Cannot get ADCS powershell commands to run.

Jun 12, 2014 at 7:58 PM
I am trying to resolve an issue with Lync not accepting a SHA512 certificate so users cannot connect to the Lync server. I want to change the cryptographic setting from SHA512 to SHA256. I know this can be done via powershell command (Set-CACryptographyConfig). But it and its related cmdlets error out.

In working this issue I am trying to run the Get-CertificationAuthority powershell command and am getting an error that states it is not a recognized cmdlet.

I have installed RSAT on a Domain workstation. Logged into the workstation as a domain user. I am running powershell as administrator.

When I run the Get-Command cmdlet none of the ADCS cmdlets show up.

Any thoughts? Really stumped.
Coordinator
Jun 12, 2014 at 8:02 PM
Did you imported the module into a session?
https://pspki.codeplex.com/documentation
Jun 12, 2014 at 8:10 PM
Just tried that but got an error that PSPKI is not a valid module name.
Jun 12, 2014 at 8:11 PM
I have some PKI cmdlets, but none of the ADCS ones (like Get-CertificationAuthority).
Coordinator
Jun 12, 2014 at 8:12 PM
Make sure if the module is installed in the proper directory. Did you installed it via MSI installer, or as a standalone package? In which directory you installed the module?
Jun 12, 2014 at 8:16 PM
It was a standalone install (Windows6.2-KB2693643-x64.msu for Windows 8) onto a non-internet accessible machine on our private domain. I assume it installed into the default directory (not even asked where I wanted it).

How would I check where it was installed?
Coordinator
Jun 12, 2014 at 8:23 PM
PSPKI is not a part of Windows installation, it is a separate product. You should download and install it first: https://pspki.codeplex.com/releases/view/118221
Jun 12, 2014 at 8:40 PM
OK quick question. I am somewhat new to Server 2012 and powershell. Can I install the aforementioned module without the .exe? network folks aren't too keen on software installation by .exe and would rather see an msi/msu.

I have downloaded the .zip file that has the source. What can I do with it now?

Thank you for your patience.
Coordinator
Jun 13, 2014 at 5:08 AM
EXE file in the download list is just a wrapper over embedded MSI, there is nothing to worry about.
Jun 13, 2014 at 10:49 AM
Edited Jun 13, 2014 at 10:50 AM
OK so I have installed the module on my local machine, and now want to import it. I get the following error when I try to Import as described in the documentation using the "Import-Module PSPKI" command (where xxx.xxx is my user name):

Write-ErrorMessage : Exception of type 'Microsoft.PowerShell.Commands.WriteErrorException' was thrown.
At C:\Users\xxx.xxx\Documents\WindowsPowerShell\Modules\PSPKI\PSPKI.psm1:122 char:9
  • catch {Write-ErrorMessage -Source "CAPIUnavailable"}
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : NotImplemented: (:) [Write-Error], WriteErrorException
    • FullyQualifiedErrorId : NotImplementedException,Write-ErrorMessage
What am I missing on my system. This is a completely new Win 8.1 build so I may well not have some things. I should have all the .Net Frameworks and such, but it appears I am missing some API.

Thank you.
Coordinator
Jun 13, 2014 at 10:53 AM
On main page you will find requirements when running the module on client operating systems. You have to install ADCS remote management tools (RSAT).
Jun 13, 2014 at 10:54 AM
Just figured that out. Sorry. I thought I had already installed the RSAT. I will make sure it is there.
Jun 13, 2014 at 11:09 AM
So I have installed the PSPKI module, but the Get-CertificationAuthority cmdlet doesn't seem to be there when I run Get-Command -Module PSPKI. Son't I need this to run the Set-CACryptographyConfig cmdlet?
Coordinator
Jun 13, 2014 at 11:19 AM
is your machine domain-joined? Get-CertificationAuthority is not availabe on workgroup computers.
Jun 13, 2014 at 11:21 AM
Would it not even show up, or would it just not work? I think my local machine here is not on a domain. If I join it to one, would I need to re-import the pspki module? The system I really want to put this module on is definitely on a domain (internal) but I wanted to test it out first on my local Internet system.
Coordinator
Jun 13, 2014 at 11:26 AM
if your machine is not a member of a domain, then you can't manage enterprise CAs. Though, you can manage standalone CA (Get-CertificationAuthority command is replaced with a Connect-CertificationAuthority) if you have appropriate permissions.
Jun 13, 2014 at 11:36 AM
OK, I will check it all out. Thank you for your patience with this. Hopefully, all will go smoothly once I get it loaded up on our internal domain.

One more quick question though. Can I take all the Module documents installed by the .exe and copy them over to the same directory, and then install the module into powershell?
Coordinator
Jun 13, 2014 at 11:57 AM
Can I take all the Module documents installed by the .exe and copy them over to the same directory, and then install the module into powershell?
yes.