
Hello S-1-1-0, CryptoGuy is back with some good news!

About two years ago the Windows PKI team posted about an SSL certificate expiration checking tool: "Verifying The SSL Certificate Expiration with a tool". However, the download link is broken and the PKI blog writers aren’t responsive, so there is no chance to get the utility. Although I have this tool, it is useless a bit more than completely. This is because the utility just checked the leaf certificate for expiration without performing any additional checks.

A week ago I decided to make my own tool with “Black Jack and Hookers”. For a first attempt I asked myself to implement the following wishes:

  1. Validate the SSL certificate and validate all certificates in the chain for possible errors;
  2. Implement certificate expiration checking (as in the original tool). Certificate expiration should be checked for all certificates in the chain;
  3. When we connect to a host, it may decide to redirect us to another site. Say we connect to paypal.com and the server redirects us to www.paypal.com. The fact is that these two servers may use different certificates (as is the case for paypal.com). Therefore, the tool must process all redirects and collect certificate status information for all of them;
  4. Write a trace/debug log for each processed entry;
  5. Provide the ability to save the server list to a file and read the list from a file.

Read more →

Yesterday I released another version of PS Cmdlet Help Editor. It is a minor update that resolves several (not very critical) issues, redesigns internal code and adds support for PowerShell 4.0.

Two notable updates were made in this release:

1) Support Information tab

image

In this tab you can specify the basic requirements and platforms your module supports. When you save the help file, the support information (if it is enabled in the settings) is saved in the same folder with the following naming format: <ModuleName>.supports.xml. When you load your module next time, the editor attempts to find the appropriate file to fill this tab.


Read more →

Warning: this post is the shortest post in the entire blog.


Microsoft announced a deprecation policy for certificates signed with the SHA1 (sha1RSA) signature algorithm. The algorithm should not be used after January 1, 2016. US NIST Guidance has counseled that SHA1 should not be trusted past January 2014 for the higher level of assurance communications over the US Federal Bridge PKI.

More on Windows PKI weblog: SHA1 Deprecation Policy.

Many of you use IIS web servers in a corporate network for various purposes, for example, to host internal/external web sites, ADCS web services, OCSP, WSUS, and this list is very long. It is common to manage them all from a centralized place, for example, from the web server administrator’s computer. In other words, IIS servers are not managed directly from the console.

The problem

By default, IIS does not allow remote administration; you have to enable it by starting the Web Management Service (WMSVC) (and, likely, setting its start type to Automatic). OK, you started the service on a web server and attempt to connect to the server from a remote IIS management console:

Server Certificate Alert: The certificate was issued to a different server.


Read more →

In this article I will show the techniques used to determine effective permissions for a user or computer account on a certificate template.

The problem

When you open a certificate template in the Certificate Templates MMC snap-in (certtmpl.msc) or in ADSI Editor (adsiedit.msc) and switch to the Security tab, you will see the following:

image

When you click the Advanced button, you won’t see an Effective Permissions tab like in the NTFS permission editor:


Read more →