Posts on this page:

Recently I started another piece of work on PKI task automation with PowerShell – a PKI Health Tool (aka Enterprise PKI or pkiview.msc). As a starting point I took the functionality of the pkiview.msc MMC snap-in, which consists of:

  1. Enumerate all Enterprise CAs in the forest and filter out inaccessible CAs;
  2. Retrieve the most recent CA Exchange certificate for each CA;
    1. Build the chain for each certificate to select trusted anchors and to walk through the chain;
  3. Retrieve all issuer URLs from the AIA extension;
    1. Validate each URL (it must be either http or ldap) and attempt to download the contents;
    2. If the contents are downloaded, verify whether they form a certificate;
      1. Verify that the downloaded certificate is the issuer of the CA Exchange certificate;
      2. Validate other certificate properties;
  4. Extract the URLs from the CDP extension;
    1. Validate each URL (it must be either http or ldap) and attempt to download the contents;
    2. If the contents are downloaded, verify whether they form a CRL;
      1. Validate basic CRL properties, such as validity (not yet valid, expired, about to expire);
      2. Validate whether the CRL has a valid signature (against the CA certificate);
    3. Do the same for delta CRLs;
  5. Extract all OCSP URLs from the AIA extension;
    1. Validate the OCSP responder by sending an OCSP request and processing the response;
  6. Compose a status report (managed: I maintain a report object and you can access its properties);
  7. Repeat steps 3-6 for each subsequent certificate in the chain up to the root certificate;
  8. Compose a summary report.

Read more →

Some time ago I quoted a Windows PKI team announcement about the SHA1 Deprecation Policy by Microsoft.

In short, Microsoft will discontinue SHA1 signatures in SSL and code signing certificates by January 1, 2017. That announcement raised a lot of questions in the TechNet forums, and these questions show that users misunderstand the policy. In this article I want to focus on the key points of the policy and on common myths; the second part will give general guidance for moving to SHA2.


Read more →

Today I released the SSL Certificate Verifier tool on CodePlex. There are plans to enhance the tool (per customer requests), so I decided to publish it there rather than maintain it here.

>> SSL Certificate Verifier <<

SYMPTOMS

Consider the following scenario: you are dumping the CA database with certutil, PowerShell or any other tool that uses the ICertView2 interface, and at some point you receive the following error:

Certutil:

  • CertUtil: -view command FAILED: 0x80070006 (WIN32: 6)
    CertUtil: The handle is invalid.

PowerShell (when using ICertView interface):

  • CEnumCERTVIEWROW::Next: The handle is invalid. 0x80070006 (WIN32: 6)

CAUSE

This error is caused by handle expiration. Two settings control the validity of the database access handle:

1) When the connection is opened by calling ICertView2::OpenConnection, the next action must be taken within the ViewIdleMinutes period. If no action (an OpenView method call) is taken within this period, the handle is released. By default, ViewIdleMinutes is 8 minutes.

2) When the ICertView::OpenView method is called, the handle is valid for the period specified in ViewAgeMinutes. If the CA database dump operation takes longer than this, the handle is forcibly released and the error is returned. By default, ViewAgeMinutes is 16 minutes.


STATUS

This is by design.


SOLUTION

If you need to extend handle validity for large output, you can increase the ViewAgeMinutes property by modifying the CA configuration:

  1. Log on to the CA server with local administrator permissions;
  2. Open an elevated command prompt;
  3. Type the following command in the command prompt:
    certutil -setreg CA\ViewAgeMinutes X
    where X is a number that represents the handle validity in minutes;
  4. Restart Certificate Services.
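The same four steps as an added PowerShell helper (not code from the original post): Set-CAViewTimeout is a hypothetical function name; it reads the active CA name and the current values from the CertSvc registry key, applies the change through certutil -setreg as above, and restarts the service. It assumes it runs elevated on the CA server.

```powershell
# Added example, not from the original post. Set-CAViewTimeout is a hypothetical helper:
# run it elevated on the CA server to raise the view handle lifetimes so a long
# ICertView2 dump does not fail with 0x80070006.
function Set-CAViewTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # New ViewAgeMinutes: how long a handle returned by OpenView stays valid.
        [Parameter(Mandatory = $true)][ValidateRange(1, 1440)][int]$ViewAgeMinutes,
        # Optional new ViewIdleMinutes: how long an opened connection may wait
        # for the first OpenView call before its handle is released.
        [ValidateRange(1, 1440)][int]$ViewIdleMinutes
    )
    # The active CA name and its settings live under the CertSvc configuration key.
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
    $current   = Get-ItemProperty -Path (Join-Path $configKey $caName)

    # Record the current values (falling back to the defaults named in the post,
    # 16 and 8 minutes, if the values are absent) so the change can be reverted.
    $oldAge  = if ($null -ne $current.ViewAgeMinutes)  { [int]$current.ViewAgeMinutes }  else { 16 }
    $oldIdle = if ($null -ne $current.ViewIdleMinutes) { [int]$current.ViewIdleMinutes } else { 8 }
    $setIdle = $PSBoundParameters.ContainsKey('ViewIdleMinutes')
    $newIdle = if ($setIdle) { $ViewIdleMinutes } else { $oldIdle }
    Write-Verbose "CA '$caName': ViewAgeMinutes=$oldAge ViewIdleMinutes=$oldIdle"

    # certutil -setreg is the same mechanism as the manual steps; it writes to the
    # correct CA key and reports failure through its exit code.
    if ($PSCmdlet.ShouldProcess($caName, "Set ViewAgeMinutes=$ViewAgeMinutes")) {
        & certutil.exe -setreg CA\ViewAgeMinutes $ViewAgeMinutes | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -setreg CA\ViewAgeMinutes failed: $LASTEXITCODE" }
    }
    if ($setIdle -and $PSCmdlet.ShouldProcess($caName, "Set ViewIdleMinutes=$ViewIdleMinutes")) {
        & certutil.exe -setreg CA\ViewIdleMinutes $ViewIdleMinutes | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -setreg CA\ViewIdleMinutes failed: $LASTEXITCODE" }
    }
    # The new values take effect only after Certificate Services restarts.
    if ($PSCmdlet.ShouldProcess('CertSvc', 'Restart service')) {
        Restart-Service -Name CertSvc -Force
    }
    [pscustomobject]@{
        CAName             = $caName
        OldViewAgeMinutes  = $oldAge
        NewViewAgeMinutes  = $ViewAgeMinutes
        OldViewIdleMinutes = $oldIdle
        NewViewIdleMinutes = $newIdle
    }
}

# Allow a one-hour dump window; preview with -WhatIf before applying for real.
Set-CAViewTimeout -ViewAgeMinutes 60 -WhatIf
```

Drop -WhatIf to apply the change; the returned object keeps the previous values so they can be restored with the same function once the dump is done.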

WORKAROUND

No workaround is available.


APPLIES TO

  • Active Directory Certificate Services (all versions)

In the previous post we explored the techniques used to create a common revocation configuration for use with an Enterprise CA.

Today we will look at another option: creating a revocation configuration for an external (Standalone or 3rd-party) CA. The steps to create such a configuration are almost the same and differ only in certain parts.

Creating a revocation configuration for a Standalone CA

Consider the following scenario: you have a Standalone CA that is not connected to a network. You need to create a revocation configuration for this CA. The signing certificate is issued (out of band) by that CA.


Read more →