Receive-Certificate error

Aug 15, 2013 at 6:37 AM
I'm trying to receive issued valid certificates from a standalone CA DB on 2003 R2. Everything is OK with some of them, but with the others an exception appears.

Command:
Connect-CertificationAuthority -ComputerName $CN|Get-IssuedRequest -Filter "NotAfter -gt $DT","NotBefore -gt $lastDT","SerialNumber -eq $SN"|Receive-Certificate -Path $pathCertIssuedExport -Force

Exception:
Receive-Certificate : Exception calling "RetrievePending" with "2" argument(s):
"CCertRequest::RetrievePending The data is invalid. 0x8007000d (WIN32: 13)"
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\certExporterFromDBMSCA_v3_eng
CA_test.ps1:70 char:161
+ Connect-CertificationAuthority -ComputerName $CN|Get-IssuedRequest -Filter "N
otAfter -gt $DT","NotBefore -gt $lastDT","SerialNumber -eq $SN"|Receive-Certifi
cate <<<< -Path $pathCertIssuedExport -Force
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep
tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
n,Receive-Certificate
Coordinator
Aug 15, 2013 at 6:44 AM
Does the following command return anything:
Connect-CertificationAuthority -ComputerName $CN|Get-IssuedRequest -Filter "NotAfter -gt $DT","NotBefore -gt $lastDT","SerialNumber -eq $SN"
?
Aug 15, 2013 at 6:51 AM
Yes, for all certificates that I'm trying to receive.
For example, this is the information from an "ok-certificate":
RequestID : 5117
Request.RequesterName : CA15\CPCAComPlusAcct&
CommonName : UUU
NotBefore : 22.05.2012 14:04:00
NotAfter : 22.08.2013 14:14:00
SerialNumber : 6e2c576f0000000013fd
ConfigString : RA15\ЦС_2

This is from a certificate that causes the exception:
RequestID : 5116
Request.RequesterName : CA15\CPCAComPlusAcct&
CommonName : rzd_test
NotBefore : 17.05.2012 14:38:00
NotAfter : 17.08.2013 14:48:00
SerialNumber : 548bbe400000000013fc
ConfigString : RA15\ЦС_2
Coordinator
Aug 15, 2013 at 7:01 AM
Do I understand correctly that the command fails only for certain certificates and works as expected for others?
Aug 15, 2013 at 7:02 AM
yes
Coordinator
Aug 15, 2013 at 7:08 AM
I'll take a look and return to you soon.
Coordinator
Aug 15, 2013 at 11:32 AM
Try the following command:
Connect-CertificationAuthority -ComputerName $CN | Get-IssuedRequest -RequestID 5116 | Receive-Certificate -Path $pathCertIssuedExport -Force
and let me know how it works.
Aug 16, 2013 at 5:31 AM
Results are the same:

Receive-Certificate : Exception calling "RetrievePending" with "2" argument(s):
"CCertRequest::RetrievePending The data is invalid. 0x8007000d (WIN32: 13)"
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\certTest.ps1:16 char:107
+ Connect-CertificationAuthority -ComputerName $CN | Get-IssuedRequest -Request
ID 5116 | Receive-Certificate <<<< -Path $pathCertIssuedExport -Force
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep
tion
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio
n,Receive-Certificate
Coordinator
Aug 16, 2013 at 6:10 AM
I just checked the code against several CAs and cannot repro your issue. In any case, the error is likely caused by the underlying API (ICertRequest::RetrievePending). Can you please tell me what the following command returns when run on the CA server:

certutil -getreg ca\commonname
Aug 16, 2013 at 7:21 AM
HKLM\System\CurrentControlSet\Services\SertSvc\Configuration!0426!0421_2\CommonName:
CommonName REG_SZ = ЦС_2
Aug 16, 2013 at 7:23 AM
Edited Aug 16, 2013 at 7:26 AM
And I can't repro this exception on other CAs either (( It's a problem, because it's the CA of our client.
I have a virtual machine with the same MachineName and CAName, where the result of certutil is the same and there is no error.
Coordinator
Aug 16, 2013 at 7:32 AM
How many request rows are affected? Is this the only row that throws an exception, or are there many?

I would suggest opening the Certification Authority MMC snap-in and trying to retrieve the certificate from the GUI. If the GUI continues to throw errors, then it may be caused by CA database corruption.
Aug 16, 2013 at 7:36 AM
8 rows. I have these certificates exported in .p7b, so there were no errors(
Coordinator
Aug 16, 2013 at 7:54 AM
I sent a request to the appropriate Microsoft team. They may ask additional questions, so follow this thread for additional instructions.
Aug 16, 2013 at 8:27 AM
Edited Aug 16, 2013 at 8:43 AM
Thank U much, I'll follow.

For information, there was another problem with the Get-CertificationAuthority command on all CAs on 2003 R2, SP2 (PSPKI v2.2, PoSH v2). This command is in the list returned by Get-Command, but it isn't recognized as a cmdlet and there is no help. So I've tried Connect-CertificationAuthority and it works correctly. Don't know why, but it's so. On 2008 R2 everything is OK with Get-CertificationAuthority.

Error with command:
PS C:\Windows\System32> Get-CertificationAuthority -ComputerName $CN | Get-Issue
dRequest -RequestID 5492 | Receive-Certificate -Path $pathCertIssuedExport -Forc
e
The term 'Get-CertificationAuthority' is not recognized as the name of a cmdlet
, function, script file, or operable program. Check the spelling of the name, o
r if a path was included, verify that the path is correct and try again.
At line:1 char:27
+ Get-CertificationAuthority <<<< -ComputerName $CN | Get-IssuedRequest -Reque
stID 5492 | Receive-Certificate -Path $pathCertIssuedExport -Force
    + CategoryInfo : ObjectNotFound: (Get-CertificationAuthority:Stri
ng) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Coordinator
Aug 16, 2013 at 9:19 AM
Edited Aug 16, 2013 at 9:19 AM
Get-CertificationAuthority is not available in non-domain environments ( https://pspki.codeplex.com/wikipage?title=Get-CertificationAuthority ), or if you are logged on with local account (not domain). And do not forget to check the newest PS PKI v2.6 module!
Coordinator
Aug 16, 2013 at 3:38 PM
Ok, let's try this approach:
$certrequest = new-object -com certificateauthority.request
$certrequest.retrievepending(5116,"RA15\ЦС_2")
Does this command throw an error?
Aug 19, 2013 at 6:24 AM
Yes:

Exception calling "RetrievePending" with "2" argument(s): "CCertRequest::Retrie
vePending The parameter is incorrect. 0x80070057 (WIN32: 87)"
At C:\WINDOWS\system32\WindowsPowerShell\v1.0\certTest2.ps1:5 char:29
+ $certrequest.retrievepending <<<< (5116,"RA15\ЦС_2")
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ComMethodTargetInvocation
Coordinator
Aug 19, 2013 at 6:41 AM
OK, try this example:
$certrequest = new-object -com certificateauthority.request
$certrequest.retrievepending(5116,"RA15\!0426!0421_2")
Aug 19, 2013 at 7:37 AM
Results are the same..
Coordinator
Aug 19, 2013 at 9:58 AM
Ping me via email (vpodans&sysadmins.lv) to continue the conversation. I'll forward you the instructions I got from Microsoft.
Coordinator
Aug 22, 2013 at 11:27 AM
I sent you details in email. Just to close this thread: the error is raised because AKI extension value in the leaf certificate does not match SKI value of any active CA certificate. It is expected behavior confirmed by Microsoft.
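
The root cause given in the closing post is a mismatch between the leaf certificate's AKI and the SKI of the CA certificates. As an added example (not part of the original thread and not PSPKI code), the following PowerShell compares the two by reading the extension DER directly. The function names and file paths are hypothetical, and it assumes the leaf and CA certificates are available as exported .cer/.crt files.

```powershell
# Added example: function names are hypothetical, file paths are supplied by the caller.
function Read-DerHeader {
    # Returns tag, content start offset and content length of the DER element at $Offset.
    param([byte[]]$Data, [int]$Offset)
    $len   = [int]$Data[$Offset + 1]
    $start = $Offset + 2
    if ($len -band 0x80) {                  # long form: low 7 bits = number of length bytes
        $count = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $count; $i++) { $len = $len * 256 + $Data[$start + $i] }
        $start += $count
    }
    return @{ Tag = $Data[$Offset]; Start = $start; Length = $len }
}

function Get-KeyIdentifier {
    # $Oid: 2.5.29.14 = Subject Key Identifier, 2.5.29.35 = Authority Key Identifier
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
    if (-not $ext) { return $null }
    $tlv = Read-DerHeader $ext.RawData 0    # SKI: OCTET STRING; AKI: SEQUENCE
    if ($Oid -eq '2.5.29.35') {
        # keyIdentifier is the optional first element of the SEQUENCE, tagged [0] (0x80)
        if ($tlv.Length -eq 0) { return $null }
        $tlv = Read-DerHeader $ext.RawData $tlv.Start
        if ($tlv.Tag -ne 0x80) { return $null }
    }
    return ([BitConverter]::ToString($ext.RawData, $tlv.Start, $tlv.Length) -replace '-', '')
}

function Test-AkiAgainstCaCerts {
    # Emits one row per CA certificate; Match is true only when the leaf AKI equals that CA's SKI.
    param([string]$LeafPath, [string[]]$CaCertPath)
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $leaf = New-Object $type (Resolve-Path $LeafPath).ProviderPath
    $aki  = Get-KeyIdentifier $leaf '2.5.29.35'
    foreach ($path in $CaCertPath) {
        $ca  = New-Object $type (Resolve-Path $path).ProviderPath
        $ski = Get-KeyIdentifier $ca '2.5.29.14'
        New-Object PSObject -Property @{
            CaCertificate = $path
            LeafAKI       = $aki
            CaSKI         = $ski
            Match         = ($null -ne $aki -and $aki -eq $ski)
        }
    }
}

# Usage with placeholder file names:
# Test-AkiAgainstCaCerts -LeafPath .\leaf.cer -CaCertPath .\ca-cert-0.crt, .\ca-cert-1.crt
```

If no row reports a match, the leaf was signed with a CA key whose certificate is not among the files checked, which is the condition the closing post describes.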