New-SelfsignedCertificateEx : Exception setting "ProviderName": #56

Closed
dnienhis opened this issue Oct 17, 2018 · 16 comments
Labels
bug Bug. An issue exist in our code. Investigate The item’s status is investigated (issue or not)

Comments

@dnienhis

On a new/fresh install (and all Microsoft Updates Applied) Windows Server 2012 R2 Standard Server I did:

PS C:\Users\Administrator> Add-windowsfeature 'RSAT'

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {Hyper-V Module for Windows PowerShell, Hy...

PS C:\Users\Administrator> Install-Module -name 'PSPKI'
PS C:\Users\Administrator> Import-Module 'PSPKI'
PS C:\Users\Administrator> Get-Module -name 'PSPKI'

ModuleType Version Name  ExportedCommands
---------- ------- ----  ----------------
Script     3.4.0.1 PSPKI {Add-AdCertificate, Add-AdCertificateRevocationList, Add...

Then attempted Example 1 in PSPKI Help for New-SelfSignedCertificateEx:

New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" -EKU "Code Signing" -KeySpec "Signature" `
-KeyUsage "DigitalSignature" -FriendlyName "Test code signing" -NotAfter $((Get-Date).AddYears(5))

And Get this Error:

New-SelfsignedCertificateEx : Exception setting "ProviderName": "Unable to cast COM object of type
'CERTENROLLLib.CX509PrivateKeyClass' to interface type 'CERTENROLLLib.IX509PrivateKey2'. This operation failed
because the QueryInterface call on the COM component for the interface with IID
'{728AB362-217D-11DA-B2A4-000E7BBB2B09}' failed due to the following error: No such interface supported (Exception
from HRESULT: 0x80004002 (E_NOINTERFACE))."
At line:1 char:1

+ New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" -EKU "Cod ...
    + CategoryInfo          : NotSpecified: (:) [New-SelfSignedCertificateEx], SetValueInvocationException
    + FullyQualifiedErrorId : ExceptionWhenSetting,New-SelfSignedCertificateEx

Also tried several of the other examples and get similar errors. I had been using your PSPKI module for quite some time with no problems - it almost seems like it's related to the most recent update, but I could be wrong or doing something wrong?

PS C:> $psversiontable

Name                           Value
----                           -----
PSVersion                      5.1.14409.1005
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1005
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

@ykuijs

ykuijs commented Oct 17, 2018

With the release of PSPKI v3.4.0.1 I am also experiencing this issue. Repro:

Running the following command results in the same error as above and will even crash the PowerShell ISE:

$certificateSubject = 'TestDscEncryptionCert'
$newSelfSignedCertificateExParameters = @{
    Subject            = "CN=$certificateSubject"
    EKU                = 'Document Encryption'
    KeyUsage           = 'KeyEncipherment, DataEncipherment'
    SAN                = "dns:$certificateSubject"
    FriendlyName       = 'DSC Credential Encryption certificate'
    Exportable         = $true
    StoreLocation      = 'LocalMachine'
    KeyLength          = 2048
    ProviderName       = 'Microsoft Enhanced Cryptographic Provider v1.0'
    AlgorithmName      = 'RSA'
    SignatureAlgorithm = 'SHA256'
}

$certificate = New-SelfSignedCertificateEx @newSelfSignedCertificateExParameters

Error:

New-SelfSignedCertificateEx : Exception setting "ProviderName": "Unable to cast COM object of type
'CERTENROLLLib.CX509PrivateKeyClass' to interface type 'CERTENROLLLib.IX509PrivateKey2'. This operation failed because
the QueryInterface call on the COM component for the interface with IID '{728AB362-217D-11DA-B2A4-000E7BBB2B09}'
failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE))."
At line:1 char:16
+ ... rtificate = New-SelfSignedCertificateEx @newSelfSignedCertificateExPa ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-SelfSignedCertificateEx], SetValueInvocationException
    + FullyQualifiedErrorId : ExceptionWhenSetting,New-SelfSignedCertificateEx

Crypt32 added the labels "Investigate" (The item's status is investigated (issue or not)) and "bug" (Bug. An issue exists in our code.) Oct 17, 2018
@Crypt32
Collaborator

Crypt32 commented Oct 17, 2018

I can confirm that this issue is reproduced on pre-Windows 10 and pre-Windows Server 2016 systems. When running the code on Windows 10 it is working as expected:

[vPodans] $certificateSubject = 'TestDscEncryptionCert'
[vPodans] $newSelfSignedCertificateExParameters = @{
>>     Subject            = "CN=$certificateSubject"
>>     EKU                = 'Document Encryption'
>>     KeyUsage           = 'KeyEncipherment, DataEncipherment'
>>     SAN                = "dns:$certificateSubject"
>>     FriendlyName       = 'DSC Credential Encryption certificate'
>>     Exportable         = $true
>>     StoreLocation      = 'CurrentUser'
>>     KeyLength          = 2048
>>     ProviderName       = 'Microsoft Enhanced Cryptographic Provider v1.0'
>>     AlgorithmName      = 'RSA'
>>     SignatureAlgorithm = 'SHA256'
>> }
[vPodans]
[vPodans] $certificate = New-SelfSignedCertificateEx @newSelfSignedCertificateExParameters
[vPodans] $certificate

Thumbprint                                Subject
----------                                -------
8A3D3561CE8F59EA8C84C084668F90470D5AAB94  CN=TestDscEncryptionCert


[vPodans]

The issue is caused by this line (https://github.com/Crypt32/pkix.net/blob/5b0217f1b32897b21ce831ce2ca22c1a7cf912c4/PKI/Cryptography/X509PrivateKeyBuilder.cs#L14):
readonly IX509PrivateKey2 _keyGen = new CX509PrivateKeyClass();
It seems that the IX509PrivateKey2 interface was introduced in Windows 10, because I can't find any documentation about it. I'm going to change this ASAP.
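Added example (not PSPKI or pkix.net code): a PowerShell preflight that asks the CertEnroll private-key COM class, through QueryInterface, whether it exposes IX509PrivateKey2, using the IID quoted in the error above, so a script can detect the E_NOINTERFACE condition on a host before calling New-SelfSignedCertificateEx. The function name, and the ProgID X509Enrollment.CX509PrivateKey used to create the object, are my assumptions.

```powershell
# Added example, not part of PSPKI: probe IX509PrivateKey2 support on the
# CertEnroll private-key class via IUnknown::QueryInterface.
function Test-CertEnrollInterface {
    [CmdletBinding()]
    param(
        # IID of IX509PrivateKey2, copied from the error text in this issue
        [Guid]$InterfaceId = '728AB362-217D-11DA-B2A4-000E7BBB2B09',
        # ProgID of the CertEnroll private-key class (assumed; same COM class
        # the error message names as CX509PrivateKeyClass)
        [string]$ProgId = 'X509Enrollment.CX509PrivateKey'
    )
    $marshal = [System.Runtime.InteropServices.Marshal]
    # HRESULT from the issue; PowerShell parses this literal as a negative [int]
    $E_NOINTERFACE = 0x80004002

    $comObject = New-Object -ComObject $ProgId
    $pUnk = $marshal::GetIUnknownForObject($comObject)
    $ppv  = [IntPtr]::Zero
    try {
        # QueryInterface returns an HRESULT; 0 (S_OK) means the interface exists
        $hr = $marshal::QueryInterface($pUnk, [ref]$InterfaceId, [ref]$ppv)
        [pscustomobject]@{
            InterfaceId = $InterfaceId
            Supported   = ($hr -eq 0)
            HResult     = ('0x{0:X8}' -f $hr)
            NoInterface = ($hr -eq $E_NOINTERFACE)
        }
    }
    finally {
        # release every reference we took, including the one QueryInterface added
        if ($ppv -ne [IntPtr]::Zero) { [void]$marshal::Release($ppv) }
        [void]$marshal::Release($pUnk)
        [void]$marshal::ReleaseComObject($comObject)
    }
}

# Usage: warn before running New-SelfSignedCertificateEx on a host where the
# probe reports E_NOINTERFACE (the pre-Windows 10 case described in this issue).
$probe = Test-CertEnrollInterface
if ($probe.NoInterface) {
    Write-Warning "IX509PrivateKey2 is not available on this OS (HRESULT $($probe.HResult))."
}
$probe
```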

@Crypt32
Collaborator

Crypt32 commented Oct 17, 2018

Adding new info: it seems that there is a PowerShell issue as well. When trying the code on pre-Windows 10, the PowerShell console crashes. Still investigating the issue.

@Crypt32
Collaborator

Crypt32 commented Oct 17, 2018

Ok, got more details. This issue is more serious than I thought initially. The fix provided in PKISolutions/pkix.net@71a2bed doesn't help much. The issue still persists.

I made a deeper investigation and found that the Interop.CERTENROLL.dll interop library from Windows 10 (my development environment) is not compatible with previous versions. I will check if I can create an interop library from previous OS versions.

Crypt32 added a commit to PKISolutions/pkix.net that referenced this issue Oct 17, 2018
@Crypt32
Collaborator

Crypt32 commented Oct 17, 2018

Resolved this issue. I was forced to make a new CertEnroll interop library from Windows 8.1/Windows Server 2012 R2 which doesn't include the IX509PrivateKey2 interface. Also, I found some incompatibilities with Windows Vista/Windows Server 2008. Now, everything mentioned in this thread is solved.

I'm accepting bugs till Saturday (which will most likely be solved) and by Monday I will release a patch version (3.4.1) on the PS Gallery. Here is the patch version for you to test:
PSPKI-v3.4.1-patch.zip

@PatrickOnGit

Thanks for the update.

Is it expected that the private KeyContainerName is returned even though the returned certificate object is stored in a variable?

PS C:\Users > $certificate = New-SelfSignedCertificateEx @newSelfSignedCertificateExParameters
tp-19ce6f70-c30c-4cf1-946d-6dc399b51a49

I think this is due to a missing [void] when calling a .NET method.

Best regards
Patrick

@Crypt32
Collaborator

Crypt32 commented Oct 17, 2018

> Is it expected that the private KeyContainerName is returned even though the returned certificate object is stored in a variable?

No. It is an artifact from my testing at this line: https://github.com/Crypt32/pkix.net/blob/fad3f5c6fc08eaf79241464d477c3860dcd1420e/PKI/Tools/MessageOperations/MessageSigner.cs#L300. There was an issue with the NCryptOpenKey function call which failed for me. I put a Console.WriteLine there to see if the function parameters were correct. The issue was, actually, with the dwLegacyKeySpec parameter.

BTW, does patch version work for you?

@PatrickOnGit

PatrickOnGit commented Oct 18, 2018 via email

@dnienhis
Author

Just tested your 'patched' version - all works well for me - THANK YOU!

@dnienhis
Author

Maybe I spoke/typed too soon 👎

Tried another test on Windows Server 2012 R2 with all updates installed - Powershell v 5.0 - using your patch version from .zip above - here's what I see:

PS C:\Users\Administrator> import-module c:\pspki
get-module pspki

$ADFSSelfSignedCertificateExParameters = @{
Subject = 'CN=*.nienhiserlab.com'
ProviderName = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
KeyLength = 2048
FriendlyName = 'NienhiserADFS SelfSigned'
SignatureAlgorithm = 'SHA256'
AlgorithmName = 'RSA'
EKU = 'Server Authentication', 'Client authentication'
KeyUsage = 'KeyEncipherment, DigitalSignature'
SAN = 'dns:adfs.nienhiserlab.com'
Exportable = $true
StoreLocation = 'LocalMachine'
}

$adfscertificate = New-SelfSignedCertificateEx @ADFSSelfSignedCertificateExParameters

ModuleType Version Name  ExportedCommands
---------- ------- ----  ----------------
Script     3.4.0.1 pspki {Add-AdCertificate, Add-AdCertificateRevocationList, Add...
lp-83b8a3bf-0a1a-48d4-8210-f673b5fe8767
New-SelfSignedCertificateEx : Exception calling "Build" with "1" argument(s): "Keyset does not exist
"
At line:19 char:20
+ ... rtificate = New-SelfSignedCertificateEx @ADFSSelfSignedCertificateExP ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-SelfSignedCertificateEx], MethodInvocationException
    + FullyQualifiedErrorId : CryptographicException,New-SelfSignedCertificateEx

This did work with previous versions.

The Good news is that your example that wouldn't work (again on WS2K12R2) prior to the patch .zip above now works OK:

PS C:\Users\Administrator> $cert=New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" -EKU "Code Signing" -KeySpec "Signature" `
-KeyUsage "DigitalSignature" -FriendlyName "Test code signing" -NotAfter $((Get-Date).AddYears(5))

lp-6dd5ca6a-078f-4fe7-bc8e-c155e6c443c1

PS C:\Users\Administrator>

@Crypt32
Collaborator

Crypt32 commented Oct 18, 2018

I will take a look. There is something wrong with the machine context. If you specify the store location as current user, the command will succeed.

Crypt32 added a commit to PKISolutions/pkix.net that referenced this issue Oct 19, 2018
@Crypt32
Collaborator

Crypt32 commented Oct 19, 2018

I fixed the last piece of the issue in this thread. @dnienhis, I tested your example and it now works in machine context as well.

@Crypt32
Collaborator

Crypt32 commented Oct 22, 2018

Update delivered to PS Gallery: https://www.powershellgallery.com/packages/PSPKI/3.4.1.0

@dnienhis
Author

I just downloaded the update - my test/example now works fine - thank you very much - however the examples from your help file are not quite so happy - unless I'm doing something wrong. Again, testing on a W2K12R2 server. Here's the output:

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> uninstall-module pspki
PS C:\Users\Administrator> install-module pspki

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from
'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
WARNING: Version '3.4.0.1' of module 'PSPKI' is already installed at 'C:\Program
Files\WindowsPowerShell\Modules\PSPKI\3.4.0.1'. To install version '3.4.1.0', run Install-Module and add the -Force
parameter, this command will install version '3.4.1.0' in side-by-side with version '3.4.0.1'.
PS C:\Users\Administrator> install-module pspki -Force
PS C:\Users\Administrator> get-module

ModuleType Version Name ExportedCommands


Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Con...
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Binary 1.0.0.1 PackageManagement {Find-Package, Find-PackageProvider, Get-Package, Get-Pack...
Script 1.0.0.1 PowerShellGet {Find-Command, Find-DscResource, Find-Module, Find-RoleCap...

PS C:\Users\Administrator> import-module pspki
PS C:\Users\Administrator> get-module

ModuleType Version Name ExportedCommands


Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Con...
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Binary 1.0.0.1 PackageManagement {Find-Package, Find-PackageProvider, Get-Package, Get-Pack...
Script 1.0.0.1 PowerShellGet {Find-Command, Find-DscResource, Find-Module, Find-RoleCap...
Script 3.4.1.0 pspki {Add-AdCertificate, Add-AdCertificateRevocationList, Add-A...

PS C:\Users\Administrator> New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" -EKU "Code Signing" -KeySpec "Sig
nature" `

-KeyUsage "DigitalSignature" -FriendlyName "Test code signing" -NotAfter $((Get-Date).AddYears(5))

Thumbprint Subject


215F1588C9B92322BF812FFFEF6D290115CCA7A3 CN=Test Code Signing

PS C:\Users\Administrator> New-SelfsignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication", "Clien
tauthentication" `

-KeyUsage "KeyEcipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" -AllowSMIME -Path C:\temp\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable
-StoreLocation "LocalMachine"

New-SelfSignedCertificateEx : Cannot process argument transformation on parameter 'KeyUsage'. Cannot convert value
"KeyEcipherment, DigitalSignature" to type "System.Security.Cryptography.X509Certificates.X509KeyUsageFlags". Error:
"Unable to match the identifier name KeyEcipherment, DigitalSignature to a valid enumerator name. Specify one of the
following enumerator names and try again:
None, EncipherOnly, CrlSign, KeyCertSign, KeyAgreement, DataEncipherment, KeyEncipherment, NonRepudiation,
DigitalSignature, DecipherOnly"
At line:2 char:11

+ -KeyUsage "KeyEcipherment, DigitalSignature" -SAN "sub.domain.com","w ...
+       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [New-SelfSignedCertificateEx], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,New-SelfSignedCertificateEx

PS C:\Users\Administrator> New-SelfsignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication", "Clien
t authentication" `

-KeyUsage "KeyEcipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" -StoreLocation "LocalMachine" -ProviderName "Microsoft Software Key Storage Provider" -AlgorithmName ecdsa_p256
-KeyLength 256 -SignatureAlgorithm sha256

New-SelfSignedCertificateEx : Cannot process argument transformation on parameter 'KeyUsage'. Cannot convert value
"KeyEcipherment, DigitalSignature" to type "System.Security.Cryptography.X509Certificates.X509KeyUsageFlags". Error:
"Unable to match the identifier name KeyEcipherment, DigitalSignature to a valid enumerator name. Specify one of the
following enumerator names and try again:
None, EncipherOnly, CrlSign, KeyCertSign, KeyAgreement, DataEncipherment, KeyEncipherment, NonRepudiation,
DigitalSignature, DecipherOnly"
At line:2 char:11

+ -KeyUsage "KeyEcipherment, DigitalSignature" -SAN "sub.domain.com","w ...
+       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [New-SelfSignedCertificateEx], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,New-SelfSignedCertificateEx

PS C:\Users\Administrator> New-SelfsignedCertificateEx -Subject "CN=Test Root CA, OU=Sandbox" -IsCA $true -ProviderName
`

"Microsoft Software Key Storage Provider" -Exportable

Thumbprint Subject


3ACB9201C37263D38D198DE29FCCD118F59E83EB CN=Test Root CA, OU=Sandbox

PS C:\Users\Administrator> $ADFSSelfSignedCertificateExParameters = @{

Subject            = 'CN=*.nienhiserlab.com'
ProviderName       = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
KeyLength          = 2048
FriendlyName       = 'NienhiserADFS SelfSigned'
SignatureAlgorithm = 'SHA256'
AlgorithmName      = 'RSA'
EKU                = 'Server Authentication', 'Client authentication'
KeyUsage           = 'KeyEncipherment, DigitalSignature'
SAN                = 'dns:adfs.nienhiserlab.com'
Exportable         = $true
StoreLocation      = 'LocalMachine'

}

PS C:\Users\Administrator> $adfscertificate = New-SelfSignedCertificateEx @ADFSSelfSignedCertificateExParameters
PS C:\Users\Administrator>
PS C:\Users\Administrator>
PS C:\Users\Administrator>

@Crypt32
Collaborator

Crypt32 commented Oct 22, 2018

I will update online help as soon as I can.

@Crypt32
Collaborator

Crypt32 commented Oct 22, 2018

In the given failed examples, there is a typo in "KeyEncipherment": the help refers to "KeyEcipherment" with a missing "n" character. Also, examples with the "-File" parameter won't work (even though it works, you must use parameters within the selected parameter set).
