vmware / power-validated-solutions-for-cloud-foundation

PowerShell Module for VMware Validated Solutions
https://vmware.github.io/power-validated-solutions-for-cloud-foundation/
BSD 2-Clause "Simplified" License

`Request-SignedCertificate` is failing #470

Closed acarnie closed 3 months ago

acarnie commented 9 months ago

Code of Conduct

VMware Cloud Foundation

5.1

Module Version

2.7.1

PowerShell Version

7.4

PowerCLI Version

13.1.0

PowerVCF Version

2.4.1

Guest Operating System

Windows Server 2019

Environment Details

- Microsoft Server 2019 Enterprise CA
- Correctly configured VMware certificate template (is already used for all other VCF components)
- VCF 5.1

Description

This is the command used, and the error I get.

```powershell
Request-SignedCertificate -mscaComputerName $mscaComputerName -mscaName $mscaName -domainUsername $caUser -domainPassword $caUserPass -certificateTemplate $certificateTemplate -certificateRequestFile ".\SupervisorCluster.csr" -certificateFile ".\SupervisorCluster.cer"
```

```
New-CimSession: Access is denied.
 Error at Script Line 6394
 Relevant Command: $cimInstance = Get-CimInstance -CimSession $cimSession -ClassName Win32_ComputerSystem
 Error Message: Cannot bind argument to parameter 'CimSession' because it is null.
```

Error or Debug Output

I don't have that.

Expected Behavior

I expect that a certificate is generated on the Microsoft CA.

Actual Behavior

I get the error detailed in the error above.

Steps to Reproduce

Create a CSR and then try to create a new certificate.

Log Fragments and Files

No response

Screenshots

No response

References

No response

GaryJBlake commented 8 months ago

@acarnie is the system you are running the cmdlet from joined to the Active Directory domain of the Certificate Authority?

acarnie commented 8 months ago

Yes it is. It is the DC / CA for the domain I am running the command from.


garlicNova commented 7 months ago

@acarnie

"New-CimSession: Access is denied." usually means a permission issue. Is the user account part of the Administrator group? Can you try the following to see if you can get a successful connection?

```powershell
$cred = Get-Credential
# Use the username and password you provided for Request-SignedCertificate
New-CimSession -ComputerName $mscaComputerName -Credential $cred
```

tenthirtyam commented 7 months ago

Assigning to Kevin Teng (@garlicNova) for triage.

tenthirtyam commented 6 months ago

Hi @acarnie - can you review Kevin's comment and verify in your environment?

See https://github.com/vmware/power-validated-solutions-for-cloud-foundation/issues/470#issuecomment-1977346588.

tenthirtyam commented 6 months ago

Spoke to Alasdair directly and confirmed that this can be closed.

github-actions[bot] commented 5 months ago

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

GaryJBlake commented 3 months ago

After a follow up conversation this is still an issue, re-opening the ticket.

GaryJBlake commented 3 months ago

Verify that the cert has a SAN

tenthirtyam commented 3 months ago

Unlocked the issue.

acarnie commented 3 months ago

I tried giving the service account "Manage CA" rights, but that did not work. I then removed those rights and added the service account to Domain Admins and the Request-Certificate goes through no problem, but this is a gaping security hole.
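
A staged version of the connection check suggested earlier in this thread, as an added example that is not part of the original issue or the module's code: it reports whether the failure is WinRM reachability, CIM session creation, or the `Win32_ComputerSystem` query, so the service account's remote-management access can be tested on its own without Domain Admins membership. The function name `Test-CaCimAccess` and its output fields are hypothetical; `$mscaComputerName` is the variable from the issue.

```powershell
# Added example: function name and result fields are hypothetical, not from the module.
function Test-CaCimAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $result = [ordered]@{
        ComputerName = $ComputerName
        UserName     = $Credential.UserName
        WinRM        = 'NotRun'
        CimSession   = 'NotRun'
        WmiQuery     = 'NotRun'
        Error        = $null
    }
    $session = $null
    try {
        # Stage 1: unauthenticated WS-Management identify; fails if WinRM is unreachable.
        Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null
        $result.WinRM = 'OK'

        # Stage 2: the call that returned "Access is denied" in the issue.
        $result.CimSession = 'Failed'
        $session = New-CimSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        $result.CimSession = 'OK'

        # Stage 3: the query from the reported script line; only runs with a non-null session.
        $result.WmiQuery = 'Failed'
        $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem -ErrorAction Stop
        $result.WmiQuery = "OK (domain: $($cs.Domain))"
    }
    catch {
        # Record which stage stopped the run and the underlying message.
        if ($result.WinRM -eq 'NotRun') { $result.WinRM = 'Failed' }
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
    [pscustomobject]$result
}

$cred = Get-Credential   # the same account passed as -domainUsername / -domainPassword
Test-CaCimAccess -ComputerName $mscaComputerName -Credential $cred
```

A result with `WinRM = OK` and `CimSession = Failed` reproduces the reported error in isolation, and the null-session error from the issue cannot occur here because the query stage is skipped when session creation fails.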
