Posts on this page:

Hi S-1-1-0! Today I've released a new version of my PowerShell PKI module.

New commands

Unlike previous versions, this version does not introduce any new commands.

Existing code changes

Instead, I took the time to make the module more consistent. As part of this work I revisited all help topics; all help content is now more accurate and consistent. I have also added examples (where I considered them important) and clarified existing sections.

After discussions with the Windows PKI team, I had to change a few things in Add-ExtensionList and Remove-ExtensionList. The CAExtension and UserExtension parameters were renamed to EnabledExtension and OfflineExtension respectively. Parameter descriptions can be found in the built-in and online help topics. ExtensionList object properties were renamed accordingly to keep them consistent with the parameters.


Read more →

Hello crypto world! One of my colleagues asked me how to get the certificate purposes property. Here is a little intro.

Certificate purposes are (mainly) limited by the Enhanced Key Usage extension:

image

That is true, but in certain cases it is reasonable to limit certificate purposes to a subset of those allowed in the EKU extension. For example, many CAs are allowed for any purpose (All Application Policies), and you can restrict a CA's purposes to a smaller set:


Read more →

Today I will discuss how to register a custom object identifier on a local computer. Why would you need this? The .NET Oid class can resolve many common object identifiers to their friendly names and vice versa. However, not all OIDs are registered there. For example, the RDS (Remote Desktop Services, formerly Terminal Services) team introduced a special enhanced key usage OID for RDP-SSL, with OID=1.3.6.1.4.1.311.54.1.2:

image

If you have an Active Directory domain and at least one Enterprise CA, you can define this OID in Active Directory (by editing a certificate template). But what if you don't have Active Directory or an internal Enterprise CA? Then PowerShell and CryptoAPI are the answer!


Read more →

In the previous post we talked about digital signatures and how we can verify them in PowerShell (RSA signatures). I promised to continue this dive into the unmanaged stuff.

As we already discussed, CryptoAPI has an unmanaged structure, CERT_SIGNED_CONTENT_INFO, which represents signed info, including the actual data to be signed, the algorithm identifier and the signature value. To deal with this structure we need to use encoders and decoders. In the decoding process an ASN.1-encoded raw byte array is converted to a structure, and in the encoding process a structure is converted to an ASN.1-encoded byte array. CryptoAPI contains 2 (actually 4) functions for ASN.1 encoding/decoding:


Read more →

Hi folks!

A while ago I wrote a high-level description of signatures in the Digital signatures blog post. Today I want to demonstrate how this works in the real world.

In the real world there are many signature types, including plain RSA signatures, Authenticode, XML, and document-specific signatures (MS Word, Adobe PDF, etc.). The simplest signature type is the plain RSA signature. This type of signature is widely used in PKI (certificates, CRLs, signed BLOBs and so on). In ASN.1 modules (as well as in unmanaged structures), a signed BLOB is written like this:


Read more →