Posts on this page:

Hello again!

The problem

Recently I had a dialog with Mark B. Cooper when he reported a weird issue with the Install-AdcsCertificationAuthority cmdlet. To reproduce it, prepare a new server without any network adapter (not even a loopback adapter) and run the Install-AdcsCertificationAuthority cmdlet with no parameters (which implies default settings). You will get:

PS C:\Users\Administrator> Install-AdcsCertificationAuthority

Confirm
Are you sure you want to perform this action?
Performing the operation "Install-AdcsCertificationAuthority" on target "WIN-F6MCGE586LQ".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"):
Install-AdcsCertificationAuthority : Active Directory Certificate Services setup failed with the following error:  The
network location cannot be reached. For information about network troubleshooting, see Windows Help. 0x800704cf
(WIN32: 1231 ERROR_NETWORK_UNREACHABLE)
At line:1 char:1
+ Install-AdcsCertificationAuthority
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Install-AdcsCertificationAuthority], CertificationAuthoritySetupE
   xception
    + FullyQualifiedErrorId : Install,Microsoft.CertificateServices.Deployment.Commands.CA.InstallADCSCertificationAut
   hority

PS C:\Users\Administrator>

Read more →

Hello again, PowerShell CryptoGuy is back!

I was impressed by how much feedback I received on my proof-of-concept version of the Enterprise PKI health verifier: Enterprise PKI (pkiview.msc) PowerShell Edition (PoC). I carefully reviewed each piece of feedback and implemented almost all of the requests.


Read more →

New year and new post :)

New release

Yesterday I released a new version of PS Cmdlet Help Editor on CodePlex. Essentially this version is the same as the previously published beta. Refer to this post for details about the new version: PS Cmdlet Help Editor v3.3.5.0 Beta. I just addressed and fixed the issues reported by users and believe it is now safe for use.


Read more →

Recently I started another PKI task automation project with PowerShell: a PKI Health Tool (aka Enterprise PKI or pkiview.msc). As a starting point I took the functionality of the pkiview.msc MMC snap-in, which consists of:

  1. Enumerate all Enterprise CAs in the forest. Filter out inaccessible CAs;
  2. Retrieve the most recent CA Exchange certificate for each CA;
    1. Build the chain for each certificate to select trusted anchors and to walk through the chain;
  3. Retrieve all Issuer URLs from the AIA extension;
    1. Validate each URL (must be either http or ldap) and attempt to download the contents;
    2. If the contents are downloaded, verify whether they are a certificate;
      1. Verify whether the downloaded certificate is the issuer of the CA Exchange certificate;
      2. Validate other certificate properties;
  4. Extract URLs from the CDP extension;
    1. Validate each URL (must be either http or ldap) and attempt to download the contents;
    2. If the contents are downloaded, verify whether they are a CRL;
      1. Validate basic CRL properties, like validity (not yet valid, expired, about to expire);
      2. Validate whether the CRL has a valid signature (against the CA certificate);
    3. Do the same for Delta CRLs;
  5. Extract all OCSP URLs from the AIA extension;
    1. Validate the OCSP responder by sending an OCSP request and processing the response;
  6. Compose a status report (managed: I maintain a report object and you can access its properties);
  7. Repeat steps 3-6 for each subsequent certificate in the chain up to the root certificate;
  8. Compose a summary report.

Read more →

I was silent recently because the blog was down. SharePoint is a nightmare for me. Fortunately, I am writing my own web site with ASP.NET MVC and plan to move to reliable hosting in the near future.

Today I want to discuss extracting relative distinguished name (RDN) attributes from a full X.500 distinguished name (DN) in PowerShell.


Read more →