A time ago, Windows PKI team posted an article about a tool that allows you to check web server SSL certificate: Verifying The SSL Certificate Expiration with a tool. Unfortunately, the download link is broken. I have this tool and uploaded it to my weblog: VerifySSLCertificate.

• ZIP archive SHA1 hash: C633A3DC3E8A3AA6BDD714EABB925429076A160A
• Executable SHA1 hash: A13CE031F5C1331785E87B62D1464C6260549EC0

The tool is very good, but what if you want to run the test against a bulk of servers? Any sort of automation and batching means some PowerShell stuff :). To provide administrators with such tool I wrote a PowerShell script, where you can test web server SSL certificate and it's status. You can export required fields to XML or CSV for future examination/audit. Let's go:

Hi there! PowerShell Crypto Guy is again here!

Today I've finished SetupCA.ps1 script testing and I'm ready to share it with you. Of course this is not the first attempt to install CA role from cmdline, there is already SetupCA.vbs script written by Windows PKI team. To be honest, this is not the first PowerShell script for CA installation from cmdline. The first attempt was made by Hasain Alshakarti — http://secadmins.com/?dl_id=3. However this script just illustrates basic API functionality with ability to specify CA name, CA certificate validity and CA type. There is no error handling at all, even whether the CA can be installed on the computer.

Hello, PowerShell Crypto Guy is here again. A time ago I went through one article: http://www.solution-soft.com/whitepapers/Hyper-V/TimeMachine_Hyper-V_guide.htm which is pretty interesting. However it complains that a related TechNet article Configuring Certificates for Virtual Machine Connection won't work due of the following limitations:

• PowerShell or DOS cannot seem to create a Qword value.
• The VMMS service requires two critical certificates Extension Fields These are:
  Field= “Key Usage” Value = “Key Encipherment, Data Encipherment (30)”
  Field= “1.3.6.1.4.1.311.62.1.1.1 Value = “02 01 04"
  These fields are present in the local host certificates created locally by VMMS. As of the writing of this paper & working with Microsoft support we have been unable to create a certificate with these values using any other means.

Fortunately both statements are not correct:

Windows PKI team always knows how to make our live harder :). Yesterday Shay Levy pointed me to one interesting thread: http://www.powergui.org/thread.jspa?messageID=47514

Basic intro: this attribute is used by Credential Roaming Service. By default if user uses roaming profile, credentials (and personal certificates) don’t roam! This means that user can use the same profile on other computers, but will not able to use certificates (i.e. decrypt files, mails, sign documents and so on). Though if certificate autoenrollment is enabled, user will enroll new certificates. But they will remain on that computer only. The one possible way to work around this issue is to use smart cards. But this is quite expensive solution. With Credential Roaming Service all certificates will roam with user. However this is not pretty secure solution, because domain administrators will have an access to user private keys. However at certain point domain users must trust administrators, so this solution is enough for many scenarios with roaming profiles.

Continuing my previous post I want to discuss about certificate installation. As you know, certificate erollment generally consist of several steps:

• Certificate Request generation;
• Certificate Request submission to Certification Authority;
• Certificate Request response (certificate signed by CA) installation;

In previous post I have demonstrated how certificate request can be created using native PowerShell capabilities. While CA server cannot be contacted directly from managed client, you will have to manually transfer and submit certificate to Certification Authority.

When you create Certificate Request, it is placed in Certificate Enrollment Requests container (in Certificates snap-in). This request waits for signed certificate public part. When certificate public part is signed by external authority, signed certificate must be installed to local store. Installation process consist of two steps: