Missing OID only newly imported certificates

[heinejeppesen]

Hi,

I'm using the module in an automated build of dev/test environments, using ADCSTemplate through DSC.
Everything works fine, templates are imported and published in the CA.
We import 18 templates (copy of prod) and everything (AD, CA etc) is built from scratch on Server 2022 in Azure.

But quite randomly, some of the templates just doesn't work. I can see them at all, when trying to request them using Certificate MMC (certlm.msc and certmgr.msc) as I can with the working.
Which ones fail is completely random, every time I deploy the complete environment.

Turns out the attribute msPKI-Cert-Template-OID isn't populated, with the forest OID on some of the newly imported templates.

Searching for all newly imported templates, in an AD + CA installed overnight.

From the template in AD - missing the forest OID.

I made a simple DSC function using the 'Script' resource, to look for templates matching our naming and where msPKI-Cert-Template-OID starts with a dot.
Then I add the missing forest OID and then they work ;-)

[zulfi0]

i'm facing the same problem as you, can you share how to fixed it ?

[heinejeppesen]

I added a quick and dirty Script function to our DSC ;-)
Our setup (AD/PKI) for the dev/test setup, are textbook examples, so pretty straightforward.
I do all changes to the PDC emulator, to ensure the changes are done on the same DC.

# The DSC resource in the ADCSTemplate module apparently fails to add the forest OID to some imported templates.
# Only way to get this fixed, until a module fix, is this way.
# msPKI-Cert-Template-OID only contains the certificate OID, not the forest - everything will look good, but certificates will not be available for retrieving..

Script VerifyTemplatePublishing {
    SetScript = {
         $Server = (Get-ADDomain).PDCEmulator
         $ConfigNC     = $((Get-ADRootDSE -Server $Server).configurationNamingContext)
         $MissingOID = @(Get-ADObject -Filter 'ObjectClass -eq "pKICertificateTemplate"' -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$($configNC)" -Properties name,msPKI-Cert-Template-OID | Where-Object { $_.'msPKI-Cert-Template-OID'.StartsWith('.') -eq $true })

         Write-Verbose "Fixing $($MissingOID.Count) broken Certificate Templates"
        
         If ($MissingOID.Count -gt 0) {
          $OID_Forest = Get-ADObject -Server $Server `
             -Identity "CN=OID,CN=Public Key Services,CN=Services,$ConfigNC" `
             -Properties msPKI-Cert-Template-OID |
             Select-Object -ExpandProperty msPKI-Cert-Template-OID
         
             If ($OID_Forest -ne $null) {

                 $MissingOID | ForEach-Object {
                     Write-Verbose "Fixing $($_.name)"
                     $dn = $_.DistinguishedName
                     $templateOID = $_.'msPKI-Cert-Template-OID'

                     $templateFix = Get-ADObject -Identity $dn
                     $templateFix.'msPKI-Cert-Template-OID' = "$($OID_Forest)$($templateOID)"
                     Set-ADObject -Instance $templateFix
                 }
             }

             Write-Verbose "Waiting 30 seconds for AD to replicate, to ensure test after fix is correct"
             Start-Sleep -Seconds 30
     }
 }

GetScript = {
    $Server = (Get-ADDomain).PDCEmulator
    $ConfigNC     = $((Get-ADRootDSE -Server $Server).configurationNamingContext)
    $MissingOID = @(Get-ADObject -Filter 'ObjectClass -eq "pKICertificateTemplate"' -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$($configNC)" -Properties name,msPKI-Cert-Template-OID | Where-Object { $_.'msPKI-Cert-Template-OID'.StartsWith('.') -eq $true })
    return @{Result = $MissingOID -join ','}
    return false
}

TestScript = {
    $Server = (Get-ADDomain).PDCEmulator
    $ConfigNC     = $((Get-ADRootDSE -Server $Server).configurationNamingContext)
    $MissingOID = @(Get-ADObject -Filter 'ObjectClass -eq "pKICertificateTemplate"' -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$($configNC)" -Properties name,msPKI-Cert-Template-OID | Where-Object { $_.'msPKI-Cert-Template-OID'.StartsWith('.') -eq $true })
    
    Write-Verbose "Found $($MissingOID.Count) broken Certificate Templates"

    if ($MissingOID.Count -eq 0 ) { return $true}
    else {return $false}
}
    PsDscRunAsCredential    = $domainAdminCredential
    DependsOn               = "[Script]ImportCertTemplates"
}#Script