Posts on this page:
- PowerShell PKI Module v3.2.6 is out!
- PowerShell 5.0 and Applocker. When security doesn’t mean security (part 2)
- PowerShell 5.0 and Applocker. When security doesn’t mean security
- PowerShell PKI Module v3.2.5 is released!
- How to convert PEM to PFX in PowerShell (revisited)
Hello S-1-1-0!
After three months since PSPKI module v3.2.5 was released I received a number of unfortunate bugs (which weren’t tested very well from my side) and other issues. So I decided to address them while I have some spare time. In addition, I made an attempt to provide new functionality I really missed in the module.
This release is intended to make the module more stable and less buggy. In some aspects it become faster.
Bug Fixes
I have fixed a number of private bugs (found by myself) and publically reported bugs:
- https://pspki.codeplex.com/workitem/96
- https://pspki.codeplex.com/workitem/95
- https://pspki.codeplex.com/workitem/93 – I reported this bug as fixed in v3.2.5, however, there was another code path where this issue wasn’t fixed. So I reopened the bug. Now it is completely fixed. I believe so :)
- Set-CertificateExtension problem with naming constraint and certificate policies extensions
For detailed change logs and privately reported issues see:
Read more →
In the previous post, I tried to explain some inconsistences in the current implementation of Constrained PowerShell feature that is introduced in PowerShell 5.0: PowerShell 5.0 and Applocker. When security doesn’t mean security. After having a long email and twitter conversations I realized that many of readers blame me for being against Constrained PowerShell feature. It is not true. In this post, I would like to summarize what is going wrong now and how it should work in my opinion.
Read more →
Problem description
A friend of mine asked why his PowerShell scripts (PowerShell profile) doesn’t execute properly in after upgrading to PowerShell 5.0. A brief investigation showed that interactive PowerShell console runs in Constrained Language mode, as the result many language features are stripped out and PowerShell profile isn’t loaded with the following error:
Windows PowerShell Copyright (C) 2015 Microsoft Corporation. All rights reserved. C:\Users\vpodans\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 : Cannot dot-source this command because it was defined in a different language mode. To invoke this command without importing its contents, omit the '.' operator. At line:1 char:1 + . 'C:\Users\vpodans\Documents\WindowsPowerShell\Microsoft.PowerShell_ ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [Microsoft.PowerShell_profile.ps1], NotSupportedException + FullyQualifiedErrorId : DotSourceNotSupported,Microsoft.PowerShell_profile.ps1 PS C:\Users\vpodans> [math]::Sqrt(1) Cannot invoke method. Method invocation is supported only on core types in this language mode. At line:1 char:1 + [math]::Sqrt(1) + ~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [], RuntimeException + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage PS C:\Users\vpodans> $ExecutionContext.SessionState.LanguageMode ConstrainedLanguage PS C:\Users\vpodans>
Read more →
I’m glad to announce another version of PowerShell PKI module release.
What’s new?
This release includes major internal code changes with new functionality.
- Code reorganization
At first, I completely separated Abstract Syntax Notation (ASN.1) code from main library to a dedicated DLL: SysadminsLV.Asn1Parser.dll. As I mentioned in one of previous posts, PKI.Core.dll and ASN parser are opensourced on GitHub: pkix.net and Asn1DerParser.NET.
Read more →
Hello everyone!
Some time ago I wrote a script that converts PEM file to CryptoAPI compatible format: How to convert PEM file to a CryptoAPI compatible format. The script involves some non-PowerShell commands (certutil) which associates private key with a certificate instance. I received several feedback comments about avoiding certutil in favor of native PowerShell/.NET managed code. In this post I want to show some code that eliminates certutil from the script.
Just to recall what we generally do when converting PEM to X509Certificate2/PFX:
- Read the certificate information from PEM file and instantiate a X509Certificate2 object;
- Read PKCS#1 or PKCS#8 private key;
- Convert PKCS#1/PKCS#9 private key to CryptoAPI PRIVATEKEYBLOB;
- Associate PRIVATEKYEBLOB with an X509Certificate2 instance.
Read more →