Posts on this page:
Hello folks, PowerShell Crypto Guy is again on the board! Today I want to talk about a useful OCSP Client Tool which is available in my PowerShell PKI module.
A time ago I started Online Responder deployment and was faced the problem that there are no good tools to test it's configuration and how it works. PKIView.msc and certutil.exe just can tell whether the OCSP is functional or not. No details about request and/or response details. After a little research I found pretty useful and nice tool called Ascertia OCSP Client Tool. Actually this is a great tool with a lot of powerful features, including raw ASN.1 traces and so on. I thought that it is worth to buy the tool and contacted their sellers. Holy ****, the price killed me. They asked about 1,800 (1.8k) euros for a single license! Even though the tool is very cool, I wasn't ready to spend such money for it. But, if you manage Lorne Greene or Johnny Cash, then Ascertia's product may be for you.
Today I'll describe some interesting features implemented in X509CRL2 class. This class is available within my PowerShell PKI module only (is not a part of .NET Framework).
A time ago a came into an issue with CRL copy to remote web server.
My internal CA publish CRLs to a local drive and custom script copies it to all required distribution points (internal and external web servers). And one day certificate validation failed due to Revocation Offline error. I've checked that CRL is correctly formed, is time valid and so on. But certificate chaining engine still reported mentioned error. Detailed investigation showed that unexpected network-level error occurred during file copy over internet and CRL signature become invalid. Since CRL object contains only signature value without signer certificate, normally it is impossible to verify whether the CRL signature is valid. In order to verify signature, you must obtain signer certificate (issuing CA certificate) and use custom steps to verify the signature.
I'm glad to announce that another build of my PowerShell PKI module is released! This release introduces new vision of the module evolution. Since now, it is not only a set of PowerShell commands, but the set of .NET APIs that can be used to extend existing commands. Let's go with details.
Due to the fact that Windows PKI team decided to name their own module in Windows Server 8 exactly as my module, I was forced to rename it. This is very disappointing thing. Now the module is named PSPKI. On the other side, PKI was too generic name and new name exposes usage area (PowerShell or simply PS).
Previously I've used a private signing certificate (issued by one of my internal CAs) to sign module files. Now I switched it to a certificate issued by common trusted CA (DigiCert).
Hello мир! Yesterdays I've published another version of my PowerShell PKI module — v1.0. Here are release notes:
I've spent much time on reviewing existing installation experience. My main goals were:
As you may be noticed, previously I've used Advanced Installer (thanks to PowerShell MVP Shay Levy who advised me this product) to wrap my package in MSI. Advanced Installer has intuitive, well-designed (attractive) and rich UI and this product is (possible) the best for beginners like me. However, free license is not enough for custom installation scenarios (like 32/64-bit mixed packages, direct upgrades, patching and so on). In order to accomplish these goals, I've contacted Caphyon Advanced Installer team for some support here. Advanced Installer support was very quick and kind, so I'm ready to provide new installation experience.
Finally I have finished another PowerShell PKI module release. This is not a significant release, but is quite improved. During module usage (I'm using certutil.exe less an less) I found some bugs in the previous release. Now they are fixed (at least those that were reported). The most significant change is in a new functionality. There are 3 set of cmdlets to manage the following CA settings:
Enrollment (ICertRequest3) and management (ICertAdmin2) interface management consist of four cmdlets: