Channel: Public Key Infrastructure PowerShell module

Commented Unassigned: import-module pspki in visual studio 2013 for asp.net application [82]

Import-Module pspki doesn't import the pspki module, and hence I am not able to use the Get-CertificateRequest command in a .NET application (to be specific, in an ASP.NET code-behind page written in C#). Can someone please guide me on how I can use the pspki module from a C# page?
Comments: I don't have experience using the module in ASP.NET applications, but you can use the PKI.Core.dll .NET library in your application. In general, the module is a wrapper for the PKI.Core.dll library. The library exposes a lot of public APIs. In order to work with certificate requests, you can use the X509CertificateRequest class: http://pkix2.sysadmins.lv/library/html/T_System_Security_Cryptography_X509CertificateRequests_X509CertificateRequest.htm which supports both PKCS#10 and PKCS#7 certificate requests.
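An added example (not code from the PSPKI project or from either poster) of the approach the answer describes: reference PKI.Core.dll from the web project (it must end up in the site's bin folder) and call the X509CertificateRequest class directly from C# instead of going through the PowerShell module. The constructor and the members used (RequestType, SubjectName, PublicKey, Extensions, SignatureIsValid) are taken from the linked class documentation and are assumptions here; the PEM unwrapping is plain .NET so that the page can accept either a DER or a base64-armored request.

```csharp
using System;
using System.IO;
using System.Text;
using System.Security.Cryptography.X509CertificateRequests;   // PKI.Core.dll, referenced by the web project

public static class RequestInspector
{
    // Accepts DER or PEM input; PEM is unwrapped to DER before handing it to the library.
    public static byte[] ToDer(byte[] raw)
    {
        string text = Encoding.ASCII.GetString(raw);
        if (!text.StartsWith("-----BEGIN")) return raw;            // binary DER: pass through
        var b64 = new StringBuilder();
        foreach (string line in text.Split('\n'))
        {
            string l = line.Trim();
            if (l.Length == 0 || l.StartsWith("-----")) continue;  // drop BEGIN/END armor lines
            b64.Append(l);
        }
        return Convert.FromBase64String(b64.ToString());
    }

    // Called from a code-behind, e.g. after a file upload: Describe(uploadedFile.FileBytes).
    public static string Describe(byte[] requestBytes)
    {
        // Constructor and members below are assumed from the linked X509CertificateRequest docs.
        var req = new X509CertificateRequest(ToDer(requestBytes));
        var sb = new StringBuilder();
        sb.AppendLine("Type:       " + req.RequestType);            // PKCS10 or PKCS7 (renewal/enrollment wrapper)
        sb.AppendLine("Subject:    " + req.SubjectName.Name);
        sb.AppendLine("Key:        " + req.PublicKey.Oid.FriendlyName);
        sb.AppendLine("Extensions: " + req.Extensions.Count);
        // A request whose self-signature fails should not be forwarded to a CA.
        sb.AppendLine("Signature:  " + (req.SignatureIsValid ? "valid" : "INVALID"));
        return sb.ToString();
    }

    public static void Main(string[] args)
    {
        // Placeholder path; any PKCS#10 request file produced by certreq works here.
        Console.Write(Describe(File.ReadAllBytes(args.Length > 0 ? args[0] : "request.req")));
    }
}
```

The signature check is the one field worth acting on in a web front end: a request that does not verify under its own public key has been altered in transit or was never produced by the holder of that key.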

Updated Wiki: Roadmap


Project Roadmap

This page contains a roadmap for the PowerShell PKI module project. Roadmap items are listed in no particular order.

PowerShell

Underlying C# library (PKI.Core.dll)

ASN.1 type system

  • Move ASN.1 to a separate assembly. It shall be a standalone assembly to work with primitive ASN.1 types;
  • Create a separate class for each ASN.1 primitive type;
  • Possibly deprecate a bunch of static methods in favor of new classes. Or move them to a separate class;
  • Remove all unmanaged code from ASN.1 assembly;
  • Create ASN.1 tree generator;

Cryptography class extensions:

  • Replace unmanaged decoders for CRL, CTL with managed implementations;
  • Provide certificate request generation functions;
  • Provide Certificate Trust List generation functions;
  • Provide Certificate Revocation List generation functions;
  • Add certificate store-attached property support;

OCSP

  • Implement OCSPv2 (as per RFC 6960) client support;

New Post: Possible issue with Get-CertificationAuthority on remote CA

Hello

Sometimes when I run Get-CertificationAuthority it takes minutes to complete (other times it comes back more quickly).

When this happens I sometimes see the following:

IsAccessible false
RegistryOnly True
ServiceStatus Running

If I then logon to the remote CA and run the same command I see

IsAccessible true
RegistryOnly True
ServiceStatus Running

If I use the GUI admin tools (e.g. CertSrv) on the local CA and retarget the remote CA the remote CA responds in a timely fashion and I can see its certs etc.

So I am wondering what types of issues could be causing Get-CertificationAuthority to sometimes take minutes to return and to believe the remote CA is IsAccessible = false.

I assume it may be DCOM issues, or perhaps the DCOM method code used to get the CA status, e.g. IsAccessible.

Are there any registry settings I can change to make this communication faster/more reliable, or could the underlying method (I am assuming a COM/DCOM method) be a bit flaky against a CA on the other side of a WAN?

It looks like you have created your own types, and the type in question here is

PKI.CertificateServices.CertificateAuthority::GetCA("Name",$Name)

Any advice most welcome, as I need to connect to the remote CA to check various things.

Thanks again
Ernie

New Post: Possible issue with Get-CertificationAuthority on remote CA

Hello Again

I ran the same command, Get-CertificationAuthority, early this morning when the network is quiet, and it responded in a timely fashion and showed IsAccessible True.

Therefore I am wondering if the issue is that DCOM (assuming it is DCOM) is having issues when the WAN is busy, and whether I can do anything on my Windows servers (or within the PowerShell script) to make the underlying mechanisms used by Get-CertificationAuthority more reliable/responsive over a WAN.

Thank you
Ernie

New Post: Possible issue with Get-CertificationAuthority on remote CA

Yes, the code internally attempts to contact the CertSvc service over DCOM and, depending on network connectivity/speed/load, may consume some time. If the connection succeeds, then the IsAccessible property is set to True; otherwise (when the underlying connection times out) it is set to False. As a result, there is nothing you can do on your machines, as it is up to network connectivity and latency.
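An added example (not PSPKI code, and not the exact call the module makes) of the kind of probe behind IsAccessible, with the waiting time measured and bounded so that a slow WAN link shows up as a number rather than a mystery. It drives the CertAdmin COM class (ProgID "CertificateAuthority.Admin") by late binding and asks for the CA name (CR_PROP_CANAME, property id 6, string property type 4, values from the Windows SDK certadm.h), a read-only call that exercises the same DCOM path. The config string "host\CA name" is a placeholder.

```csharp
using System;
using System.Diagnostics;
using System.Reflection;
using System.Threading.Tasks;

public static class CaProbe
{
    const int CR_PROP_CANAME = 6;    // certadm.h: CA common name
    const int PROPTYPE_STRING = 4;   // certadm.h: string-typed property

    // Returns whether the CA answered within 'timeout', how long it took, and a detail line.
    public static (bool accessible, TimeSpan elapsed, string detail) Probe(string config, TimeSpan timeout)
    {
        var sw = Stopwatch.StartNew();
        Task<string> call = Task.Run(() =>
        {
            Type t = Type.GetTypeFromProgID("CertificateAuthority.Admin");
            if (t == null) throw new InvalidOperationException("CertAdmin COM class not registered; install the CA management tools");
            object admin = Activator.CreateInstance(t);
            // ICertAdmin2::GetCAProperty(strConfig, PropId, PropIndex, PropType, Flags)
            return (string)t.InvokeMember("GetCAProperty", BindingFlags.InvokeMethod, null, admin,
                new object[] { config, CR_PROP_CANAME, 0, PROPTYPE_STRING, 0 });
        });

        bool finished;
        try
        {
            // Note: a DCOM call cannot be cancelled; the timeout only bounds how long *we* wait,
            // the RPC itself keeps running until the transport gives up.
            finished = call.Wait(timeout);
        }
        catch (AggregateException ex)
        {
            sw.Stop();
            return (false, sw.Elapsed, ex.InnerException.Message);   // RPC/DCOM error, access denied, etc.
        }
        sw.Stop();
        if (!finished) return (false, sw.Elapsed, "timed out (DCOM call still pending)");
        return (true, sw.Elapsed, "CA name: " + call.Result);
    }

    public static void Main(string[] args)
    {
        string config = args.Length > 0 ? args[0] : @"ca01.example.test\Example Issuing CA";   // placeholder
        var r = Probe(config, TimeSpan.FromSeconds(30));
        Console.WriteLine("{0} after {1:F1}s: {2}", r.accessible ? "accessible" : "NOT accessible",
            r.elapsed.TotalSeconds, r.detail);
    }
}
```

Run it a few times across the day from the same host; if the elapsed time tracks WAN load while a probe from the CA's own LAN segment stays flat, the slowness is the link, not the CA service, which is the distinction the answer above draws.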

New Post: OCSPRequest throws exception when certificate's algorithm is MD5

MSCOMCTL.OCX

This file's counter-signer certificate has been signed with the MD5 algorithm, and when I try to call OCSPRequest, an exception occurs with the message "Issuer for the speified certificate not found."

I extracted the counter-signer's certificate (X509Certificate2) by referring to this link.
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// PKCS#9 counterSignature attribute OID (szOID_RSA_counterSign in wincrypt.h)
const string szOID_RSA_counterSign = "1.2.840.113549.1.9.6";
X509Certificate2 counterCertificate = null;

var signedCms = new SignedCms();
signedCms.Decode(vData);   // vData: raw PKCS#7 signature blob extracted from the file

foreach (var signerInfo in signedCms.SignerInfos)
{
    foreach (var unsignedAttribute in signerInfo.UnsignedAttributes)
    {
        if (unsignedAttribute.Oid.Value != szOID_RSA_counterSign) continue;
        foreach (var counterSignInfo in signerInfo.CounterSignerInfos)
        {
            counterCertificate = counterSignInfo.Certificate;   // Certificate of counter signer
        }
    }
}
I looked into the source code and found that CertID::m_initialize(X509Certificate2 cert) in PKI.OCSP.CertID.cs assumes that the algorithm is always SHA1. I think this causes the exception, but I'm not sure.

I used the current version of the module (3.1.0), and the version of the source code I looked into is 3.1.0, too.

What should I do?

New Post: OCSPRequest throws exception when certificate's algorithm is MD5

The error is raised because the issuer certificate for the signer certificate is not found. The CertID structure requires some extra information that exists only in the issuer certificate. Internally, the CertID constructor attempts to build a certificate chain to find the issuer certificate and collect the required data.

As a workaround, you need to install the issuer certificate into the Intermediate CAs container in the certificate store.

Created Unassigned: CRL revocation check bug [85]

Hi,

I tested the certificate at https://revoked.grc.com and https://test-sspev.verisign.com:2443/test-SSPEV-revoked-verisign.html to see if they were revoked (they should be) in their CRL revocation lists like this:

byte[] crlRawData = File.ReadAllBytes(...);
X509Certificate2 cert = new X509Certificate2(File.ReadAllBytes(...));

X509CRL2 crl = new X509CRL2(crlRawData);
X509CRLEntry bla = crl.RevokedCertificates[cert.SerialNumber];

However, bla == null, so they are reported as NOT revoked.

I took a look inside X509CRL2.cs in the get_revokedcertificates() method, and it seems rawBytes contains the information in the wrong endianness.

I edited the code to be like this:
Byte[] rawBytes = new Byte[CRLEntry.SerialNumber.cbData];
Marshal.Copy(CRLEntry.SerialNumber.pbData, rawBytes, 0, rawBytes.Length);

//This is new
rawBytes = rawBytes.Reverse().ToArray();

String serialNumberStr = rawBytes.Aggregate("", (current, b) => current + b.ToString("x2"));

And now the serial number is correct and the two certificates are reported as revoked.
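An added example (not PSPKI code) isolating the byte-order mismatch the report describes. CryptoAPI returns a CRL entry's serial number as a CRYPT_INTEGER_BLOB, which stores the integer little-endian, while X509Certificate2.SerialNumber is the big-endian hex string shown by certificate viewers; comparing the two without reversing one side yields a false "not revoked", which is the dangerous direction for a revocation check to fail in. The helper also normalizes case and a leading 0x00 byte (a DER INTEGER may carry one to stay positive) so the lookup does not depend on either. The sample blob is constructed.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class SerialNumbers
{
    // Little-endian CryptoAPI blob -> canonical big-endian hex, the form .SerialNumber uses.
    public static string FromLittleEndian(byte[] blob)
    {
        return BitConverter.ToString(blob.Reverse().ToArray()).Replace("-", "");
    }

    // Canonical key for comparisons: upper-case, no separators, leading zero bytes dropped
    // (the same integer may be encoded with or without a leading 0x00).
    public static string Normalize(string hex)
    {
        string s = hex.Replace(" ", "").Replace(":", "").ToUpperInvariant();
        while (s.Length > 2 && s.StartsWith("00")) s = s.Substring(2);
        return s;
    }

    // The check the CRL lookup needs: CRL entry (as CryptoAPI hands it back) vs. a certificate.
    public static bool SameSerial(byte[] crlEntryLittleEndian, X509Certificate2 cert)
    {
        return Normalize(FromLittleEndian(crlEntryLittleEndian)) == Normalize(cert.SerialNumber);
    }

    public static void Main()
    {
        // Constructed: certificate serial 0x01A2B3C4 as CryptoAPI would return it (little-endian).
        byte[] blob = { 0xC4, 0xB3, 0xA2, 0x01 };
        string naive = BitConverter.ToString(blob).Replace("-", "");   // what the unpatched code produced
        string fixedHex = FromLittleEndian(blob);
        Console.WriteLine("naive:    " + naive);      // C4B3A201 -> never matches the certificate
        Console.WriteLine("reversed: " + fixedHex);   // 01A2B3C4 -> matches cert.SerialNumber
        Console.WriteLine("equal:    " + (Normalize(naive) == Normalize(fixedHex)));   // False

        // The same two conventions exist on the certificate side: GetSerialNumber() is little-endian,
        // SerialNumber is the big-endian string, so the pair below always agrees.
        // var cert = new X509Certificate2("leaf.cer");   // placeholder path
        // Console.WriteLine(FromLittleEndian(cert.GetSerialNumber()) == cert.SerialNumber.ToUpperInvariant());
    }
}
```

A useful regression test for any CRL parser is a revoked certificate whose serial is not a palindrome in bytes: with the reversal missing, such a certificate passes as valid, and nothing else in the code path raises an error.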

New Post: OCSPRequest throws exception when certificate's algorithm is MD5

OK, I installed the issuer certificate and the request instance was created successfully.

But now I'm receiving an unsatisfactory response. I got the following HttpHeaders, and ResponseStatus is "Unauthorized". The remaining properties are filled with default values like "false" or "null", etc.
response      {PKI.OCSP.OCSPResponse}   PKI.OCSP.OCSPResponse
  HttpHeaders {content-transfer-encoding: binary
               Proxy-Connection: keep-alive
               Accept-Ranges: none
               Content-Length: 5
               Content-Type: application/ocsp-response
               Date: Mon, 17 Aug 2015 05:34:54 GMT
               Server: nginx/1.4.7
              }   System.Net.WebHeaderCollection
Was my request delivered without mistakes? My code was like below.
try
{
    OCSPRequest request = new OCSPRequest(_mainCert, new Uri(url));
    OCSPResponse response = request.SendRequest();
    switch (response.Responses[0].CertStatus)
    {
        case CertificateStatus.Good:
            AddCertNote("Available.");
            return true;
        case CertificateStatus.Revoked:
            AddCertNote("Not available.");
            break;
    }
}
catch (System.Exception ex)
{
    // Empty catch: every failure (network error, non-successful ResponseStatus with an
    // empty Responses collection, parse error) is silently swallowed here.
}
Thank you for your help, @Camelot.

New Post: OCSPRequest throws exception when certificate's algorithm is MD5

An Unauthorized response status means that this OCSP server is not authoritative for this particular issuer and has no information about the revocation status.

Commented Unassigned: CRL revocation check bug [85]

Comments: I'll take a look into this.

New Post: OCSPRequest throws exception when certificate's algorithm is MD5

That's strange. I checked its Authority Info Access, which points to "http://ocsp.sign.com", and made a new OCSPRequest with the X509Certificate2 and the URI.
Would you mind if I ask you to make an OCSPRequest with the counter-signer's certificate from the file (MSCOMCTL.OCX)? I think I missed something...

Created Unassigned: Get-EnterprisePKIHealthStatus Error [86]

When I run Get-Ca | Get-EnterprisePKIHealthStatus -Debug -Verbose I receive the attached error. I'm running this command from an elevated PowerShell session on Windows 8.1 Enterprise. My PKI consists of an offline root CA and an enterprise sub-CA.

New Post: OCSPRequest throws exception when certificate's algorithm is MD5

I checked AIA extension of signing and counter-signer certificates in the MSCOMCTL.OCX file signature. Neither certificate contains OCSP URLs. Where did you get it?

New Post: Import-Module pspki take long time as system account

Hi,
if I import the pspki module as the SYSTEM account, it takes over a minute. I can reproduce that on Server 2012 R2. As a user it works fine in a few seconds. Any idea? With "procmon" you can see that PowerShell constantly reads some registry keys the whole time. In the event log I can't find anything. Do you know a way to debug the Import-Module process?

Thanks
Paul

New Post: Import-Module pspki take long time as system account

I think the delay is caused by the script signature validation process.

New Post: Import-Module pspki take long time as system account

Hi Camelot,
do you know how to disable that?

New Post: Import-Module pspki take long time as system account

No, it is impossible to disable the digital signature validation procedure.

New Post: Import-Module pspki take long time as system account

What can I do to speed up that process? As a user it is no problem. On a Server 2008 R2 it is also no problem as the SYSTEM account. Any idea?
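An added example (not PSPKI code) for narrowing down the delay the thread attributes to signature validation. Validating an Authenticode signature means building a chain for the signing certificate, and the part of that which depends on the account and the network is revocation checking (the SYSTEM account has its own proxy settings and its own CRL cache, separate from the interactive user's). The code times the chain build for a module file's signer twice, once without revocation checking and once online; if only the online figure is large, the minute is being spent on CRL/OCSP retrieval, which tells you where to look next (proxy configuration for the SYSTEM account, reachability of the CRL URLs in the signer's chain). The module file path is a placeholder; X509Certificate2.CreateFromSignedFile is Windows-only.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;

public static class SignerTiming
{
    // Builds the signer's chain under the given revocation mode and returns how long it took.
    public static TimeSpan TimeChainBuild(string signedFile, X509RevocationMode mode)
    {
        X509Certificate2 signer = X509Certificate2.CreateFromSignedFile(signedFile);   // Authenticode signer
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = mode;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);   // per-URL cap, so a dead CRL host is visible as ~15s
            var sw = Stopwatch.StartNew();
            bool ok = chain.Build(signer);
            sw.Stop();
            Console.WriteLine("{0,-8} valid={1} signer='{2}'", mode, ok, signer.Subject);
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("         status: {0} ({1})", s.Status, s.StatusInformation.Trim());
            return sw.Elapsed;
        }
    }

    public static void Main(string[] args)
    {
        // Placeholder: point at one of the module's signed script files, e.g. its .psm1.
        string file = args.Length > 0 ? args[0] : @"C:\Program Files\WindowsPowerShell\Modules\PSPKI\PSPKI.psm1";
        TimeSpan offline = TimeChainBuild(file, X509RevocationMode.NoCheck);
        TimeSpan online  = TimeChainBuild(file, X509RevocationMode.Online);
        Console.WriteLine("chain build without revocation: {0:F2}s", offline.TotalSeconds);
        Console.WriteLine("chain build with online revocation: {0:F2}s", online.TotalSeconds);
    }
}
```

Run it under the account that shows the slowness (a scheduled task as SYSTEM reproduces the poster's case) and under the interactive user; the two runs of the online figure, compared side by side, separate a per-account network problem from a module problem without touching any signature-validation setting.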