Posts on this page:

An updated version of the script is published in this blog post: How to convert PEM to PFX in PowerShell (revisited)

Hello again. Continuing the previous post: How to join certificate and private key to a PKCS#12(PFX) file I'll talk a bit more about certutil.exe and openssl.exe private key formats and it differences. Let's start:

  • OpenSSL is big-endian by a nature, Microsoft CryptoAPI — little-endian;
  • OpenSSL uses ASN.1 structures, but Microsoft CryptoAPI — unmanaged C++-like structures.

Here is a structure type definition for PKCS#1 private key structure:

RSAPrivateKey ::= SEQUENCE {
	version Version,
	modulus INTEGER, -- n
	publicExponent INTEGER, -- e
	privateExponent INTEGER, -- d
	prime1 INTEGER, -- p
	prime2 INTEGER, -- q
	exponent1 INTEGER, -- d mod (p-1)
	exponent2 INTEGER, -- d mod (q-1)
	coefficient INTEGER, -- (inverse of q) mod p
	otherPrimeInfos OtherPrimeInfos OPTIONAL

Read more →

Some time ago one guy asked me for a script that will do the following:

  1. Extracts all archived keys from CA database;
  2. decrypts these keys (by using key recovery agent certificate)
  3. saves decrypted keys in a PFX (PKCS#12) format;
  4. creates simple log files: one with serial numbers that were decrypted successfully and another were decryption process was unsuccessful.

This scenario is common when an organization decided to move to a new PKI with new CA database. However it is highly recommended to move archived private keys from old to a new CA server. This is because even if new PKI is used, there might be a lot of encrypted stuff (encrypted files or outlook mails). And if user looses his/her encryption private keys he/she still should have an access to encrypted content. As the result you should move archived keys to a new CA for key recovery purposes only.

Read more →

Update 15.03.2011: previous code sometime crashed due of StringBuilder buffer overflow. The code is updated to correctly size buffer.

I just wrote a little script that retrieves all CSPs (cryptographic service provider) that are registered on the system. It could be very useful when you are dealing with offline certificate requests via certreq.exe utility and other purposes. This script demonstrates some p/invoke techniques in Windows PowerShell. Code routine I got from corresponding CryptoAPI function MSDN pages: CryptEnumProviders and CryptEnumProviderTypes. Even though examples are in C++ it is not difficult to translate it to your .NET language (C#, PowerShell, etc). Here is a code:

Read more →

Time at time I need to resolve Object Identifier (OID) to human-readable friendly name or get an OID if its OID is known. There are a lot of OIDs that are used in Internet PKI. In addition there may be custom OIDs that are defined (registered) within certain Active Directory forest. I can't remember all these OIDs and need a way to translate (or resolve) them. Even there are some online resources that provide a search in the OID tree. My favorite resource is: OID assignments from the top node. You can explore each tree and learn a bit more about OID structure. However these resources don't provide flexible way to automate this search. For example, I have OID =, but I don't know this OID friendly name. We can manually search this OID at such libraries and get the following output: id_kp_serverAuth. And if I need to get OCSP Signing OID. This task is harder. Fortunately there is a way to perform this translation in both directions: OID <—> Friendly Name.

Read more →

If you're looking for Enrollment Web Pages (hereinafter EWP) installation (or removal) without GUI — you're in correct place. At first I need to answer, why it necessary to script EWP installation. This may be very useful for CA administrator assistants, for example. In general, CA administrator will have to write a long step-by-step guide to install certain role. But using scripts, CA administrator may tell: "Take the script, run it with the XYZ parameters and get PROFIT" or something like this. It is common to script all (as possible) routine operations in the case of disaster recovery and so on, because it takes less time and easy to document. Feel free to think if CA role can be installed from the script — this is possible. In next post I'll show PowerShell code that will do that. But now we'll talk about web enrollment.

As a start stage we need to find appropriate API and here it is: ICertSrvSetup. This CryptoAPI COM interface is the base interface for CA and/or EWP role installation. The following code will instantiate COM object:

Read more →