PKISolutions / PSPKI

PowerShell PKI Module
Microsoft Public License

Feature Request - Addition of "Duplicate-Template" Functionality in PSPKI Module #201

Closed bencoremans closed 8 months ago

bencoremans commented 1 year ago

Hi Vadims,

I am writing to propose a valuable addition to the PSPKI module, a widely used PowerShell tool for managing Public Key Infrastructure (PKI). The proposed feature is the inclusion of a new function named "Duplicate-Template," aiming to enhance the capabilities of template management within the PSPKI module.

Feature Request Details:

Feature Name: Duplicate-Template Functionality

Description:

The proposed "Duplicate-Template" function aims to enable users to easily duplicate an existing certificate template, facilitating the efficient creation of new templates based on existing ones. This functionality will significantly enhance template management within the PSPKI module and streamline the process of creating similar templates with slight modifications or updates.

Key Benefits:

  1. Efficient Template Creation: Users will be able to swiftly create new certificate templates based on existing ones, saving time and effort.
  2. Maintaining Consistency: This feature promotes template standardization and consistency by allowing users to duplicate a proven template as a starting point for customization.
  3. Improved Workflow: Streamlining the process of template creation enhances the overall workflow for administrators managing PKI.
  4. Enhanced Productivity: By reducing manual input and replication of configurations, users can achieve higher productivity and accuracy in template management.

Example:

Duplicate-Template -TemplateName "ExistingTemplate" -NewTemplateName "NewTemplate" -DisplayName "Display Name for New Template" -Version 2 -ValidityPeriod "3650.00:00:00" -KeyUsage 0 -EnrollmentFlags 'None'

I believe that this feature will greatly enhance the functionality and usability of the PSPKI module, aligning with the needs of administrators managing PKI in diverse environments. Your consideration of this feature request is highly appreciated.

Thank you for your continuous efforts in improving the PSPKI module, and I look forward to seeing this enhancement in future releases.

Best regards,

Ben Coremans

AndiBellstedt commented 1 year ago

Would be a nice one. I'd suggest naming the command "Copy-CertificateTemplate" to use a PowerShell approved verb and a more specific noun.

Crypt32 commented 1 year ago

I was thinking about this many years ago and failed to get an acceptable design for this.

The problem here is that there are inherent inter-dependencies between various template attributes which are enforced via visual clues and complex logic from the template snap-in. Example: you cannot have "Do not automatically reenroll if a duplicate certificate exists in Active Directory" flag enabled when "Publish certificate in Active Directory" flag is not set. And I will have to implement all these inter-dependencies in my code to avoid template creation which cannot be reproduced in certificate templates MMC.

Maybe I can leverage IX509CertificateTemplateWritable COM interface which implements this logic. However, there are several challenges:

These are reasons why there is no Set-CertificateTemplateProperty command.

It is technically possible to implement this, however I'm not sure if benefits will outweigh efforts and likely usability issues.

-Version 2

Previously, the template schema version was derived from the exact context menu item selected during template duplication. Beginning with Windows Server 2012, templates moved from a straight template version dependency to platform support, and the exact schema version is chosen based on the client and server version combobox selections, which add/remove/enable/disable certain controls. These days, this parameter must be split into two parameters: -ServerVersion and -ClientVersion.
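The inter-dependency the maintainer describes above is between two bits of the template's msPKI-Enrollment-Flag attribute: "Publish certificate in Active Directory" is CT_FLAG_PUBLISH_TO_DS (0x8) and "Do not automatically reenroll if a duplicate certificate exists in Active Directory" is CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE (0x10), with bit values as documented in MS-CRTD. The following is an added example, not PSPKI code and not code from anyone in this thread: it decodes an enrollment-flag integer into bit names and checks that one dependency. The function names are made up for the example, and the three sample values are constructed, not read from a live AD; it encodes only the single dependency named in the thread, not the full logic of the Certificate Templates MMC.

```powershell
# Added example: decode msPKI-Enrollment-Flag and check one MMC-enforced dependency.
# Bit values are those documented in MS-CRTD; function names are hypothetical.
$EnrollmentFlags = [ordered]@{
    CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS                   = 0x00000001
    CT_FLAG_PEND_ALL_REQUESTS                              = 0x00000002
    CT_FLAG_PUBLISH_TO_KRA_CONTAINER                       = 0x00000004
    CT_FLAG_PUBLISH_TO_DS                                  = 0x00000008  # "Publish certificate in Active Directory"
    CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE      = 0x00000010  # "Do not automatically reenroll if a duplicate ... exists in AD"
    CT_FLAG_AUTO_ENROLLMENT                                = 0x00000020
    CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT        = 0x00000040
    CT_FLAG_USER_INTERACTION_REQUIRED                      = 0x00000100
    CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE = 0x00000400
    CT_FLAG_ALLOW_ENROLL_ON_BEHALF_OF                      = 0x00000800
    CT_FLAG_ADD_OCSP_NOCHECK                               = 0x00001000
    CT_FLAG_NO_SECURITY_EXTENSION                          = 0x00080000
}

function ConvertFrom-EnrollmentFlag {
    # Return the names of all known bits set in the integer attribute value.
    param([Parameter(Mandatory)][int]$Value)
    $EnrollmentFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-EnrollmentFlagDependency {
    # The "check for a duplicate in AD" option only makes sense when the
    # certificate is actually published to AD; the MMC greys the checkbox
    # out otherwise, but nothing stops a script from writing the raw bits.
    param([Parameter(Mandatory)][int]$Value)
    $checkDs   = ($Value -band $EnrollmentFlags.CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE) -ne 0
    $publishDs = ($Value -band $EnrollmentFlags.CT_FLAG_PUBLISH_TO_DS) -ne 0
    $problems = @()
    if ($checkDs -and -not $publishDs) {
        $problems += 'CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE requires CT_FLAG_PUBLISH_TO_DS'
    }
    [pscustomobject]@{
        Value    = ('0x{0:X8}' -f $Value)
        Flags    = @(ConvertFrom-EnrollmentFlag -Value $Value)
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample values, as an exported JSON or an ADSI read might hand back.
$samples = [ordered]@{
    'Consistent (publish + autoenroll)'      = 0x29  # INCLUDE_SYMMETRIC | PUBLISH_TO_DS | AUTO_ENROLLMENT
    'Inconsistent (check without publish)'   = 0x31  # INCLUDE_SYMMETRIC | CHECK_USER_DS_CERT | AUTO_ENROLLMENT
    'Corrected (publish added)'              = 0x39  # INCLUDE_SYMMETRIC | PUBLISH_TO_DS | CHECK_USER_DS_CERT | AUTO_ENROLLMENT
}
foreach ($name in $samples.Keys) {
    $r = Test-EnrollmentFlagDependency -Value $samples[$name]
    '{0}: {1} valid={2} [{3}] {4}' -f $name, $r.Value, $r.IsValid, ($r.Flags -join ', '), ($r.Problems -join '; ')
}
```

The second sample is exactly the state the MMC prevents: the duplicate-check bit set while the publish bit is clear. A duplicate-and-edit cmdlet that writes msPKI-Enrollment-Flag directly would need a table of such rules for every attribute, which is the cost the maintainer is pointing at.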

bencoremans commented 1 year ago

Hi Vadims,

Thank you for sharing your insights and concerns regarding the implementation of the "Duplicate-Template" functionality. I appreciate your valuable input and the considerations you've highlighted.

I understand that translating the existing UI controls and intricate logic of certificate template handling into a set of PowerShell parameters might present challenges for users. The potential for errors in specifying EnrollmentFlags, SubjectNameFlags, and other combinations could indeed lead to increased support requests.

However, I believe there is a significant value addition that a graphical user interface (GUI) can offer. A well-designed GUI can guide users through the process of selecting parameters and generating a valid PowerShell command. It can provide a more intuitive and user-friendly experience, potentially mitigating the concerns regarding parameter mapping and erroneous flag combinations.

The GUI can dynamically adjust based on user selections, ensuring that only valid options are presented. Warnings and validations can guide users in making appropriate choices, reducing the likelihood of errors. Ultimately, this approach aims to enhance usability, accuracy, and user confidence in utilizing the PowerShell cmdlet.

I look forward to further discussions on how we can optimize this functionality to strike the right balance between usability and technical accuracy.

Best regards,

Ben Coremans

Crypt32 commented 1 year ago

> The GUI can dynamically adjust based on user selections, ensuring that only valid options are presented.

This is the same as re-inventing (and adding more bugs, since the inter-dependency logic is not documented and you have to manually reverse-engineer it) the logic from the Certificate Templates MMC to generate a PS script export option. I know that Server Manager offers such functionality to generate a PS script based on selections in UI dialogs. This is handy, but a very big task for me since I'm still the only developer of PSPKI and have limited time allowed to work on this.

bencoremans commented 1 year ago

Hi Vadims,

Thank you for your continued engagement and thoughtful considerations.

Understanding the complexity and potential challenges of replicating the inter-dependency logic from Certificate Templates MMC within a GUI, I'd like to propose an alternative approach. While reinventing this intricate logic is indeed a significant undertaking, would it be feasible to explore a more simplified avenue?

One potential solution could involve allowing users to create a copy of a template that has been configured using a GUI. This way, users can leverage the logic embedded in the GUI while also providing a straightforward method for automating template adjustments using PowerShell.

For instance, users could export the configuration of a template set up via the GUI to a structured format like JSON using a cmdlet, say Get-CertificateTemplateProperty. They could then use this JSON to modify or create a new template via Set-CertificateTemplateProperty. This approach, I believe, could strike a balance between the ease of GUI-based configuration and the automation capabilities of PowerShell.

Here's a conceptual example:

```powershell
# Export the configuration of a template set up via GUI
$json = Get-CertificateTemplateProperty -Name "WebServerTemplateX"

# Modify or create a new template using the exported configuration
Set-CertificateTemplateProperty -Input $json -Name "WebServerTemplateY"
```

This way, while the direct replication of the GUI's dynamic adjustments may not be necessary, we could enable users to automate adjustments based on a configured template.

I'd greatly appreciate your thoughts on this proposed approach.

Best regards,

Ben

bencoremans commented 1 year ago

Hi Vadims,

I came across your insightful article on exporting and importing certificate templates using PowerShell. The article provided a valuable perspective on managing advanced PKI/ADCS operations with PowerShell.

I believe your expertise and the approaches discussed in your article could potentially serve as a valuable reference for implementing this feature. I am planning to thoroughly review your article and explore how the concepts therein might be applicable to the envisioned "Duplicate-Template" functionality.

Your thoughts and insights on this matter would be greatly appreciated.

Best regards,

Ben Coremans

Crypt32 commented 1 year ago

> Hi Vadims,
>
> I came across your insightful article on exporting and importing certificate templates using PowerShell. The article provided a valuable perspective on managing advanced PKI/ADCS operations with PowerShell.
>
> I believe your expertise and the approaches discussed in your article could potentially serve as a valuable reference for implementing this feature. I am planning to thoroughly review your article and explore how the concepts therein might be applicable to the envisioned "Duplicate-Template" functionality.

That article will solve only the first challenge: converting a DS template to the appropriate COM object required as input for IX509CertificateTemplateWritable.

> They could then use this JSON to modify or create a new template via Set-CertificateTemplateProperty

And how will it solve the issue with mapping UI controls to JSON properties and the issues with inter-dependencies? If something is not correct in the JSON, IX509CertificateTemplateWritable will fail to read it. Duplicating a template as-is is not a big deal; the challenge is to edit the duplicated template from code properly.

bencoremans commented 1 year ago

Hi Vadims,

Thank you for your insightful response. I've been carefully considering the challenges and intricacies you highlighted regarding template duplication and modification.

If I understand correctly, when duplicating a template using the console and subsequently customizing its properties, it is possible to capture these properties in a structured format like JSON or XML. This data can then be imported to another template as needed. However, I acknowledge that the real challenge lies in ensuring that these properties are correctly mapped to the intricate structure of IX509CertificateTemplateWritable.

I have been using a workaround, involving reverse engineering, where I modify a duplicated template's properties with PowerShell and then import these properties into a blank duplicated template also using PowerShell. However, I realize this might not be the most efficient or optimal approach or even stupid.

Given this, I am eager to explore any suggestions or alternative methods that can streamline this process and address the concerns you've mentioned. If there's a more effective way to handle these properties and maintain the integrity of the template during duplication and modification, I am open to learning and implementing it.

Your guidance and expertise in this matter would be immensely valuable. I truly appreciate your time and consideration.

Best regards,

Ben Coremans

bencoremans commented 12 months ago

Following our discussion on the challenges related to duplicating and editing templates programmatically, I'd like to propose a concept that encompasses export, import, and integrity verification mechanisms.

Concept Overview: Export with Integrity Protection:

Import with Validation:

Flexible Modification:

This approach combines data integrity checks with flexible modification options, empowering users to customize certain properties while preserving critical attributes. The validation process ensures that the imported template adheres to defined standards, avoiding unintended modifications.

I envision this concept addressing the concerns we discussed, particularly regarding maintaining the integrity of the imported template and allowing controlled modifications where needed. However, it's important to note that this proposal requires thoughtful design and implementation to ensure a seamless user experience and maintain security.

Your expertise and insights would be invaluable in evaluating the feasibility and potential benefits of this approach for the PSPKI module. Your guidance in this matter would be highly appreciated.

Looking forward to your thoughts and insights.

Best regards,

Ben Coremans

hmiller10 commented 9 months ago

@bencoremans - have you seen the PS module ADCSTemplate written by Ashley McGlone, former Microsoft PFE? It has some functions that do, I think, what you are looking for in that module. You can find it on Powershellgallery.com

bencoremans commented 9 months ago

Thank you for pointing me to this PS module. I haven't seen it before. So I will check it out.

Crypt32 commented 9 months ago

> @bencoremans - have you seen the PS module ADCSTemplate written by Ashley McGlone, former Microsoft PFE? It has some functions that do, I think, what you are looking for in that module. You can find it on Powershellgallery.com

I personally would not recommend that module for production use. The reason is that the module uses Microsoft-unsupported practices and fails at proper template registration. See my previous response on the complexity. Unfortunately, the mentioned module doesn't solve them.

bencoremans commented 8 months ago

> I personally would not recommend that module for production use. The reason is that the module uses Microsoft-unsupported practices and fails at proper template registration. See my previous response on the complexity. Unfortunately, the mentioned module doesn't solve them.

Hi @Crypt32,

I recently undertook the task of creating a fork of the ADCSTemplate module, which you've previously reviewed. In light of your insightful comments and the concerns you raised about the original module, particularly regarding its use of unsupported practices and issues in template registration, I've made several modifications that I believe address these issues.

The forked repository can be found here: https://github.com/bencoremans/ADCSTemplate.

While it's still a work in progress, I would greatly appreciate it if you could spare some time to review these changes. Your expertise and feedback would be invaluable in ensuring the module aligns with best practices and is viable for production use. I'm particularly interested in your opinion on whether the modifications adequately address the complexities and concerns you highlighted in your previous response.

Thank you in advance for your time and insights. I'm looking forward to your feedback.

bencoremans commented 8 months ago

Replaced with this one: https://github.com/PKISolutions/PSPKI/issues/206