Vadims Podāns
Vadims Podāns 15.03.2019 18:53 (GMT+2) Retrieve CNG key container name and unique name

> Can you do the reverse?

With some degree of accuracy it is possible. The idea is the same: get the container name from a file and enumerate all certificates in the store and check if a particular certificate contains key information that points to the specified file name. Though, I would go a bit different way: load the key in the provider and extract the public key. Again, enumerate certificates in the store and check if there is a matching public key in a certificate. This is how "certutil -repairstore" works.
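
The first approach from the reply above (walk the store, read each private key's unique container name, compare it with the file name), written out as an added PowerShell example that is not part of the original thread. It assumes the bare file name is passed in (not the full path) and defaults to the machine Personal store; the store path parameter is an assumption for convenience.

```powershell
# Added example (not from the original comment thread): map a private key file name
# from ...\Crypto\RSA\MachineKeys\ or ...\Crypto\RSA\<SID>\ back to the certificate(s)
# in a store whose key points at that file.
param(
    [Parameter(Mandatory)][string]$KeyFileName,      # assumption: file name only, e.g. "f686aace...".
    [string]$StorePath = 'Cert:\LocalMachine\My'    # assumption: machine Personal store by default.
)

function Get-KeyUniqueName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CNG (KSP) keys: the CngKey.UniqueName is the on-disk key file name.
    # Legacy CSP keys: CspKeyContainerInfo.UniqueKeyContainerName is the on-disk key file name.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.UniqueName }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    $ec = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
    if ($ec -is [System.Security.Cryptography.ECDsaCng]) { return $ec.Key.UniqueName }
    return $null
}

$found = foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
    try {
        $unique = Get-KeyUniqueName -Cert $cert
    } catch {
        # Key on hardware, owned by another account, or otherwise not openable from this context.
        Write-Verbose "Cannot open key for $($cert.Thumbprint): $($_.Exception.Message)"
        continue
    }
    if ($unique -and ($unique -ieq $KeyFileName)) {
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            KeyFile    = $unique
        }
    }
}

if ($found) { $found } else { Write-Warning "No certificate in $StorePath references key file '$KeyFileName'." }
```

A key file that matches nothing in the store is an orphaned container; "certutil -repairstore" relies on the public-key comparison instead, so it also works when the container name metadata on the certificate is missing or wrong.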

AndrePKI
AndrePKI 15.03.2019 18:39 (GMT+2) Retrieve CNG key container name and unique name

Can you do the reverse? I.e. given a file name in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ or C:\Users\<name>\AppData\Roaming\Microsoft\Crypto\RSA\<SID>\, find which certificate is associated with this key (container) file? Or is it just a one-way thing?

Vadims Podāns
Vadims Podāns 10.03.2019 23:05 (GMT+2) PowerShell 5.0 and Applocker. When security doesn’t mean security (part 2)

> Why do you want to screen .PS1 files yet have the interactive prompt fully open?

The idea behind this is that PS1 screening still helps to prevent automatic (mostly accidental) script execution. SRP is bypassable, Applocker too. These are not security features and they won't get fixed. This means that PS constrained mode makes very little sense. Maybe against inexperienced users only.

> If the interactive prompt is open, your system is open.

If I have interactive access, nothing will keep me from executing arbitrary PS code. I won't even use the powershell.exe console. There are plenty of ways to execute arbitrary PS code without executing the powershell.exe console, and these ways are not protected in any way.

Vadims Podāns
Vadims Podāns 10.03.2019 19:58 (GMT+2) Automate archived key migration to a new CA server

Why do you need to update the encryption key? If the existing KRA key is expired, just assign a new KRA key and use it for subsequent encryption operations. There is not much need for re-encryption with the new KRA key. Just maintain the history of KRA keys for decryption.

Stan
Stan 10.03.2019 12:28 (GMT+2) Automate archived key migration to a new CA server

If I need to update the encryption key on a CA, is it enough to download-reencode-upload, or something special needs to be done to remove keys with old KRA key?