Today I want to present some more useful CryptoAPI functions to use when working with PFX (PKCS#12) certificates.

  1. Determine if the BLOB is PFX without having to pass a password;
  2. Test PFX password.

Of course, you can try to use the appropriate X509Certificate2 class constructor, but this approach is faster and does not require importing the key into a cryptographic provider or the other actions performed by the X509Certificate2 constructor. This functionality is implemented in two CryptoAPI functions:

  1. PFXIsPFXBlob
  2. PFXVerifyPassword

And here is the complete solution:


Read more →

Point Of Interest

Yesterday I asked on Twitter who could convert a byte array to a formatted hex string in PowerShell in 5 minutes. I got one solution with a reference to the Format-Hex function. Then I asked the opposite question: can you convert a formatted hex dump with address and ASCII panes back to a byte array in PowerShell in 5 minutes? I didn't get any response.

This subject is interesting and sometimes necessary. Due to my specialization (cryptography), I have to deal with these formats often. And not only hex, but Base64 with and without headers as well.

Common formatting examples

To make the subject clear, I provide some formatted examples:


Read more →

Yesterday I released another version of the PowerShell PKI module, v3.1.

This release is not as big as v3.0, though. Only 1 (one!) new command is added (Get-EnterprisePKIHealthStatus), along with various bug fixes (as usual). On the other hand, it includes very important things which are hidden behind the scenes.

The project is growing and I have to battle hard with poor design decisions I made previously. Of course, I could break everything and make it as per all guidelines. However, it is too late: 3000 downloads in the past 7 months is no joke and I can't simply break it.

The next sections will cover some development details, so you can scroll down to the end of the post to get the right link :)


Read more →

Hello again!

The problem

Recently I had a dialog with Mark B. Cooper when he reported a weird issue with the Install-ADCSCertificationAuthority cmdlet. To repro this issue, prepare a new server without any network adapter (even without a loopback adapter) and run the Install-AdcsCertificationAuthority cmdlet without parameters (implies default settings) and you will get:

PS C:\Users\Administrator> Install-AdcsCertificationAuthority

Confirm
Are you sure you want to perform this action?
Performing the operation "Install-AdcsCertificationAuthority" on target "WIN-F6MCGE586LQ".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
Install-AdcsCertificationAuthority : Active Directory Certificate Services setup failed with the following error:  The
network location cannot be reached. For information about network troubleshooting, see Windows Help. 0x800704cf
(WIN32: 1231 ERROR_NETWORK_UNREACHABLE)
At line:1 char:1
+ Install-AdcsCertificationAuthority
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Install-AdcsCertificationAuthority], CertificationAuthoritySetupE
   xception
    + FullyQualifiedErrorId : Install,Microsoft.CertificateServices.Deployment.Commands.CA.InstallADCSCertificationAut
   hority

PS C:\Users\Administrator>

Read more →

Hello again, PowerShell CryptoGuy is back!

I was impressed by how much feedback I received on my proof of concept version of the Enterprise PKI health verifier: Enterprise PKI (pkiview.msc) PowerShell Edition (PoC). I carefully reviewed each piece of feedback and implemented almost all requests.


Read more →