
Updated Wiki: Home


Powered by Windows PowerShell


Project Description
This module is intended to simplify certain PKI management tasks by using automation with Windows PowerShell.

This module is intended for Certification Authority management. For local certificate store management, consider using the Quest AD PKI cmdlets.

Module Requirements

  • Windows PowerShell 3.0
  • .NET Framework 4.0

This module can run on any of the following operating systems:

  • Windows Server 2008*/2008 R2/2012/2012 R2
  • Windows Vista**/7**/8**/8.1**

* Server Core installation is not supported.
** with RSAT (Remote Server Administration Tools) installed

Certification Authority requirements
This module supports Enterprise or Standalone Certification Authority servers that are running one of the following operating systems:

  • Windows Server 2003/2003 R2
  • Windows Server 2008 (including Server Core)
  • Windows Server 2008 R2 (including Server Core)
  • Windows Server 2012 (including Server Core)
  • Windows Server 2012 R2 (including Server Core)

Command list:
Full command list for the latest release:


The following technologies and products were used to design this module:


Released: PowerShell PKI Module v3.0 (Aug 10, 2014)

Important: I would like to hear more about what you think of the project. I appreciate that you like it (2000 downloads over the past 6 months), but maybe you have something to say? What do you dislike in the module? Maybe you would love to see some new functionality? Tell me what you think!

Installation guide:

  • Use the default installation path to install this module for the current user only.
  • To install this module for all users, enable the "Install for all users" check-box in the installation UI.
  • If previous module installations are detected, they are removed during upgrade.

Breaking Changes

With this release I completely discontinue module installation on Windows XP and Windows Server 2003. However, you can still manage Windows Server 2003-based CA servers.
  • The underlying API library is compiled against .NET Framework 4.0.
  • Due to .NET 4.0, PowerShell 2.0 is no longer supported. The minimum supported PowerShell version is 3.0.
  • If you still need to run the module on legacy operating systems, use PSPKI v2.8.

Release notes for version 3.0

New commands:

  • Get-CertificateRequest
  • Get-CASecurityDescriptor
  • Add-CAAccessControlEntry
  • Remove-CAAccessControlEntry
  • Set-CAAccessControlEntry
  • Get-DatabaseRow
  • Remove-DatabaseRow
  • Set-CertificateExtension

Deprecated commands:

  • Get-IssuedCRL
  • Remove-Request

More details in my weblog:
PKI.Core.dll API documentation is published at http://pkix2.sysadmins.lv/library/. PKI.Core.dll sources are published in PKILib 3.0.0.0.zip.

For details about the new commands please see the main page: http://pspki.codeplex.com/

P.S. If you found a bug, or want to suggest new features, please open a work item in the Issue Tracker: http://pspki.codeplex.com/workitem/list/basic
For general discussions you can post here: http://pspki.codeplex.com/discussions
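The CA ACL commands introduced in this release (Get-CASecurityDescriptor and the Add-/Remove-/Set-CAAccessControlEntry cmdlets) are the ones an auditor of an ADCS deployment reaches for first: a principal holding ManageCA or ManageCertificates on the CA object can issue or revoke arbitrary certificates, which is effectively domain-wide trust. The following is an added example, not part of this release post and not PSPKI project code. It walks every CA returned by Get-CA, reads its security descriptor and reports any Allow entry for a management right whose identity is not on a placeholder allow-list. The property names on the returned descriptor (Access, IdentityReference, Rights, AccessControlType) and the DisplayName property of the CA object are assumptions based on the usual .NET security-descriptor shape; confirm them with Get-Member on your installed version before relying on the output.

```powershell
# Added example (not PSPKI project code). Assumes the PSPKI 3.0 module is installed and
# the running account has Read rights on each CA. Property names used on the object from
# Get-CASecurityDescriptor are ASSUMED; verify with:
#   Get-CA | Get-CASecurityDescriptor | Get-Member
Import-Module PSPKI

# Placeholder allow-list: principals expected to hold administrative CA rights.
$ExpectedAdmins = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Enterprise Admins',
    'CONTOSO\PKI Admins'
)

function Get-UnexpectedCAAdmins {
    param(
        [Parameter(Mandatory)] $CA,                  # object from Get-CA / Connect-CA
        [string[]] $Allowed = $ExpectedAdmins
    )
    $sd = $CA | Get-CASecurityDescriptor
    foreach ($ace in $sd.Access) {
        # Only Allow entries that grant a management right matter for this check.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [string]$ace.Rights
        if ($rights -notmatch 'ManageCA|ManageCertificates') { continue }
        $who = [string]$ace.IdentityReference
        if ($Allowed -contains $who) { continue }
        [pscustomobject]@{
            CA       = $CA.DisplayName
            Identity = $who
            Rights   = $rights
        }
    }
}

# Audit every CA published in the forest; anything printed is an ACE to justify or remove.
$findings = Get-CA | ForEach-Object { Get-UnexpectedCAAdmins -CA $_ }
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No unexpected ManageCA / ManageCertificates holders found.'
}
```

Run it from an administrative workstation rather than on the CA itself, which is also the maintainer's recommended mode of operation for the module; remediation of a flagged entry is then done with the Remove-CAAccessControlEntry cmdlet from this release.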

New Post: translate the Request.StatusCode

Is it possible to translate the Request.StatusCode (from Get-FailedRequest) to its corresponding text "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422)"? And how?

```
RequestID                  : 411
Request.StatusCode         : -2146877422
Request.DispositionMessage : Denied by Policy Module
Request.SubmittedWhen      : 15.07.2014 10:58:53
Request.CommonName         : cname
CertificateTemplate        : 1.21.8.14124815.13763859.4670593.6739376.12932320.234.5355479.1536
RowId                      : 411
ConfigString               : SubCA
Table                      : Request
```

New Post: translate the Request.StatusCode

Yes, it is possible externally. In other words, it is not done automatically. If you want to convert HRESULT statuses, you can use the Get-ErrorMessage command from the module. Example:
```
PS C:\> Get-ErrorMessage -2146877422
The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
PS C:\>
```
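The answer above translates one code by hand. An added example, not from either post and not PSPKI project code: the same translation applied to every failed request of a CA, so that the rows Get-FailedRequest returns carry both the familiar 0x8009xxxx form of the HRESULT and its text, and can be grouped by reason. The property names are taken from the output shown in the question; the CA name 'SubCA' is the ConfigString from that output and is only a placeholder.

```powershell
# Added example (not from the original posts or the PSPKI project). Assumes PSPKI 3.0 is
# loaded and the caller can read the CA database. 'SubCA' is a placeholder CA name.
Import-Module PSPKI

function Get-FailedRequestReport {
    param(
        [Parameter(Mandatory)] [string] $CAName
    )
    Connect-CA $CAName | Get-FailedRequest | ForEach-Object {
        # Request.StatusCode is stored as a signed 32-bit integer (e.g. -2146877422).
        $code = [int]$_.'Request.StatusCode'
        [pscustomobject]@{
            RequestID   = $_.RequestID
            Template    = $_.CertificateTemplate
            Submitted   = $_.'Request.SubmittedWhen'
            Disposition = $_.'Request.DispositionMessage'
            # X8 formatting of a negative Int32 yields the two's-complement HRESULT, e.g. 0x80094012.
            HResult     = ('0x{0:X8}' -f $code)
            # Get-ErrorMessage is the module's own HRESULT-to-text translator.
            Reason      = (Get-ErrorMessage $code)
        }
    }
}

# Group by reason so repeated denials (e.g. template permission problems) stand out.
Get-FailedRequestReport -CAName 'SubCA' |
    Group-Object Reason |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

A spike of "Denied by Policy Module" rows with the template-permission reason usually means a group was removed from a template's Enroll ACL, or that a client is requesting a template it was never meant to use; either way the report points at the template OID to inspect next.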

Created Unassigned: [Feature request] Allow easy retrieval of local CA instance [67]

Hello,

First, I wanted to say you did a wonderful job with the 3.0 release!

Another (very minor) feature request from me... Most of the time (in my case anyway) you execute PSPKI commands from the CA server itself but still you always have to pass to (almost) every command an instance of the CA that you have to previously retrieve through either the machine name or the CA name.

I ended up creating a small helper function that retrieves the CA object for the local server and thought it might be useful to others as well.

Even better than a helper function that gets the local instance (which would still be useful in some cases), it would be good that all cmdlets that expect a CertificationAuthority object as input consider no value as the local CA (and throw an exception if the local machine is not a CA of course).

Jordan

Created Unassigned: [Bug] OCSPRequest and nonce support [68]

Hi again,

It seems there was a regression between v2.8 and v3.0 on OCSP support for nonce values.
With v2.8, when I executed:
```
New-Object PKI.OCSP.OCSPRequest $cert, $true
```
I got in return `Nonce=$true` and `NonceValue=random_value` but now with 3.0 `Nonce` is still `$true` but `NonceValue` is now empty.

When looking at the source, `NonceValue` indeed does not seem to be initialized anywhere and the private m_encode method was simplified and does not generate a nonce anymore.

Jordan

Commented Unassigned: [Feature request] Allow easy retrieval of local CA instance [67]

Comments:
> Most of the time (in my case anyway) you execute PSPKI commands from the CA server itself

It is not recommended to run the module from the CA server. Any logon to the CA server should be restricted. Therefore all server-side commands support remote CAs. That is, the CA administrator should manage the CA server from his own PC. This is why I didn't add a local CA default lookup. In addition, the module is intended to manage CAs in bulk. Say, restart all CAs in the forest: `Get-CA | Restart-CA`. I know certutil is designed to use the local CA by default, but it isn't a good practice from my (and other PKI experts') perspective. The CA server should be managed remotely. Therefore, it is unlikely that I will change the designed behavior (not because I don't want to) and it would be reasonable to create a helper if necessary.

Commented Unassigned: [Bug] OCSPRequest and nonce support [68]

Comments: Yes, the NonceValue property is not updated by the code. However, the nonce value is added to the request object (you can see it in the RawData property of the OCSPRequest object). I'll update this part. If you can compile the sources, you can add this line at the end of the IF clause (line 192):
```csharp
NonceValue = listExtensions[listExtensions.Count - 1].Format(false);
```

Commented Unassigned: [Bug] OCSPRequest and nonce support [68]

Comments: I checked the previous version and it looks like this part was missing while I rewrote the code. But, as I said, the nonce is sent to the server. Also I found another related issue. The Value property of X509NonceExtension has no setter, which it should have, and this accessor should be set from this constructor:
```csharp
public X509NonceExtension(AsnEncodedData nonceValue, Boolean critical)
```
Therefore, the returned nonce value is displayed (only displayed) as zero in all cases. I fixed this part already: in OCSPResponse.cs, replace lines 256-262 with the following:
```csharp
foreach (X509Extension item in exts) {
    Cryptography.AddExtensionToCollection(item, ref listExtensions);
    if (listExtensions[listExtensions.Count - 1].Oid.Value == "1.3.6.1.5.5.7.48.1.2") {
        NonceReceived = true;
        NonceValue = listExtensions[listExtensions.Count - 1].Format(false);
    }
}
```
And here is the new X509NonceExtension.cs file (with removed comments):
```csharp
using PKI.ASN;
using PKI.ManagedAPI;
using System.Globalization;
using System.Linq;
using System.Text;

namespace System.Security.Cryptography.X509Certificates {
    public sealed class X509NonceExtension : X509Extension {
        readonly Oid oid = new Oid("1.3.6.1.5.5.7.48.1.2", "OCSP Nonce");

        public X509NonceExtension() {
            m_initialize();
        }
        public X509NonceExtension(AsnEncodedData nonceValue, Boolean critical) {
            Oid = oid;
            RawData = nonceValue.RawData;
            Critical = critical;
            ASN1 asn = new ASN1(nonceValue.RawData);
            Value = Crypt32Managed.CryptBinaryToString(asn.Payload, CryptEncoding.CRYPT_STRING_HEX, 0);
        }

        public String Value { get; private set; }

        void m_initialize() {
            Char[] noncechars = DateTime.Now.Ticks.ToString(CultureInfo.InvariantCulture).ToCharArray();
            Critical = false;
            Oid = oid;
            Byte[] charBytes = noncechars.Select(Convert.ToByte).ToArray();
            Value = Crypt32Managed.CryptBinaryToString(charBytes, CryptEncoding.CRYPT_STRING_HEX, 0);
            RawData = ASN1.Encode(charBytes.ToArray(), 4);
        }

        public override String Format(Boolean multiLine) {
            StringBuilder SB = new StringBuilder();
            SB.Append("Nonce value: " + Value);
            if (multiLine) { SB.Append(Environment.NewLine); }
            return SB.ToString();
        }
    }
}
```
The Value property is changed from "long" to "string" and a private setter is added. The second constructor and the m_initialize() method update this property. This will fix all issues related to the nonce. Again, thanks for the report.

Closed Unassigned: [FeatureRequest] Start-PsFCIV -Online Return Object Information Upgrade [54]

Hi,

Great module, it has proven quite helpful so far. I have a minor feature request though:

Start-PsFCIV:
With the -Online switch I receive the hash information as return objects. That's cool. What would be even better, though, would be if that information contained the FileInfo object for the file. As it is I either have to remember the search root or change the values to contain the full path.
Using accessors it would be fairly trivial to have Size, TimeStamp and Name actually return properties of the FileInfo object (so you can store all data in a single line).

Cheers and once again: Thanks.

Commented Unassigned: [Feature request] Allow easy retrieval of local CA instance [67]

Comments: Hmm, in our environment we are using dedicated accounts in order to manage the CAs that are only able to log on to the CA servers themselves. And then we are using administrative workstations (without any Internet connection, office applications, etc.) and/or a jump server to secure the connection to the server. So in my case remote administration is not an option and is unwanted. Being able to support bulk operations on all CAs in a forest is very nice but in my environment this has never been needed for now. But I understand and respect your position on this.

Commented Unassigned: [Bug] OCSPRequest and nonce support [68]

Comments: You're very welcome. Does that second issue also cause the returned responses to show a `NonceMismatched` error? If yes, that would teach me to check the raw data before filing a bug with one of our partners which I believed had a bug in its implementation (a non-Microsoft OCSP responder which always seemed to return a Nonce=0)... Since it is not a blocking point for me at the moment, I'd prefer to stick with the official release and not publish my own compiled sources... Do you already have an estimated roadmap for future releases of the module?

Commented Unassigned: [Feature request] Allow easy retrieval of local CA instance [67]

Comments: Just to add: Connect-CertificationAuthority without parameters attempts to search for local ADCS instance and fails if ADCS is not installed on the running computer. Doesn't this fit your requirement?

Commented Unassigned: [Bug] OCSPRequest and nonce support [68]

Comments:
> Does that second issue also cause the returned responses to show a NonceMismatched error?

Yes. I don't remember (I need to see the old sources), but it looks like this never worked properly.

> which always seemed to return a Nonce=0)...

Since there was no setter in the Value property, it was always set to 0 when instantiating the object from the raw value.

> Do you already have an estimated roadmap for future releases of the module?

Currently it appears to be a 6-month schedule (Jan/Feb and Jul/Aug). I think it is a very large period, but I am not sure if I can afford shorter periods (a release per quarter).
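The thread establishes two things a user of v3.0 needs to know: the nonce is present in the encoded request even though the NonceValue property is empty, and the responder-side NonceValue is always displayed as zero. Until a fixed build ships, the only reliable check is on the raw bytes. The following is an added example, not from the thread and not PSPKI project code. It builds the request in the form the reporter used, then walks the DER of the RawData property (which the maintainer says carries the nonce) to locate the id-pkix-ocsp-nonce extension and extract its value. It assumes $cert is an X509Certificate2 for which the module can build an OCSP request, and that the nonce is encoded exactly as the posted X509NonceExtension source shows (non-critical, an OCTET STRING wrapping an OCTET STRING of ASCII digits); the DER walking is mine and is deliberately minimal.

```powershell
# Added example (not PSPKI project code). Assumes PSPKI 3.0 is loaded and $cert is an
# X509Certificate2 the module can build an OCSP request for. RawData on OCSPRequest is
# the encoded request (stated in the thread); the DER walking below is the example's own.
Import-Module PSPKI

# DER encoding of OID 1.3.6.1.5.5.7.48.1.2 (id-pkix-ocsp-nonce): tag 06, length 09, content.
$NonceOidDer = [byte[]](0x06,0x09,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x02)

function Find-Bytes {
    # Index of the first occurrence of $Needle inside $Haystack, or -1.
    param([byte[]] $Haystack, [byte[]] $Needle)
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $hit = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $hit = $false; break }
        }
        if ($hit) { return $i }
    }
    return -1
}

function Get-OcspRequestNonce {
    # Returns the nonce bytes embedded in an encoded OCSP request, or $null if none is present.
    param([Parameter(Mandatory)] [byte[]] $RawRequest)
    $pos = Find-Bytes -Haystack $RawRequest -Needle $NonceOidDer
    if ($pos -lt 0) { return $null }
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    # The module emits the nonce non-critical, so DER omits the BOOLEAN and the OID is followed
    # directly by extnValue. Its content is itself an OCTET STRING (ASN1.Encode(..., 4) in the
    # posted source) whose content is the nonce.
    $p = $pos + $NonceOidDer.Length
    if ($RawRequest[$p] -ne 0x04) { throw ("unexpected tag 0x{0:X2} after nonce OID" -f $RawRequest[$p]) }
    if ($RawRequest[$p + 1] -band 0x80) { throw "long-form length not handled (nonce unexpectedly large)" }
    $p += 2                                    # skip outer OCTET STRING tag and short-form length
    if ($RawRequest[$p] -ne 0x04) { throw "inner nonce value is not an OCTET STRING" }
    $len = [int]$RawRequest[$p + 1]            # DateTime ticks render as ~18 ASCII digits: short form
    return [byte[]]$RawRequest[($p + 2)..($p + 1 + $len)]
}

$req   = New-Object PKI.OCSP.OCSPRequest $cert, $true     # $true = include a nonce
$nonce = Get-OcspRequestNonce -RawRequest $req.RawData
if ($nonce) {
    # Per the posted X509NonceExtension source the nonce is the ASCII digits of DateTime.Now.Ticks:
    # unique per request, but derived from the clock and therefore not unpredictable.
    "Nonce present in request ({0} bytes): {1}" -f $nonce.Length, [Text.Encoding]::ASCII.GetString($nonce)
} else {
    "No nonce extension found in request"
}
```

Two caveats follow from the thread itself: a NonceMismatched result from a v3.0 response object says nothing about the responder until the display bug is fixed, and because the nonce is clock-derived rather than random it only protects against accidental caching, not against an attacker who can guess the request time.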

New Post: Get Pending Requests with SAN / DNS

Just for fun ... I had a need to determine whether a cert was configured for SANs or not, so I came up with the following:
```
# Pull the issued certificate for a known request ID and extract its SAN extension text
$CertData = (connect-ca $CertObject.IssuingCa |
    get-issuedrequest -RequestID $CertObject.RequestID |
    Receive-Certificate).GetRawCertData()
$TempCert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
$TempCert.Import($CertData)
# Format($true) renders the extension as multi-line text, one name per line
$SANs = ($TempCert.Extensions | Where-Object {$_.Oid.FriendlyName -eq "Subject Alternative Name"}).Format($true)
```
$SANs will contain the strings which you can operate on for further filtering, or what have you. For example:
```
switch -wildcard ($SANs)
{
    "Other Name*" {
        # UPNs come through as "Other Name:" followed by "Principal Name=..." lines; drop the header
        $SANs = $SANs.Substring(17)
        $SANitem = "UPN"
        return $SANitem # (you could return $SANs for the actual string of UPNs)
    }
    "DNS Name*" {
        # One "DNS Name=host" entry per line: trim the trailing newline and split into entries
        $SANs = $SANs.TrimEnd("`r", "`n") -split "`r?`n"
        $SANitems = @()
        foreach ($SANentry in $SANs) {
            $SANitems += $SANentry.Replace("DNS Name=", "")
        }
        $SANitem = "DNS"
        return $SANitem # (or return $SANitems for the list of DNS names)
    }
}
```
This code will not copy and paste and run for you. It has not been fully sanitized from how I use it in my automations. The code is intended to provide an in-use context only, not just a general usage syntax. :)
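The post above keys on the extension's friendly name and on the position of fixed substrings, which breaks on non-English systems and on certificates that carry several SAN types at once. As an added example (mine, not from the post or the PSPKI project), here is the general form: match the extension by its OID (2.5.29.17) rather than its friendly name, and parse every "Type=value" line the Windows text rendering produces into a map keyed by type. It works on any X509Certificate2, so the object returned by Receive-Certificate can be passed straight in; to keep the script runnable stand-alone, it takes the first certificate from the current user's store as a placeholder input.

```powershell
# Added example (not from the original post or PSPKI). Works on any X509Certificate2,
# including the output of Receive-Certificate. The certificate picked from Cert:\CurrentUser\My
# below is only a placeholder so the script runs stand-alone.

function Get-SanNames {
    # Returns a hashtable keyed by SAN type as Windows renders it ("DNS Name", "Principal Name",
    # "RFC822 Name", "IP Address", ...) with an array of values for each type.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $result = @{}
    # Match by OID: the friendly name is locale-dependent, the OID is not.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return $result }

    foreach ($line in ($ext.Format($true) -split "`r?`n")) {
        # Value lines look like "DNS Name=www.contoso.com" or, indented under an
        # "Other Name:" header, "     Principal Name=user@contoso.com". Headers have no '='
        # and are skipped by the regex.
        if ($line -match '^\s*(?<type>[^=]+?)\s*=\s*(?<value>.+?)\s*$') {
            $type = $Matches.type
            if (-not $result.ContainsKey($type)) { $result[$type] = @() }
            $result[$type] += $Matches.value
        }
    }
    return $result
}

$cert = Get-ChildItem Cert:\CurrentUser\My | Select-Object -First 1
$san  = Get-SanNames -Certificate $cert
foreach ($type in $san.Keys) {
    "{0}: {1}" -f $type, ($san[$type] -join ', ')
}
if ($san.ContainsKey('DNS Name')) {
    "Certificate carries {0} DNS name(s)" -f $san['DNS Name'].Count
}
```

The type labels themselves still come from the Windows formatter and are therefore English-locale strings; if the script has to run on localized servers, compare against the labels Format($true) produces there, or decode the extension's RawData directly instead of its text rendering.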