For one of my project I was required to encode and decode CA certificate "CA Version" extension. The biggest problem is that there are no .NET or CryptoAPI interfaces that can do it.

CA Version abstract

CA Version extension is private Microsoft certificate extension and used in Windows PKI only. In addition, this extension exist only in CA certificate (where CA Type property of Basic Constraints extension is set to CA = True). End entity certificates never contains this extension. Main purpose of this certificate is to simplify CA server lifecycle. Sometimes CA certificate become expired and there are two choices to continue the work: build new CA from scratch or renew CA certificate (see related discussion about CA certificate renewal: Root CA certificate renewal). Though there are certain cases when CA requires to renew its own certificate prior to expiration. As the result CA server will maintain two signing certificates. Windows CA MUST publish CRLs for each valid signing key (not a certificate!). Since CA certificate can be renewed with existing key pair it is possible when CA server maintains multiple CA certificates and single CRL. Or CA server can maintain four CA certificates. Here is a great article that describes how CA Version extension works — Certification Authority Renewal.

Time at time I need to resolve Object Identifier (OID) to human-readable friendly name or get an OID if its OID is known. There are a lot of OIDs that are used in Internet PKI. In addition there may be custom OIDs that are defined (registered) within certain Active Directory forest. I can't remember all these OIDs and need a way to translate (or resolve) them. Even there are some online resources that provide a search in the OID tree. My favorite resource is: OID assignments from the top node. You can explore each tree and learn a bit more about OID structure. However these resources don't provide flexible way to automate this search. For example, I have OID = 1.3.6.1.5.5.7.3.1, but I don't know this OID friendly name. We can manually search this OID at such libraries and get the following output: id_kp_serverAuth. And if I need to get OCSP Signing OID. This task is harder. Fortunately there is a way to perform this translation in both directions: OID <—> Friendly Name.

Surprise, it's me again! Today I have finished network share management module for PowerShell. I want to thank Shay Levy who helped me with module-related stuff.

With this module you will be able to:

• List share (or shares) from local or from remote computers;
• Create new share with various settings;
• Remove share (actually this not remove folder itself, but stops sharing);
• Add/Set/Remove share permissions (note that share permissions and NTFS rights are not the same).

Here are module installation instructions:

Update 04.08.2018: clarified behavior on timestamping certificate revocation

Hello again! Today I would like to discuss about digital signatures and signature usage questions.

A very short introduction to digital signatures

As you know the signature guarantees that the electronic document wasn't changed after signing process. This is a useful feature for sensitive data that may be changed during transfer over network. For example, Internet. There is one well-known attack named Man In The Middle (MITM). In MITM, malicious user intercepts document change some data and transfer to the original recipient. If the document is originally signed (by sender) the recipient will attempt to validate document signature and will see that the document was changed during data transmission. This would invalidate the document.

In real world digital signatures are used very often and use asymmetric encryption/decryption processes.

Update 22.10.2017: updated use-case recommendations based on best practices.

Update 27.06.2018: added commands

In this article I will discuss about Root CA certificate renewal with new and existing key pair. At first we discuss about CA certificate renewal with existing key pair.

Renewal with existing key pair

When you renew CA certificate with existing key pair, nothing important in certificate is changed. The certificate will contain the same public and private key. As the result all previously issued certificates will chain up to new CA cert without any changes. You just replace old CRT file in AIA download locations. In addition, new CA cert ValidFrom (NotBefore) field will contain the value when existing CA key pair was generated. For example, old CA cert has ValidFrom (NotBefore) = 08.10.2000 and ValidTo (NotAfter) 08.10.2010. When you renew CA cert with existing key pair new certificate will have following values: ValidFrom (NotBefore) 08.10.2000 and ValidTo (NotAfter) 08.10.2020. In other words this renewal just increases current CA certificate validity period. In addition new CA cert introduces one new extension: Preious CA certificate hash that will contains preious certificate Thumbprint extension value. And changes another extension: CA Version. Let's take a look to a CA Version extension.