Posts on this page:

Hello folks, sorry for the delayed post: one of my SSD disks suddenly died and I was busy with data recovery.

In the previous post we looked at the main interfaces and methods used to retrieve Online Responder array settings and revocation configurations. Today we will learn how to use them to delete an existing revocation configuration and add a new one.

Deleting an existing revocation configuration

In the previous post you saw that my OCSP server has one revocation configuration, named “test”. Suppose we no longer need this particular configuration (say, the associated CA was decommissioned). We can delete it by calling the IOCSPCAConfigurationCollection::DeleteCAConfiguration method and then apply the change by calling the IOCSPAdmin::SetConfiguration method; until SetConfiguration is called, the deletion exists only in the local copy of the configuration that GetConfiguration loaded, and the server is unchanged.
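The full sequence (load, delete, commit, re-read) as an added example; this is not the original post's script, and the server name and configuration name are placeholders. It assumes the caller holds the Online Responder administrator role and that the CertAdm.OCSPAdmin COM object is registered locally:

```powershell
# Added example; not the original post's script. Removes one revocation
# configuration from an Online Responder through the IOCSPAdmin COM object.
# Assumes the caller holds the Online Responder administrator role; the
# server name and configuration name in the usage line are stand-ins.
function Remove-OcspRevocationConfiguration {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # Online Responder host
        [Parameter(Mandatory)][string]$Identifier      # revocation configuration name, e.g. 'test'
    )
    $OcspAdmin = New-Object -ComObject CertAdm.OCSPAdmin
    # Load the server's configuration into the COM object (second argument: bForce).
    $OcspAdmin.GetConfiguration($ComputerName, $true)
    $configs = $OcspAdmin.OCSPCAConfigurationCollection

    # DeleteCAConfiguration fails on an unknown name, so check first and
    # tell the caller which identifiers actually exist on this server.
    $existing = @($configs | ForEach-Object { $_.Identifier })
    if ($existing -notcontains $Identifier) {
        throw "No revocation configuration '$Identifier' on $ComputerName. Present: $($existing -join ', ')"
    }

    $configs.DeleteCAConfiguration($Identifier)
    # Nothing has changed on the server yet: SetConfiguration writes the
    # modified collection back and is the point at which the deletion takes effect.
    $OcspAdmin.SetConfiguration($ComputerName, $true)

    # Re-read from the server so the returned list reflects what it has now,
    # not just the local copy.
    $OcspAdmin.GetConfiguration($ComputerName, $true)
    @($OcspAdmin.OCSPCAConfigurationCollection | ForEach-Object { $_.Identifier })
}

# Usage (names are placeholders): returns the identifiers that remain after deletion.
# Remove-OcspRevocationConfiguration -ComputerName 'ocsp01.contoso.com' -Identifier 'test'
```

The existence check matters in practice: on an array, run the function against the array controller, since member responders pull their configuration from it.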


Read more →

Hello S-1-1-0, CryptoGuy is back again. Recently I spent a lot of time on PowerShell Cmdlet Help Editor enhancements and didn’t have enough time to write new posts. Now I’m taking a break from that and will continue blogging. Today I open a post series about managing Microsoft Online Responders (OCSP) with PowerShell.

Underlying API

Microsoft implements OCSP server management through a number of COM interfaces that can be instantiated directly:

Getting basic information

We will start by checking service availability with the IOCSPAdmin.Ping method:
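An added example (not the original post's code) that wraps Ping and then pulls the basic information this series is about. It assumes the CertAdm.OCSPAdmin COM object is registered locally (the Online Responder management tools are installed), and it reads the 'ArrayController' and 'ArrayMembers' service properties by name; those two names are an assumption of the example:

```powershell
# Added example; not the original post's code. Checks that an Online Responder
# answers and then reads basic information. Assumes the CertAdm.OCSPAdmin COM
# object (IOCSPAdmin) is registered locally and that 'ArrayController' and
# 'ArrayMembers' are the service property names you want to see.
function Get-OcspResponderSummary {
    param([Parameter(Mandatory)][string]$ComputerName)
    $OcspAdmin = New-Object -ComObject CertAdm.OCSPAdmin

    # Ping raises a COM error when the service is stopped or the host is unreachable;
    # report that as data instead of aborting a run over many responders.
    try { $OcspAdmin.Ping($ComputerName) }
    catch {
        return [pscustomobject]@{ ComputerName = $ComputerName; Online = $false; Error = $_.Exception.Message }
    }

    # Ping only proves the service answers; the configuration is a separate call.
    $OcspAdmin.GetConfiguration($ComputerName, $true)
    $props = @{}
    foreach ($p in $OcspAdmin.OCSPServiceProperties) { $props[$p.Name] = $p.Value }

    [pscustomobject]@{
        ComputerName             = $ComputerName
        Online                   = $true
        Roles                    = $OcspAdmin.GetMyRoles($ComputerName)   # bit flags of the caller's OCSP roles
        ArrayController          = $props['ArrayController']
        ArrayMembers             = $props['ArrayMembers']
        RevocationConfigurations = @($OcspAdmin.OCSPCAConfigurationCollection |
            ForEach-Object { '{0} (ErrorCode=0x{1:X8})' -f $_.Identifier, $_.ErrorCode })
        Error                    = $null
    }
}

# Usage (host names are placeholders):
# 'ocsp01', 'ocsp02' | ForEach-Object { Get-OcspResponderSummary $_ }
```

Ping answering does not mean the responder is healthy: a revocation configuration with a non-zero ErrorCode (for example, a signing certificate that failed to enroll) still passes Ping, which is why the summary lists each configuration's error code next to its name.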


Read more →

From time to time I receive questions about alternate signature algorithms: what the difference is, and what benefits an alternate signature algorithm brings.

As per TechNet article:

For certificates based on RSA algorithms, PKCS #1 v2.1 specifies separate object identifiers for the hash algorithm and for the asymmetric algorithm. (In PKCS #1 v.1.5, only one object identifier is used to identify both the hash and asymmetric algorithms.) In addition, if you select the alternate signature format for certificates based on RSA algorithms, an enhanced cryptographic formula is used to create the signature.

Generally speaking, the alternate signature format (RSASSA-PSS, object identifier 1.2.840.113549.1.1.10) lets the signature algorithm identifier carry additional details about how the signature is constructed: the hash algorithm, the mask generation function and the salt length are encoded as parameters, instead of being implied by a single combined identifier such as sha256RSA.
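To make the difference concrete, here is an added example (not from the original post) that classifies a certificate by its signature algorithm OID and then signs the same constructed input with both paddings. The OIDs in the table are the standard PKCS #1 values; the RSA key is generated on the fly, and the example assumes Windows, where RSACng supports PSS:

```powershell
# Added example, not from the post: show what the alternate signature format
# (RSASSA-PSS) changes compared with the classic PKCS #1 v1.5 signature, and
# classify a certificate's signature algorithm by OID. Assumes Windows (RSACng).
$PssOid = '1.2.840.113549.1.1.10'          # id-RSASSA-PSS: hash, MGF and salt length travel as parameters
$Pkcs1Oids = @{                            # PKCS #1 v1.5: one OID fixes hash and RSA together
    '1.2.840.113549.1.1.5'  = 'sha1RSA'
    '1.2.840.113549.1.1.11' = 'sha256RSA'
    '1.2.840.113549.1.1.12' = 'sha384RSA'
    '1.2.840.113549.1.1.13' = 'sha512RSA'
}

function Get-SignatureFormat {
    # Tell a legacy PKCS #1 v1.5 signed certificate from an alternate (PSS) one.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $oid = $Certificate.SignatureAlgorithm.Value
    if ($oid -eq $PssOid) { return 'RSASSA-PSS (alternate signature format)' }
    if ($Pkcs1Oids.ContainsKey($oid)) { return "PKCS #1 v1.5 ($($Pkcs1Oids[$oid]))" }
    return "other ($oid)"
}

function Compare-RsaSignaturePadding {
    # Sign the same data twice with each padding. PKCS #1 v1.5 is deterministic;
    # PSS embeds a random salt, so every signature differs yet still verifies.
    param([byte[]]$Data = [Text.Encoding]::ASCII.GetBytes('constructed sample input'))
    $rsa = New-Object System.Security.Cryptography.RSACng 2048
    try {
        $sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
        $pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
        $pss    = [System.Security.Cryptography.RSASignaturePadding]::Pss
        foreach ($padding in $pkcs1, $pss) {
            $other = if ($padding.Mode -eq 'Pss') { $pkcs1 } else { $pss }
            $sig1 = $rsa.SignData($Data, $sha256, $padding)
            $sig2 = $rsa.SignData($Data, $sha256, $padding)
            [pscustomobject]@{
                Padding       = $padding.Mode
                Deterministic = [Convert]::ToBase64String($sig1) -eq [Convert]::ToBase64String($sig2)
                Verifies      = $rsa.VerifyData($Data, $sig1, $sha256, $padding)
                # The padding is part of the algorithm identity, not an implementation
                # detail: a PSS signature does not verify as PKCS #1 v1.5 and vice versa.
                CrossVerifies = $rsa.VerifyData($Data, $sig1, $sha256, $other)
            }
        }
    } finally { $rsa.Dispose() }
}

# Usage: the padding comparison runs offline; the second line classifies your own certificates.
Compare-RsaSignaturePadding | Format-Table -AutoSize
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { '{0}: {1}' -f $_.Subject, (Get-SignatureFormat $_) }
```

Expected result of the comparison: Pkcs1 is Deterministic and Verifies, Pss is not Deterministic but Verifies, and CrossVerifies is False for both. The practical caveat is the last column: a relying party that only understands the combined sha256RSA identifier cannot validate a PSS signature at all, so the alternate format should only be enabled where every consumer of the certificates supports it.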


Read more →

Hello S-1-1-0, CryptoGuy is back with some good news!

About two years ago the Windows PKI team posted about an SSL certificate expiration checking tool: Verifying The SSL Certificate Expiration with a tool. However, the download link is broken and the PKI blog writers aren’t responsive, so there is no chance to get the utility. Although I have this tool, it is a bit more than completely useless. This is because the utility just checked the leaf certificate for expiration without performing any additional checks.

A week ago I decided to make my own tool with “Black Jack and Hookers”. For a first attempt I set myself the following wishes:

  1. Validate the SSL certificate and validate all certificates in the chain for possible errors;
  2. Implement certificate expiration checking (as in the original tool). Expiration should be checked for all certificates in the chain;
  3. When we connect to a host, it may decide to redirect us to another site. Say we connect to paypal.com and the server redirects us to www.paypal.com. These two servers may use different certificates (as is the case for paypal.com), so the tool must process all redirects and collect certificate status information for all of them;
  4. Write a trace/debug log for each processed entry;
  5. Provide the ability to save the server list to a file and read the list from a file.
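One way to implement wishes 1 to 3, as an added example rather than the tool described in the post: the TLS handshake accepts whatever the server presents so that the chain can be judged afterwards with X509Chain (including online revocation checking), the runtime's own verdict on the host name is kept, and redirects are followed by hand so each https endpoint gets its own chain report. It assumes Windows PowerShell 5.1 or PowerShell 7, and the start URL in the usage lines is only a stand-in:

```powershell
# Added example; not the tool described in the post. Covers wishes 1-3:
# follows redirects, validates every certificate in each chain and reports
# expiry per element. Assumes Windows PowerShell 5.1 or PowerShell 7; the
# start URL in the usage lines is a stand-in.

function Get-RedirectTargets {
    # Follow 3xx redirects manually (max $MaxHops) and return every https
    # endpoint visited. Certificate errors are deliberately ignored here;
    # the chain is validated separately by Test-SslCertificateChain.
    param([Parameter(Mandatory)][string]$Url, [int]$MaxHops = 10)
    $uri = [Uri]$Url
    $visited = New-Object System.Collections.Generic.List[Uri]
    for ($hop = 0; $hop -le $MaxHops; $hop++) {
        $visited.Add($uri)
        $req = [System.Net.HttpWebRequest]::Create($uri)
        $req.AllowAutoRedirect = $false
        $req.ServerCertificateValidationCallback = { $true }
        try { $resp = $req.GetResponse() }
        catch [System.Net.WebException] { $resp = $_.Exception.Response }   # 4xx/5xx still carry headers
        if (-not $resp) { break }
        $code = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $resp.Close()
        if ($code -lt 300 -or $code -ge 400 -or -not $location) { break }
        $uri = New-Object Uri($uri, $location)          # resolves relative Location values
    }
    $visited | Where-Object { $_.Scheme -eq 'https' } | Sort-Object Authority -Unique
}

function Test-SslCertificateChain {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443, [int]$WarningDays = 30)
    $script:tlsErrors = [System.Net.Security.SslPolicyErrors]::None
    $script:sentCerts = @()
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents so the handshake completes and we can
        # judge the chain ourselves; keep the runtime's verdict (name mismatch etc.)
        # and the intermediates the server actually sent.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:tlsErrors = $errors
            $script:sentCerts = @($chain.ChainElements | ForEach-Object { $_.Certificate })
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally { $client.Close() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # CRL/OCSP for every element, not just expiry
    $chain.ChainPolicy.ExtraStore.AddRange([System.Security.Cryptography.X509Certificates.X509Certificate2[]]$script:sentCerts)
    $chainValid = $chain.Build($leaf)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $nameMismatch = ([int]$script:tlsErrors -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0

    foreach ($element in $chain.ChainElements) {        # leaf first, root last
        $c = $element.Certificate
        $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt 0) { $expiry = 'EXPIRED' }
        elseif ($daysLeft -le $WarningDays) { $expiry = 'EXPIRING' }
        else { $expiry = 'OK' }
        [pscustomobject]@{
            Endpoint     = "${HostName}:$Port"
            Subject      = $c.GetNameInfo('SimpleName', $false)
            NotAfter     = $c.NotAfter
            DaysLeft     = $daysLeft
            Expiry       = $expiry
            ChainValid   = $chainValid
            NameMismatch = $nameMismatch
            ChainErrors  = $chainErrors
        }
    }
}

# Usage (start URL is a placeholder): one row per certificate, for every host the redirects lead to.
# Get-RedirectTargets 'https://paypal.com' |
#     ForEach-Object { Test-SslCertificateChain -HostName $_.Host -Port $_.Port } |
#     Format-Table -AutoSize
```

Two design points worth noting. X509Chain never checks the host name, which is why the runtime's RemoteCertificateNameMismatch flag is captured from the handshake and reported separately; a chain can be perfectly valid for the wrong host. And the intermediates the server sent are added to ExtraStore before Build, so a server that omits an intermediate is reported as such (PartialChain in ChainErrors) instead of being silently rescued by a certificate cached from an earlier AIA fetch on the scanning machine.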

Read more →

Warning: this post is the shortest post in the entire blog.


Microsoft has announced a deprecation policy for certificates signed with the SHA1 (sha1RSA) signature algorithm: the algorithm should not be used after January 1, 2016. US NIST guidance has advised that SHA1 should not be trusted past January 2014 for higher-assurance communications over the US Federal Bridge PKI.

More on Windows PKI weblog: SHA1 Deprecation Policy.