Can't list CRL Distribution Points

May 21, 2012 at 7:44 AM

I'm trying to use the command Get-CertificationAuthority | Get-CRLDistributionPoint but I'm getting the error message: "Member RegUri not found for the given .NET object"

Source: Get-CRLDistributionPoint.ps1:16 char 15

Any suggestions?

Coordinator
May 21, 2012 at 9:08 AM
Edited May 21, 2012 at 9:09 AM

This is a bug. It is already fixed in an upcoming release.

As a workaround, you can do the following:

Open the Get-CRLDistributionPoint.ps1 file and find this part of the code:

$CDP = $CRLUrls | ForEach-Object {
	New-Object PKI.CertificateAuthority.CDP -Property @{
		RegURI = $_
	}
}

And replace it with the following line:

$CDP = $CRLUrls | ForEach-Object {New-Object PKI.CertificateAuthority.CDP $_}

Be aware that this will break the digital signature.

May 21, 2012 at 10:57 AM

Thanks, that did the job!

However, I'm a bit unsure what you meant by mentioning that this fix will break the digital signature. I would appreciate it if you could enlighten me :-)

Coordinator
May 21, 2012 at 11:15 AM

All files in the module (except the help file) are digitally signed. You can open the properties of any file and you will see the Digital Signatures tab. Normally the signature status must be valid. But if you edit the contents, an error will be shown.
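A way to see the effect described above from PowerShell itself, as an added example that is not part of the thread or of the module's code: it reports the Authenticode status of each script file in a module folder so that hand-edited files stand out. The function name and the module path are assumptions.

```powershell
# Added example: list the signature status of every script file in a module folder.
function Get-ModuleSignatureReport {
    param(
        [Parameter(Mandatory)]
        [string]$ModulePath   # assumption: folder where the module is installed
    )
    Get-ChildItem -Path $ModulePath -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.ps1xml |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File    = $_.Name
                # Valid        = file is unchanged since it was signed
                # HashMismatch = content was edited after signing
                # NotSigned    = file carries no signature block
                Status  = $sig.Status
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Message = $sig.StatusMessage
            }
        }
}

# Placeholder path; replace with the real module folder.
$report = Get-ModuleSignatureReport -ModulePath 'C:\Path\To\Module'

# Show only the files whose signature no longer validates.
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

# Under the AllSigned execution policy a script with status HashMismatch is refused.
"Effective execution policy: $(Get-ExecutionPolicy)"
```

After the fixed release is installed, every file should report Valid again; a remaining HashMismatch means an edited copy is still in place.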

May 21, 2012 at 12:15 PM

OK, I got it...

After inserting the replacement code in Get-CRLDistributionPoint I tried to run the command Add-CRLDistributionPoint (I did it like the example in the documentation) but now the "command" throws an error: "New-object:constructor not found. Cannot find an appropriate constructor for type PKI.CertificateAuthority.CDP"

?

Coordinator
May 21, 2012 at 12:54 PM

Yes, there were a couple of bugs (after partial code migration to DLL). Now they are all fixed. To work around your current issue you need to edit Add-CRLDistributionPoint as follows.

Find the following lines in the Add-CRLDistributionPoint.ps1 file:

$CDP.URI += New-Object PKI.CertificateAuthority.CDP -Property @{
	RegURI = $url
}

And replace them with:

$CDP.URI += New-Object PKI.CertificateAuthority.CDP $url

Similar changes are required for the Get/Add-AuthorityInformationAccess cmdlets. My apologies. I'll try to publish a new release this week. I need some time to test the entire module to avoid these bad issues.

May 21, 2012 at 1:51 PM
Almost there ;-)

When I add an "http-CRL", I want to add several <flags>... It works fine when I use just one, but I can't figure out which delimiter I shall use when I want to add several at the same time (4, 8, 128)

Regards,

/Oskar



Coordinator
May 21, 2012 at 2:57 PM

Sum your values (4+8+128 = 140) and put it as: 140:http://URL/%3%8%9.crl

The CA server will automatically figure out the actual flags.

May 23, 2012 at 7:09 AM
Camelot wrote:

Sum your values (4+8+128 = 140) and put it as: 140:http://URL/%3%8%9.crl

The CA server will automatically figure out the actual flags.

I've tried to sum up the values. But when I run the command I can't get the checkbox for "Include in the CDP extension of issued certificates" to be checked. I think it should be the value "8" that sets this value... Am I wrong?

Coordinator
May 23, 2012 at 9:14 AM

I think that 6 (4+2) should be specified with the HTTP protocol.
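The numeric prefix discussed in the posts above is a bitmask, so a sum can be decoded back into its individual flags. The following is an added example, not part of the thread or of the module's code; it uses the CSURL_* bit values from the Windows SDK header certsrv.h, the enum member names and the function name are illustrative, and it needs PowerShell 5.0 or later for the enum keyword.

```powershell
# Added example: decode a "<flag sum>:<URL>" CDP entry into its publication flags.
# Bit values follow the CSURL_* constants in certsrv.h; member names are illustrative.
[Flags()] enum CdpFlags {
    ServerPublish      = 1    # Publish CRLs to this location
    AddToCertCdp       = 2    # Include in the CDP extension of issued certificates
    AddToFreshestCrl   = 4    # Include in CRLs (clients use it to find delta CRLs)
    AddToCrlCdp        = 8    # Include in all CRLs
    PublishRetries     = 16
    AddToCertOcsp      = 32
    ServerPublishDelta = 64   # Publish delta CRLs to this location
    AddToIdp           = 128  # Include in the IDP extension of issued CRLs
}

function ConvertFrom-CdpEntry {
    param([Parameter(Mandatory)][string]$Entry)

    # Entry format used in the thread: decimal flag sum, a colon, then the URL template.
    if ($Entry -notmatch '^(?<sum>\d+):(?<url>.+)$') {
        throw "Not in '<flags>:<url>' form: $Entry"
    }
    $sum = [int]$Matches['sum']
    if ($sum -gt 255) {
        throw "Flag sum $sum sets bits outside the eight flags listed here"
    }
    $flags = [CdpFlags]$sum
    [pscustomobject]@{
        Sum           = $sum
        Flags         = $flags
        Url           = $Matches['url']
        # True only when the "issued certificates" bit (2) is part of the sum.
        InIssuedCerts = $flags.HasFlag([CdpFlags]::AddToCertCdp)
    }
}

# The two sums mentioned in the thread, with the thread's URL template.
'140:http://URL/%3%8%9.crl', '6:http://URL/%3%8%9.crl' |
    ForEach-Object { ConvertFrom-CdpEntry $_ } |
    Format-List
```

Comparing the decoded Flags column with the checkboxes on the CA's Extensions tab shows which bit each checkbox corresponds to before the value is written to the CA configuration.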

Jun 1, 2012 at 7:29 AM

New day, new problem...

I want to use Remove-CRLDistributionpoint but it won't work. Is it possible that the bugs that were found earlier also exist here!?

Need help.

Coordinator
Jun 1, 2012 at 7:50 AM

Did you call the Set-CRLDistributionPoint command? Remove-CRLDistributionPoint changes the internal object state, but does not write changes to the configuration.

Jun 1, 2012 at 8:02 AM
Camelot wrote:

Did you call the Set-CRLDistributionPoint command? Remove-CRLDistributionPoint changes the internal object state, but does not write changes to the configuration.

OK, well, I'm trying to remove an existing CRLDistributionpoint in the CA. Maybe this is a bit backwards; it would be just fine to alter the settings on an existing one rather than remove one first and later add a new one... Is it possible to change the settings on an existing CRL Distribution point, for example, Get-CRL, Set-CRL...

Do you understand what I want to do?

Coordinator
Jun 1, 2012 at 8:29 AM

You can do it, something like this:

Get-CA | Get-CRLDistributionPoint | Remove-CRLDistributionPoint -Uri * | Add-CRLDistributionPoint -Uri "uri1","uri2",.."urin" | Set-CRLDistributionPoint

In that case all URLs will be replaced with those specified in the Add-CRLDistributionPoint command.

Jun 1, 2012 at 8:32 AM

Thanks, I'll test it.