Hello S-1-1-0!

Recently I noticed that PowerShell in Windows Server 2012 R2 ships two new cmdlets: Backup-CARoleService and Restore-CARoleService which are used to backup and restore CA database and CA keys. Today I want to talk about CryptoAPI functions utilization to backup CA database in PowerShell.

Backup step-by-step guide

Although, backup process isn’t looking very complex, however CryptoAPI implements a number of detailed (low-level) functions which must be called in a certain sequence. Here is a copy of the article that explains the correct sequence:

In this post I will discuss about non-standard string comparison in Certification Authority database queries. This post will focus on my PowerShell PKI module and queries in the CA database. The module contains the following commands that support CA database queries:

• Get-FailedRequest
• Get-IssuedRequest
• Get-PendingRequest
• Get-RevokedRequest

Request filters support the following comparison (seek) operators:

Hello S-1-1-0, Crypto Guy is on a failboat board again.

Sometimes it is useful to export a certificate template to a file for future use. For example:

• for custom certificate template backup;
• if you have multiple AD forests, you can transfer configured certificate templates between forests;
• share custom certificate template with partners;
• share certificate template when you are making a online learning session;
• etc..

Till Windows Server 2008 R2 release there was no supported way to export (or serialize) certificate template and move it out of band between two forests. With Windows Server 2008 R2 there was the only publically described way to transfer templates between two forests: AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2. This whitepaper includes a PKISync.ps1 script (the script was written by a man who first time faced PowerShell, he-he) which copies certificate templates along other AD data between two forests. The downside of this approach is that it requires a two-way trust between forests and performs data transfer online.

Recently I wrote a sample function which allows security administrators to dump trusted root certificates from Microsoft web site.

Microsoft maintains a number of predefined trusted root CAs which are members of Microsoft Root Certificate Program. Here are several useful links on TechNet wiki:

• Introduction to The Microsoft Root Certificate-Program
• Microsoft Root Certificate Program
• Windows Root Certificate Program Members
• Windows Root Certificate Program

In addition, update mechanism is described here: KB931125.

Generally speaking, Microsoft maintains a special certificate trust list (CTL) which is located here. This CTL contains hashes and extended properties for each member of the root certificate program. Also, each certificate is downloadable at:

Hello S-1-1-0!

In previous post I posted about new PowerShell PKI module release and notable enhancements. Today I’ll talk about less notable and obvious, but useful enhancements.

PKCS#10 certificate request support

I made a support for X.509 certificate requests formed in a PKCS#10 format. The only (currently) class is X509CertificateRequest class which is developed in a similar manner as X509Certificate2. Let’s take a spherical horse in a vacuum sample certificate request which was generated by using certreq.exe tool: