
I was silent for about 3 months or so. There were no interesting topics to discuss and I hardly worked on my public projects, including the PowerShell PKI module, PS Cmdlet Help Editor and ASN.1 Editor (not yet public). Today I completed a new PS PKI module release and there is something to talk about.

New milestone

Hellya! We reached 2000 downloads in 6 months! I think it is good progress! :)

As promised, there was a need to move forward and use some more efficient tools. As a result, my underlying API library was migrated to .NET Framework 4.0. There are no plans to move to 4.5, so you can be safe about this. For some time. Windows PowerShell 2.0 does not support CLR 4.0 assemblies, therefore Windows PowerShell 2.0 is out of support. Although the PowerShell scripts are written in PS v2.0 and do not use any new language features, I don't think it will be a big problem. The minimum supported PowerShell version is 3.0.



Recently I faced an interesting issue with unmanaged structure definitions that contain unions. Unions allow one portion of memory to be accessed as different data types. Here is a CERT_ID structure definition in C++ that uses an anonymous union (exactly my issue):



Hello everyone, I’m glad to present another release of PS Cmdlet Help Editor! The new version (3.0) brings big changes in its functionality. Key changes in this release:

  • Introduced Start Page;
  • Introduced PS Help project file which stores help content and other settings;
  • Introduced basic BB-code support (in future, BB-code support will be enhanced);
  • Introduced an ability to publish help content online via MetaWeblog API.


Today I released the SSL Certificate Verifier tool to CodePlex. There are plans to enhance the tool (as per customer requests), so I decided to publish it online, rather than maintaining it here.

>> SSL Certificate Verifier <<

SYMPTOMS

Consider the following scenario: you are dumping the CA database by using certutil, PowerShell or any other tool that utilizes the ICertView2 interface, and at some point you receive the following error:

Certutil:

  • CertUtil: -view command FAILED: 0x80070006 (WIN32: 6)
    CertUtil: The handle is invalid.

PowerShell (when using ICertView interface):

  • CEnumCERTVIEWROW::Next: The handle is invalid. 0x80070006 (WIN32: 6)

CAUSE

This error can be caused by handle expiration. There are two parameters that control database access handle validity:

1) When the connection is opened by calling ICertView2::OpenConnection, the next action must be taken within the ViewIdleMinutes period. If no action (an OpenView method call) is taken within this period, the handle is released. By default, ViewIdleMinutes is 8 minutes.

2) When the ICertView::OpenView method is called, the handle is valid for the period specified in ViewAgeMinutes. If the CA database dump operation exceeds this parameter, the handle is forcibly released and the error is returned. By default, ViewAgeMinutes is 16 minutes.


STATUS

This is by design.


SOLUTION

If there is a need to extend handle validity for large output, you can increase the ViewAgeMinutes property by modifying the CA configuration:

  1. Log on to the CA server with local administrator permissions;
  2. Open an elevated command prompt;
  3. Type the following command in the command prompt:
    certutil -setreg CA\ViewAgeMinutes X
    where X is a number that represents handle validity in minutes.
  4. Restart certificate services.
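
The steps above as a PowerShell function that also prints the current values before the change and checks that each step succeeded. This is an added example, not part of the original article; the function name Set-CAViewAgeMinutes is hypothetical, and it assumes an elevated session on the CA server, `certutil -getreg` for reading the values, and CertSvc as the certificate services service name.

```powershell
# Added example, not from the original article. Run elevated on the CA server.
function Set-CAViewAgeMinutes {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # New handle validity in minutes (the article gives 16 as the default).
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 2147483647)]
        [int]$Minutes
    )

    # Print both timeouts before changing anything, so the previous state is on record.
    foreach ($name in 'ViewIdleMinutes', 'ViewAgeMinutes') {
        $out = & certutil.exe -getreg "CA\$name" 2>&1
        if ($LASTEXITCODE -eq 0) {
            Write-Host "Current ${name}:"
            $out | ForEach-Object { Write-Host "  $_" }
        } else {
            # Assumption: a non-zero exit code means the value could not be read
            # (for example, the session is not elevated or this is not a CA server).
            Write-Warning "Could not read CA\$name (certutil exit code $LASTEXITCODE)."
        }
    }

    # Honour -WhatIf / -Confirm before touching the CA configuration.
    if (-not $PSCmdlet.ShouldProcess('CA\ViewAgeMinutes', "Set to $Minutes and restart CertSvc")) {
        return
    }

    # Step 3 of the article: write the new value.
    & certutil.exe -setreg CA\ViewAgeMinutes $Minutes | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg failed (exit code $LASTEXITCODE); the service was not restarted."
    }

    # Step 4 of the article: restart certificate services so the new value is applied.
    Restart-Service -Name CertSvc -ErrorAction Stop

    # Read the value back to confirm what is now configured.
    & certutil.exe -getreg CA\ViewAgeMinutes
}

# Dry run with a constructed value of 60 minutes:
# Set-CAViewAgeMinutes -Minutes 60 -WhatIf
```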

WORKAROUND

No workaround is available.


APPLIES TO

  • Active Directory Certificate Services (all versions)