Channel: Public Key Infrastructure PowerShell module

New Post: Get Pending Requests with SAN / DNS

Starting with PSPKI v3.0, this process becomes much easier:
# look up the Extension table row of the request and keep only the SAN extension (OID 2.5.29.17)
$extension = get-ca $ca | Get-DatabaseRow -RowID $RequestID -Table Extension | ?{ $_.ExtensionName -eq "2.5.29.17" }
if ($extension) {
     Write-Host "Request with Id=$RequestID is configured for SAN"
} else {
     Write-Host "Request with Id=$RequestID is NOT configured for SAN"
}
And to view SAN extension values, the following technique could be used:
# ExtensionRawValue holds the DER-encoded extension value as a base64 string
$base64 = (get-ca $ca | Get-DatabaseRow -RowID $RequestID -Table Extension | ?{ $_.ExtensionName -eq "2.5.29.17" }).ExtensionRawValue
$asn = New-Object Security.Cryptography.AsnEncodedData (,[Convert]::FromBase64String($base64))
# second argument is the Critical flag; the SAN extension is not treated as critical here
$san = New-Object Security.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $asn, $false
$san.AlternativeNames
We access the Extension table and select the extension raw value (which is base64-encoded), convert it to a byte array, instantiate AsnEncodedData and then construct the SAN extension object. There is an AlternativeNames property which contains all SANs with their types, values and raw values. More details here: X509SubjectAlternativeNamesExtension Class
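The decoding step above is the one place where an off-by-one in length handling shows up as names missing their last character, so here is an added example (not code from the thread or from the PSPKI project) that walks the DER of a SAN value directly, copying exactly the declared length of each GeneralName, and then applies it to every pending request so an approver can see the requested names before issuing. Get-CertificationAuthority, Get-PendingRequest and Get-DatabaseRow are PSPKI cmdlets and the ExtensionName / ExtensionRawValue row properties are the ones used in the post; the RequestID property of the pending-request object is an assumption, as are all function names and the constructed sample value.

```powershell
function Read-DerLength {
    # Decodes a DER length (short or long form) at $Offset and advances $Offset past it.
    param([byte[]]$Bytes, [ref]$Offset)
    $first = [int]$Bytes[$Offset.Value]
    $Offset.Value++
    if ($first -lt 0x80) { return $first }
    $count = $first -band 0x7F
    if ($count -eq 0 -or $count -gt 4) { throw "Unsupported DER length encoding" }
    $len = 0
    for ($i = 0; $i -lt $count; $i++) {
        $len = ($len -shl 8) -bor [int]$Bytes[$Offset.Value]
        $Offset.Value++
    }
    return $len
}

function ConvertFrom-SanExtension {
    # Returns one object (Type, Value) per GeneralName in a base64 SAN extension value.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Base64RawValue)
    $der = [Convert]::FromBase64String($Base64RawValue)
    $pos = 0
    if ($der[$pos] -ne 0x30) {
        throw ("SAN value must start with SEQUENCE (0x30), got 0x{0:X2}" -f $der[$pos])
    }
    $pos++
    $seqLen = Read-DerLength -Bytes $der -Offset ([ref]$pos)
    $end = $pos + $seqLen
    if ($end -ne $der.Length) { throw "SEQUENCE length does not match the value length" }
    while ($pos -lt $end) {
        $tag = $der[$pos]; $pos++
        $len = Read-DerLength -Bytes $der -Offset ([ref]$pos)
        if ($pos + $len -gt $end) { throw "GeneralName runs past the SEQUENCE" }
        $value = New-Object byte[] $len
        [Array]::Copy($der, $pos, $value, 0, $len)   # exactly $len bytes: the last name is not shortened
        $pos += $len
        switch ($tag) {
            0x81 { $type = 'RFC822 Name'; $text = [Text.Encoding]::ASCII.GetString($value) }
            0x82 { $type = 'DNS Name';    $text = [Text.Encoding]::ASCII.GetString($value) }
            0x86 { $type = 'URL';         $text = [Text.Encoding]::ASCII.GetString($value) }
            0x87 { $type = 'IP Address';  $text = (New-Object System.Net.IPAddress (,$value)).ToString() }
            default { $type = ('Other (tag 0x{0:X2})' -f $tag); $text = [BitConverter]::ToString($value) }
        }
        [pscustomobject]@{ Type = $type; Value = $text }
    }
}

function Get-PendingRequestSan {
    # Lists every pending request that carries a SAN extension together with the decoded names.
    # RequestID on the pending-request object is assumed (hypothetical property name).
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$CA)
    $caObj = Get-CertificationAuthority -Name $CA
    foreach ($req in ($caObj | Get-PendingRequest)) {
        $ext = $caObj | Get-DatabaseRow -RowID $req.RequestID -Table Extension |
            Where-Object { $_.ExtensionName -eq '2.5.29.17' }
        if (-not $ext) { continue }
        $names = ConvertFrom-SanExtension -Base64RawValue $ext.ExtensionRawValue
        [pscustomobject]@{
            RequestID = $req.RequestID
            SAN       = ($names | ForEach-Object { "$($_.Type)=$($_.Value)" }) -join ', '
        }
    }
}

function New-SampleSanBase64 {
    # Constructed input (no CA needed): the DER a CA would store for the DNS names
    # test.example.com and test2.example.com, base64-encoded like ExtensionRawValue.
    $body = New-Object 'System.Collections.Generic.List[byte]'
    foreach ($n in 'test.example.com', 'test2.example.com') {
        $b = [Text.Encoding]::ASCII.GetBytes($n)
        $body.Add(0x82)          # [2] IMPLICIT IA5String = dNSName
        $body.Add($b.Length)     # short-form length, both names are shorter than 128 bytes
        $body.AddRange($b)
    }
    $der = New-Object 'System.Collections.Generic.List[byte]'
    $der.Add(0x30)               # SEQUENCE OF GeneralName
    $der.Add($body.Count)
    $der.AddRange($body)
    [Convert]::ToBase64String($der.ToArray())
}

# Offline check against the constructed sample; against a live CA use Get-PendingRequestSan -CA <name>
$decoded = ConvertFrom-SanExtension -Base64RawValue (New-SampleSanBase64)
($decoded | ForEach-Object { "$($_.Type)=$($_.Value)" }) -join ', '
```

The offline check should print both names in full, ending in ".com"; the explicit length bound (`$pos + $len -gt $end`) also rejects a value whose inner lengths disagree with the outer SEQUENCE instead of silently reading past it.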

Commented Unassigned: [Feature request] Allow easy retrieval of local CA instance [67]

Hello,

First, I wanted to say you did a wonderful job with the 3.0 release!

Another (very minor) feature request from me... Most of the time (in my case anyway) you execute PSPKI commands from the CA server itself, but you still have to pass an instance of the CA to (almost) every command, which you have to previously retrieve through either the machine name or the CA name.

I ended up creating a small helper function that retrieves the CA object for the local server and thought it might be useful to others as well.

Even better than a helper function that gets the local instance (which would still be useful in some cases), it would be good that all cmdlets that expect a CertificationAuthority object as input consider no value as the local CA (and throw an exception if the local machine is not a CA of course).

Jordan
Comments: Erf... didn't read documentation enough once again. Yes, Connect-CA without parameters is clearly enough as the helper function I described... The issue can be closed then. Thank you and sorry :)

Closed Unassigned: [Feature request] Allow easy retrieval of local CA instance [67]


New Post: Get Pending Requests with SAN / DNS

Hi Camelot,

I just tried your last example. Any idea why the result would be truncated? I am missing the last character of every domain name returned:

This is what I get:
DNS Name=test.example.co, DNS Name=test2.example.co
But I would expect:
DNS Name=test.example.com, DNS Name=test2.example.com
Thanks!

Created Unassigned: ASN.1 -- signed integers are incorrectly encoded and decoded [69]

ASN.1 -- signed integers are incorrectly encoded and decoded. Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/bb540806(v=vs.85).aspx

New Post: Parsing Certificate Signing Request (CSR)

When parsing a CSR with PSPKI, how can I retrieve the "Key Id Hash(sha1): ....."?
I can retrieve it using the 'certutil' tool, however, I am looking for a PSPKI solution if one exists.

Thanks,

New Post: Parsing Certificate Signing Request (CSR)

There is a Subject Key Identifier extension (in the Extensions property) in the request. This extension contains KeyId value.

New Post: Parsing Certificate Signing Request (CSR)

Perfect.
Thanks for the quick reply.

New Post: Thank you - Built SHA-1/2 test function using your code

You can get rid of C# signature, because it is not necessary for your task.

New Post: Thank you - Built SHA-1/2 test function using your code

Oh, thank you. Didn't quite understand what that part actually did, so I was erring on the side of caution. Updated the gist accordingly.

New Post: Thank you - Built SHA-1/2 test function using your code

This part was used to output the object that contains information about server certificate and main properties.

BTW, I looked at your items on GitHub and found one item: https://gist.github.com/derekmurawsky/7758750
Are you aware that OpenSSL is not required for that? Certutil is able to merge a separate PKCS#1 private key file and certificate into a PKCS#12/PFX file. This module contains a command which wraps this: https://pspki.codeplex.com/wikipage?title=Convert-PemToPfx
More details here:
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=45
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=46

New Post: Thank you - Built SHA-1/2 test function using your code

I was not aware of that, no. Fantastic. Now I don't need to muck about with OpenSSL anymore! Really glad I found your package. Much appreciated.
BTW, have you considered using Chocolatey to distribute your code? I maintain a few packages and use it extensively to manage many of the packages in my infrastructure.
Thanks again.

New Post: Thank you - Built SHA-1/2 test function using your code

BTW, have you considered using Chocolatey to distribute your code?
Currently, CodePlex is the only valid distribution point for this project and I don't have plans to move somewhere else (to GitHub or wherever) or to use additional distribution points until there is a use case.

Created Unassigned: [Feature request] Set-CertificateSubject [70]

Hello,

I'm not even sure it's technically possible but if it is, I would really like an equivalent of the new Set-CertificateExtension that would be able to change the subject name of a pending request.

I often have the case where subscribers do not respect our naming conventions when submitting requests, and so I have to reject the request, explain the conventions once more and wait for the subscriber to resubmit it. With such a feature, I could simply fix the subject myself and directly approve it.

Jordan

Commented Unassigned: [Feature request] Set-CertificateSubject [70]

Comments: It is impossible to override Subject field for the signed request.

Closed Unassigned: [Feature request] Set-CertificateSubject [70]


New Post: CR - Carriage Return in RawCertificate

I am attempting to create a script that exports a cert to a .cer file, but it seems that
Get-IssuedRequest -Property "RawCertificate" is adding a CR after the RawCertificate data.
I need help removing the CR or improving the process.

I am using the snippet below to get the RawCertificate and create a file.
I can build a .cer file that opens correctly but it is not seen as a valid cert on my load balancing device. Openssl commands used to verify the cert fail as well unless I remove the CR.
#get ALL certs created today and download to a local folder
write-host "Copying Today's Approved Certs to C:\temp\ssl\upload\" -ForegroundColor Yellow
$approvedcerts = Get-CertificationAuthority -Name ca-i03 | Get-IssuedRequest -Property "RawCertificate" -Filter "NotBefore -ge $(Get-Date)"

foreach ($approvedcert in $approvedcerts)
{

  #building Filename: <host>_I_<expiry year>.cer
  $certexpyear = $approvedcert.NotAfter.Year
  $filename = $approvedcert.CommonName
  $filename = $filename -replace "\.bcbsfl\.com"   # -replace takes a regex, so the dots are escaped
  $filename = $filename + '_I_' + $certexpyear + '.cer'
  $filename

  New-Item    c:\temp\ssl\upload\$filename -type file
  Add-Content c:\temp\ssl\upload\$filename "-----BEGIN CERTIFICATE-----"

  #RawCertificate is the base64 body; this is the line after which the extra CR ends up in the file
  $approvedcert.RawCertificate | Add-Content c:\temp\ssl\upload\$filename

  Add-Content c:\temp\ssl\upload\$filename "-----END CERTIFICATE-----"

}

New Post: CR - Carriage Return in RawCertificate

It seems that 3rd party tools aren't very smart with CR character. You can easily work around this issue by using the following line:
$approvedcert.RawCertificate.TrimEnd() | Add-Content c:\temp\ssl\upload\$filename -Encoding ASCII
In addition, I would recommend to save the file by using ASCII encoding, because not all tools support Unicode encoding for base64-encoded files (Add-Content uses Unicode by default).
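Trimming the CR and forcing ASCII are the two fixes above; as an added example (not code from the thread or from PSPKI) here is an export routine that does both in one place and verifies its own output. It strips every stray whitespace character from the RawCertificate value, parses the DER before anything is written (an unparsable blob should never reach a load balancer labelled as a certificate), wraps the base64 at 64 columns, writes the file as ASCII through .NET rather than Add-Content, and then re-reads the file to confirm it contains no CR or non-ASCII bytes and still parses to the same thumbprint. Function names, the output path and the self-signed sample certificate are assumptions; the sample needs .NET Framework 4.7.2+ or PowerShell 7 for CertificateRequest.

```powershell
function Export-PemCertificate {
    # Writes a PEM file from the base64 RawCertificate column and returns the certificate thumbprint.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$RawCertificate,   # base64 as held in the CA database
        [Parameter(Mandatory)][string]$Path
    )
    $clean = $RawCertificate -replace '\s', ''            # drop CR, LF, spaces and tabs wherever they sit
    $der = [Convert]::FromBase64String($clean)
    # Parse first: a value that is not a certificate must not be written out as one
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
    $b64 = [Convert]::ToBase64String($der)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $pem = "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
    # ASCII, LF-terminated: no UTF-16 BOM and no CR for third-party tools to choke on
    [IO.File]::WriteAllText($Path, $pem, [Text.Encoding]::ASCII)
    return $cert.Thumbprint
}

function Test-PemCertificate {
    # Re-reads the file and checks byte content and that it parses to the expected certificate.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $bytes = [IO.File]::ReadAllBytes($Path)
    if ($bytes -contains 13) { throw "file contains a carriage return" }
    if (($bytes | Where-Object { $_ -gt 127 }).Count -ne 0) { throw "file contains non-ASCII bytes" }
    $reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return ($reloaded.Thumbprint -eq $ExpectedThumbprint)
}

function New-SampleRawCertificate {
    # Constructed stand-in for a CA database row: a throw-away self-signed certificate,
    # base64-encoded with a trailing CR like the one reported in this thread.
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $rsa.KeySize = 2048
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        'CN=sample.example.com', $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $cert = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
    return ([Convert]::ToBase64String($cert.RawData) + "`r")
}

# Round trip on the constructed sample; with a live CA pass $approvedcert.RawCertificate instead
$out = Join-Path $env:TEMP 'sample_I_2025.cer'
$thumb = Export-PemCertificate -RawCertificate (New-SampleRawCertificate) -Path $out
Test-PemCertificate -Path $out -ExpectedThumbprint $thumb
```

Writing through [IO.File]::WriteAllText with an explicit encoding avoids the Add-Content default entirely, so the result is the same on Windows PowerShell and PowerShell 7; the thumbprint comparison makes sure the file that lands on the load balancer is the certificate that was pulled from the database.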

New Post: CR - Carriage Return in RawCertificate

ASCII encoding the 'TrimEnd' change did the trick! I didn't need to change the encoding when I saved the file but I will remember that if issues like that ever come up again.

Thank you so much!