I was silent recently, because the blog was down. SharePoint is a nightmare for me. Hopefully, I’m writing my own web site with ASP.NET MVC and have plans to move to a reliable hosting in near future.

Today I want to discuss the question about extracting relative distinguished name (RDN) attributes from X.500 full distinguished name (DN) in PowerShell.

Today I have published a new version of PowerShell Cmdlet Help Editor which includes only one major change and number of minor changes.

Notable changes

Main change is tabbed document introduction:

A time ago I quoted a Windows PKI team announce about SHA1 Deprecation Policy by Microsoft.

In short, Microsoft will discontinue SHA1 signatures in SSL and code signing certificates by January 1 2017. This article raised a lot of questions in TechNet forums and these questions shows policy misunderstanding by users. In this article I want to focus on key moments of the policy, common myths and the second part will show the general guidance for moving toward SHA2.

Point Of Interest

When I started PowerShell PKI module project, I quickly realized that I will have to deal with abstract syntax notation one (ASN.1) with distinguished encoding rules (DER) encoding subset. This is because all transferrable cryptographic objects are encoded in ASN.1 and in DER encoding. X.509 certificates, revocation lists, trust lists, OCSP, etc., etc..

In previous post I talked about weirdness in CNG support in .NET and showed an example how to fill the gaps in .NET. That was just an example. Today I will show how to perform basic cryptographic operations with CNG in PowerShell and other CLR languages (C#, VB.NET). PowerShell is built on top of CLR, so the techniques are almost identical, despite a bit different syntax.

So, today I will show how to sign the data with CNG certificate. The easiest way is to use NCrypt* unmanaged function family exposed by NCRYPT.DLL.