Posts on this page:

From time to time I need to resolve an Object Identifier (OID) to its human-readable friendly name, or to get the OID when only its friendly name is known. A lot of OIDs are used in Internet PKI, and in addition there may be custom OIDs that are defined (registered) within a particular Active Directory forest. I can't remember all of these OIDs and need a way to translate (or resolve) them. There are some online resources that provide a search in the OID tree. My favorite resource is: OID assignments from the top node. You can explore each subtree and learn a bit more about OID structure. However, these resources don't provide a flexible way to automate this search. For example, I have OID = 1.3.6.1.5.5.7.3.1, but I don't know its friendly name. I can manually search for this OID in such repositories and get the following output: id_kp_serverAuth. And if I need the OID for OCSP Signing, the task is harder. Fortunately there is a way to perform this translation in both directions: OID <—> Friendly Name.
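As an added example (not code from the original post), the following PowerShell performs the translation in both directions with the .NET `System.Security.Cryptography.Oid` class, which reads the same CryptoAPI OID table that `certutil -oid` consults, and optionally falls back to the forest's `CN=OID,CN=Public Key Services` container for OIDs that are registered only in Active Directory (V2+ certificate template and issuance policy OIDs). The function names are illustrative, the `Contoso Web Server` template name is hypothetical, and the AD lookup assumes a domain-joined machine.

```powershell
# Added example, not from the original post: OID <-> friendly name in both directions,
# with an optional Active Directory fallback for forest-registered OIDs.

function Get-AdRegisteredOid {
    # Finds an msPKI-Enterprise-Oid object under CN=OID,CN=Public Key Services by OID or display name.
    param([string]$Oid, [string]$DisplayName)
    if ($Oid) {
        # Digits and dots only: the value is embedded in an LDAP filter and must carry no filter syntax.
        if ($Oid -notmatch '^\d+(\.\d+)+$') { throw "'$Oid' is not a dotted OID." }
        $filter = "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$Oid))"
    } else {
        # Escape LDAP filter metacharacters (RFC 4515) before embedding free text; backslash first.
        $escaped = $DisplayName -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
        $filter = "(&(objectClass=msPKI-Enterprise-Oid)(displayName=$escaped))"
    }
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.Properties['configurationNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=OID,CN=Public Key Services,CN=Services,$configNC"
    $searcher.Filter = $filter
    $searcher.PropertiesToLoad.AddRange([string[]]@('displayName','msPKI-Cert-Template-OID'))
    $hit = $searcher.FindOne()
    if (-not $hit) { return }
    $value = $null; $name = $null
    if ($hit.Properties['mspki-cert-template-oid'].Count -gt 0) { $value = [string]$hit.Properties['mspki-cert-template-oid'][0] }
    if ($hit.Properties['displayname'].Count -gt 0)             { $name  = [string]$hit.Properties['displayname'][0] }
    New-Object PSObject -Property @{ Value = $value; FriendlyName = $name; Source = 'ActiveDirectory' }
}

function Resolve-Oid {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [string[]]$InputObject,
        [switch]$SearchActiveDirectory   # also query the forest's OID container on a CryptoAPI miss
    )
    process {
        foreach ($item in $InputObject) {
            # The Oid(string) constructor accepts either a dotted OID or a friendly name and fills in the
            # other property from the local CryptoAPI OID table. For an unknown input it returns
            # Value = <input> and FriendlyName = $null, which is how a miss is detected below.
            $oid      = New-Object System.Security.Cryptography.Oid $item
            $isDotted = $item -match '^\d+(\.\d+)+$'
            if ($oid.FriendlyName) {
                New-Object PSObject -Property @{ Value = $oid.Value; FriendlyName = $oid.FriendlyName; Source = 'CryptoAPI' }
                continue
            }
            $adHit = $null
            if ($SearchActiveDirectory) {
                $adHit = if ($isDotted) { Get-AdRegisteredOid -Oid $item } else { Get-AdRegisteredOid -DisplayName $item }
            }
            if ($adHit) { $adHit; continue }
            # Unknown to CryptoAPI (and to AD, if searched): report which side we have and leave the other empty.
            New-Object PSObject -Property @{
                Value        = $(if ($isDotted) { $item } else { $null })
                FriendlyName = $(if ($isDotted) { $null } else { $item })
                Source       = $null
            }
        }
    }
}

# Usage. The first two resolve from the local CryptoAPI table ("Server Authentication" and
# 1.3.6.1.5.5.7.3.9); the third is a hypothetical custom template known only to the forest.
'1.3.6.1.5.5.7.3.1', 'OCSP Signing' | Resolve-Oid | Format-Table Value, FriendlyName, Source -AutoSize
Resolve-Oid -InputObject 'Contoso Web Server' -SearchActiveDirectory
```

Note that the friendly name you get depends on the table you consult: CryptoAPI calls 1.3.6.1.5.5.7.3.1 "Server Authentication", while the online OID repository reports the ASN.1 module identifier id-kp-serverAuth, so names from one source cannot be fed back into the other. The OID value you embed in an LDAP filter must be validated as digits and dots first, since anything else would let filter syntax through.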


Read more →

Surprise, it's me again! Today I finished a network share management module for PowerShell. I want to thank Shay Levy, who helped me with the module-related stuff.

With this module you will be able to:

  • List a share (or shares) from the local computer or from remote computers;
  • Create a new share with various settings;
  • Remove a share (this stops sharing the folder; the folder itself is not deleted);
  • Add/Set/Remove share permissions (note that share permissions and NTFS rights are not the same: effective remote access is limited by whichever of the two is more restrictive).

Here are the module installation instructions:


Read more →

This is a new cmdlet in Exchange Server 2010 SP1. The cmdlet has a FileData parameter that accepts the certificate's raw data in DER-encoded form (a byte array). However, you will run into a problem when your certificate file is Base64-encoded. This is not an issue for PFX files, because PKCS#12 files are only ever written in binary form, but the other certificate file types (CER/PKCS#7/SST) can be saved either as binary DER or as Base64 text. If you have a certificate file encoded in Base64, you will get an error. Let's see why. Here is an example of a Base64-encoded certificate:


Read more →
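As an added example that is not part of the original post, the following PowerShell shows why a Base64 file fails and how to normalise it: the bytes read from a Base64 file are the ASCII text of the encoding, not the certificate, so a DER-only consumer such as a FileData-style byte-array parameter cannot parse them. The helper detects a printable-ASCII-only file, strips any `-----BEGIN/END-----` armor and decodes it, and returns binary input unchanged. The function names are illustrative; the demonstration exports a certificate from the current user's Root store so it runs without any file on disk.

```powershell
# Added example, not from the original post: normalise a certificate file's bytes to DER.

function Test-IsTextBytes {
    # $true when every byte is printable ASCII or whitespace, i.e. the file is Base64 text.
    # Binary CER/P7B/PFX files begin with an ASN.1 SEQUENCE tag (0x30) and SST files have their
    # own header; all of them contain bytes outside this range within the first few bytes.
    param([Parameter(Mandatory=$true)][byte[]]$Bytes)
    foreach ($b in $Bytes) {
        if ($b -ge 0x20 -and $b -le 0x7E) { continue }
        if ($b -eq 0x09 -or $b -eq 0x0A -or $b -eq 0x0D) { continue }
        return $false
    }
    return $true
}

function ConvertTo-DerBytes {
    # Returns the DER bytes for either a binary or a Base64-encoded certificate file.
    param([Parameter(Mandatory=$true)][byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { throw 'Input is empty.' }
    # Strip a UTF-8 byte order mark that some editors prepend to text files.
    if ($Bytes.Length -ge 3 -and $Bytes[0] -eq 0xEF -and $Bytes[1] -eq 0xBB -and $Bytes[2] -eq 0xBF) {
        $Bytes = $Bytes[3..($Bytes.Length - 1)]
    }
    if (-not (Test-IsTextBytes -Bytes $Bytes)) { return $Bytes }   # already binary: pass through

    # Base64 text: drop the armor lines certutil -encode writes, then all whitespace, then decode.
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes)
    $body = ($text -split "`r?`n" | Where-Object { $_ -notmatch '^-----(BEGIN|END) ' }) -join ''
    $body = $body -replace '\s', ''
    try   { return [Convert]::FromBase64String($body) }
    catch { throw 'Input is text but not valid Base64.' }
}

# Demonstration with a real certificate from the current user's Root store (any will do).
$cert = Get-ChildItem Cert:\CurrentUser\Root | Select-Object -First 1
$der  = $cert.Export('Cert')                          # DER bytes, as stored in a binary .cer file
$pem  = "-----BEGIN CERTIFICATE-----`r`n" +
        [Convert]::ToBase64String($der, 'InsertLineBreaks') +
        "`r`n-----END CERTIFICATE-----`r`n"
$pemBytes = [System.Text.Encoding]::ASCII.GetBytes($pem)  # what reading a Base64 .cer file as bytes yields

# Real files are read with [System.IO.File]::ReadAllBytes($path) and passed the same way.
$fixed = ConvertTo-DerBytes -Bytes $pemBytes
"Base64 input starts with 0x{0:X2} ('-'), not the DER SEQUENCE tag 0x30" -f $pemBytes[0]
"Binary input passed through unchanged: " + ([Convert]::ToBase64String((ConvertTo-DerBytes -Bytes $der)) -eq [Convert]::ToBase64String($der))
"Base64 input decoded to the same DER:   " + ([Convert]::ToBase64String($fixed) -eq [Convert]::ToBase64String($der))
```

The `X509Certificate2` constructor happens to accept both encodings, which is why the problem only shows up with consumers that insist on DER; converting once on the way in makes the call site independent of how the file was exported.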

Recently someone asked how to remove unused certificate stores. Neither the GUI nor .NET (the X509Store class) provides this functionality, so you have to use other means. The new Quest AD PKI cmdlets add some features for certificate stores:

  • Review certificate stores
Get-QADLocalCertificateStore -StoreLocation CurrentUser
Get-QADLocalCertificateStore -StoreLocation LocalMachine

These commands can be used to explore the certificate containers available in the CurrentUser and LocalMachine store locations. In addition, they can retrieve certificates from local stores, as shown:


Read more →
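Independently of the Quest module, and as an added example that is not code from the original post, here is how to do the two things the question needs without third-party cmdlets: enumerate the stores registered for a location (they live as registry subkeys under SystemCertificates) and remove an empty custom store through CryptoAPI, since store deletion is exactly what `X509Store` and certmgr.msc leave out. The removal calls the Win32 function `CertUnregisterSystemStore` via P/Invoke. The function names and the `OldTestStore` name are illustrative; removing a LocalMachine store needs an elevated session.

```powershell
# Added example, not from the original post: list registered certificate stores and remove
# an empty custom store with CryptoAPI's CertUnregisterSystemStore.

Add-Type -Namespace Win32 -Name Crypt32 -MemberDefinition @'
[DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CertUnregisterSystemStore(string pvSystemStore, uint dwFlags);
'@

$StoreLocationFlag = @{
    CurrentUser  = 0x00010000   # CERT_SYSTEM_STORE_CURRENT_USER
    LocalMachine = 0x00020000   # CERT_SYSTEM_STORE_LOCAL_MACHINE
}
$CERT_STORE_DELETE_FLAG = 0x00000010  # delete the store, not just drop it from the enumeration

# Stores Windows creates and relies on; never remove these even when they are empty.
# The list is not exhaustive: compare it with the output of Get-LocalCertificateStore on your build.
$BuiltInStores = 'My','Root','CA','Trust','Disallowed','TrustedPeople','TrustedPublisher','AuthRoot',
                 'AddressBook','UserDS','SmartCardRoot','Remote Desktop','REQUEST','ACRS',
                 'ClientAuthIssuer','TrustedDevices','Windows Live ID Token Issuer','FlightRoot'

function Get-LocalCertificateStore {
    param([ValidateSet('CurrentUser','LocalMachine')][string]$StoreLocation = 'CurrentUser')
    $hive = if ($StoreLocation -eq 'CurrentUser') { 'HKCU:' } else { 'HKLM:' }
    Get-ChildItem "$hive\Software\Microsoft\SystemCertificates" | ForEach-Object {
        $name  = $_.PSChildName
        $count = $null
        # Open read-only and only if it exists, so the call never creates a store as a side effect.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $name, $StoreLocation
        try   { $store.Open('ReadOnly, OpenExistingOnly'); $count = $store.Certificates.Count }
        catch { $count = $null }   # registry key that is not openable as a store
        finally { $store.Close() }
        New-Object PSObject -Property @{
            StoreLocation    = $StoreLocation
            Name             = $name
            CertificateCount = $count
            BuiltIn          = ($BuiltInStores -contains $name)
        }
    }
}

function Remove-LocalCertificateStore {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [ValidateSet('CurrentUser','LocalMachine')][string]$StoreLocation = 'CurrentUser',
        [switch]$Force   # required to remove a store that still holds certificates
    )
    if ($BuiltInStores -contains $Name) { throw "Refusing to remove built-in store '$Name'." }
    $info = Get-LocalCertificateStore -StoreLocation $StoreLocation | Where-Object { $_.Name -eq $Name }
    if (-not $info) { throw "Store '$Name' is not registered in $StoreLocation." }
    if ($info.CertificateCount -gt 0 -and -not $Force) {
        throw "Store '$Name' still contains $($info.CertificateCount) certificate(s); use -Force to remove it anyway."
    }
    $flags = [uint32]($StoreLocationFlag[$StoreLocation] -bor $CERT_STORE_DELETE_FLAG)
    if (-not [Win32.Crypt32]::CertUnregisterSystemStore($Name, $flags)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "CertUnregisterSystemStore('$Name') failed with Win32 error $err."
    }
    "Removed store '$Name' from $StoreLocation."
}

# Usage: review first, then remove a leftover custom store (hypothetical name).
Get-LocalCertificateStore -StoreLocation CurrentUser | Sort-Object Name | Format-Table Name, CertificateCount, BuiltIn -AutoSize
Remove-LocalCertificateStore -Name 'OldTestStore' -StoreLocation CurrentUser
```

The two guards are the point of wrapping the API: the built-in list keeps you from unregistering a store Windows depends on, and the certificate count forces an explicit `-Force` before anything that still holds certificates is removed.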

Many systems administrators ask about dealing with CRLs (Certificate Revocation Lists) in Windows PowerShell. Until recently the answer was that PowerShell can't natively work with CRLs, because there is no managed API for them (neither in .NET nor in the CryptoAPI COM interfaces), so there was nothing to wrap into PowerShell. There is a third-party library in Mono (the open-source .NET implementation), but it only adds an API and nothing else. For a more complete PowerShell solution we need cmdlets. Fortunately, Quest Software was the first to develop cmdlets for PKI management. You can download them from: http://www.quest.com/powershell/activeroles-server.aspx.

Currently there are cmdlets for client-side certificate/CRL management only. You may ask: we have the great certutil.exe, so why search for a native PowerShell solution? Yes, certutil.exe is a great command-line utility, but when we want to automate certain tasks we have to parse its rather complex output. With PowerShell we can simplify this job dramatically by working with well-known objects.


Read more →