Hello S-1-1-0, CryptoGuy is back again. Recently I spent a lot of time on PowerShell Cmdlet Help Editor enhancement and didn’t had enough time to write new posts. Now I’m making a break and will continue blogging. Today I open a post series about managing Microsoft Online Responders (OCSP) with PowerShell.

Underlying API

Microsoft implemented OCSP server management via a number of COM interfaces which are directly instantiable:

• IOCSPAdmin (progID: CertAdm.OCSPAdmin)
• IOCSPPropertyCollection (progID: Certadm.OCSPPropertyCollection)

Getting basic information

At first we will start with service availability by calling IOCSPAdmin.Ping method:

Today I released a new version of PS Cmdlet Help Editor which doesn’t introduce any code updates. However, it introduces significant UI update. Previously, I used fixed-sized editor fields:

On large (and wide) displays a lot of window space is not used. For example, on 22” displays editor fields occupies only half of display area. I checked some good articles about layout options in WPF and found that there is a great option to make dynamic layout with Grid control, which allows to expand nested controls along with display size expansion. Here is an example of a new layout:

Yesterday I published another version of my PowerShell PKI module.

Reached milestone

At first, I want to announce an important notice about this release. This release is the latest release that is compiled (underlying API in PKI.Core.dll) under .NET Framework 2.0. Next release will require .NET Framework 4.0, because I want to get rid of some internal helpers and replace them with LINQ expressions, also I’d like to utilize new features in .NET 4.0 itself.

In addition, this release is the latest release that respects certification authorities that run on Windows Server 2003-based computers. New commands (which will be added in future releases) will not guarantee Windows Server 2003 support.

Existing changes

The following changes are made in existing commands (without breaking their behavior or syntax):

Time by time I receive questions about alternate signature algorithms. What is the difference between them and what benefits are in an alternate signature algorithms.

As per TechNet article:

For certificates based on RSA algorithms, PKCS #1 v2.1 specifies separate object identifiers for the hash algorithm and for the asymmetric algorithm. (In PKCS #1 v.1.5, only one object identifier is used to identify both the hash and asymmetric algorithms.) In addition, if you select the alternate signature format for certificates based on RSA algorithms, an enhanced cryptographic formula is used to create the signature.

Generally speaking, alternate signature algorithm (signature format) just allows to specify additional details about how signature is constructed.

This is the last my post this year and I want to make a little summary about my blogging and public projects I’m running and to acknowledge some companies and people.

Projects summary

During this year I continued to focus on Public Key Infrastructure and it’s integration into Windows PowerShell. It is unfortunate that only few people pays attention to this aspect. While many Microsoft products and technologies have solid support in PowerShell, ADCS and PKI still has very poor support. Finally, Microsoft developed cmdlets for ADCS components installation (starting with Windows Server 2012) — it is a big win. However, built-in cmdlets still lacks in ADCS component management in PowerShell.

To be honest, cmdlets in PKI and AdcsAdministration modules are awful and don’t cover daily ADCS management tasks. On the other hand, it is a great field (opportunity) for me, to continue PowerShell PKI module development. During this year I shipped two releases of this module. Each new version implements new commands, features and resolves detected issues. New version is coming (release is planned in January).

Also I’m continuing to work on others projects and concepts. For example, PowerShell Cmdlet Help Editor. so far it is the only publically available help editor for 3rd party modules. Primarily I developed the editor to cover my own needs to create unified help content for PowerShell PKI module. First version covered just basic functionality. It wasn’t enough, so I added an ability to generate HTML code which can be pasted to your web site (for example, to CodePlex). However, I noticed that help content review (for typos or other inaccuracies) is not very easy, so I added a browser plugin to the editor, so you can select the cmdlet and view entire cmdlet help content in a user-friendly way. There are other improvements which I didn’t mentioned, the main idea is the same — make the editor more user-friendly and reduce the time on content writing and review.

In addition, you can check my little, but very useful scripts on TechNet Gallery: PowerShell File Checksum Integrity Verifier (PsFCIV) and Self-signed certificate generator (PowerShell), which are now a part of PKI module. Do not forget about my recent work: Verifying The SSL Certificates with a tool, which is outstanding and still, there are ways for improvement and enhancements (it requires a time).

Acknowledges

All these projects require a lot of time. Since I’m working on them during my free time, I’m trying to spend the time more effectively. Also, the product should be easy to ship and install by end-users. Therefore I want to mention some companies which helped me with free NFR (Not For Resale) licenses for their products.

• Dell Software — PowerGUI Script Editor (still free). I’m using PowerGUI many years (5+ years) and now I can’t imagine complex PowerShell script writing outside of it. Really, smart and effective product (comparing to others) for script development and testing.
• Sandcastle Help File Builder (already free). This is a great tool which is intended to generate a user-friendly help content for your own .NET projects. Here is the documentation example from my PowerShell PKI module: http://pkix2.sysadmins.lv/library/
• JetBrains — ReSharper. I’m not considering myself as a decent C# developer and my experience in this language and behaviors is average. ReSharper dramatically improved my C# code, made it cleaner, shorter and smarter by removing unnecessary/redundant code paths and follows for code compliance, refactoring, code generation and more and more. This is really-really invaluable tool. Even if they retire the NFR license, I will buy it.
• Caphyon — Advanced Installer. PowerShell module distribution is a real challenge. Unfortunately, PowerShell don’t have easy and flexible ways to distribute 3rd party modules (like NuGet in Visual Studio) and it looks like: pack the module to ZIP, provide a long instructions to end user to install and configure the module. The things become worse when there are additional dependencies (like required .NET version). End users are not PowerShell MVPs and don’t have to know all these details, they just need to install the module, run in, ??????, PROFIT. This is what Advanced Installer does. It easily packs the module to a MSI package which can be easily installed with few “Next-Next-Finish” clicks.
  MSI creation is not an easy process, but Advanced Installer is really-really easy to use, user-friendly with a really good help content which do not overhead the user with unnecessary technical details.
• DigiCert. When you distribute the software over internet, it is important to make sure that end user receives the code that was produced by a developer, without modifications. Digital signatures on a software ensures that no one added, removed or somehow tampered the code after it was released (intentionally or unintentionally). In addition, digital signatures increases the trust between the developer and end user, especially when the software was downloaded from untrusted sources. this ensures that 3rd party (hosting company or someone else). Each my product, script is digitally signed, so you can be sure that it wasn’t modified after I signed it.

Special acknowledges

While I mentioned companies that helped me with products that reduces my time on project development, I want to mention two guys from Microsoft, who help me with their brains and who put reasonable effort in PKI module development. Probably you never heard about them, but I think you should know these “invisible” heroes:

• Vic Heller (Microsoft). Vic is a heart, head, hands, knees and soul of Windows PKI. Cryptography is not the easiest technology and cryptography documentation and API in Windows is a hell. Apparently it is written for incredibly skilled in cryptography guys who can understand it. Just an example: CryptSetProvParam function. Also, the API behavior is not always clear from the documentation. Time by time I’m struggling on some aspect (theoretical or practical) and even Google can’t help there. Only Vic “Last Chance” Heller can help in such cases. I can’t remember if there was a question when Vic or Rashmi couldn’t find an answer.
• Rashmi Jha (Microsoft). When the question is about OCSP or certificate enrollment web services questions, Rashmi is (maybe, the only) the rescue service there.

Sometimes I’m writing about interesting behavior in Windows PKI which is not described anywhere and which I got from these guys. For example, Database log files are not truncated when you perform a full Certification Authority database backup, or String comparison in Certification Authority database queries.

Thank you all, who helped and continue to help me with your products or brains, your help is invaluable!