Hi, S-1-1-0!

Finally I have finished another PowerShell PKI module release. This is not a significant release, but is quite improved. During module usage (I'm using certutil.exe less an less) I found some bugs in the previous release. Now they are fixed (at least those that were reported). The most significant change is in a new functionality. There are 3 set of cmdlets to manage the following CA settings:

Interface settings

Enrollment (ICertRequest3) and management (ICertAdmin2) interface management consist of four cmdlets:

SYMPTOMS

Consider the following scenario. You have Windows Server 2003 with installed Certification Authority and Web Enrollment components. When you try to access web enrollment pages from a Windows Vista-based (or newer) computer you receive a message box:

Hi S-1-1-0! Today's topic is described in the post header :)

I guess most of you have encountered with some application/system issues. Sometimes the only information you have is Win32 error code and nothing else. To find a text message for particular error you usually use Google/Bing and/or other tools, like Err.exe from Windows Server 2003 Resource Kit. Yesterday I wrote a PowerShell script that will convert Win32 error code to a readable text. The code uses FormatMessage() WinAPI function. Here is a known limitation, this function doesn't handle network-related errors (that are defined in wininet.h header file). Hopefully my script resolves this limitation by adding a reference to the wininet.dll library when it is necessary. Here is a code snippet:

As you may know a DigiNotar CAs was compromised due of some reasons (one, two). Microsoft have decided to break DigiNotar CAs trust at all — http://support.microsoft.com/kb/2607712. Trust breaking is performed as follows:

1. DigiNotar CA certificates are removed from Windows Update;
2. DigiNotar CA certificates are removed from crypt32.dll on Windows Vista+;
3. DigiNotar CA certificates are moved from Trusted Root CAs container to Untrusted Certificates.

Today I want to discuss one question about CA certificate validity and how this can be changed.

Issue background

A little abstract. When you install Windows Certification Authority the default value is 5 years. It is quite long period and many young administrators leave default value (especially if they are not very experienced in certificate services). After a time it appears that 5 years is too short validity for CA certificate and administrators lookups for a resolution.