Hello S-1-1-0, CryptoGuy is back again. Recently I spent a lot of time on PowerShell Cmdlet Help Editor enhancements and didn't have enough time to write new posts. Now I'm taking a break and will continue blogging. Today I open a post series about managing Microsoft Online Responders (OCSP) with PowerShell.

Underlying API

Microsoft implemented OCSP server management via a number of COM interfaces which are directly instantiable:

Getting basic information

First, we check service availability by calling the IOCSPAdmin::Ping method:

PS C:\> $ocsp = New-Object -ComObject CertAdm.OCSPAdmin
PS C:\> $ocsp

OCSPServiceProperties                                       OCSPCAConfigurationCollection
---------------------                                       -----------------------------



PS C:\> $ocsp.Ping("dc2")
PS C:\>

If the method returns nothing, the service is up and available. If the method throws an error, the service is down. Therefore, Ping() calls in your scripts must be wrapped in try/catch or trap blocks.

Currently both properties are empty, so we call the IOCSPAdmin::GetConfiguration method to populate them:

PS C:\> $ocsp.GetConfiguration("dc2",$true)
PS C:\> $ocsp

OCSPServiceProperties                                       OCSPCAConfigurationCollection
---------------------                                       -----------------------------
System.__ComObject                                          System.__ComObject


PS C:\> $ocsp.OCSPServiceProperties

Name                                    Value                                                                  Modified
----                                    -----                                                                  --------
ArrayController                         dc2                                                                       False
ArrayMembers                            {dc2}                                                                     False
AuditFilter                             0                                                                         False
MaxNumOfCacheEntries                    5001                                                                      False
NumOfThreads                            50                                                                        False


PS C:\>

Here we see general information about the server: the array controller, the array members (in the given example there is only one member in the array) and global settings, which are not interesting right now. Now we can look at revocation configurations, which are stored in the OCSPCAConfigurationCollection property:

PS C:\> $ocsp.OCSPCAConfigurationCollection

Identifier                 : test
CACertificate              : {48, 130, 4, 78...}
HashAlgorithm              : SHA1
SigningFlags               : 97
SigningCertificate         : {48, 130, 3, 212...}
ReminderDuration           : 90
ErrorCode                  : 0
CSPName                    : Microsoft Software Key Storage Provider
KeySpec                    : 0
ProviderCLSID              : {4956d17f-88fd-4198-b287-1e6e65883b19}
ProviderProperties         : {BaseCrl, 48 130 2 119 48 130 1 95 2 1 1 48 13 6 9 42 134 72 134 247 13 1 1 11 5 0 48 71 4
                             9 19 48 17 6 10 9 146 38 137 147 242 44 100 1 25 22 3 99 111 109 49 23 48 21 6 10 9 146 38
                              137 147 242 44 100 1 25 22 7 99 111 110 116 111 115 111 49 23 48 21 6 3 85 4 3 19 14 99 1
                             11 110 116 111 115 111 45 68 67 50 45 67 65 23 13 49 52 48 51 50 49 48 57 48 55 48 57 90 2
                             3 13 49 52 48 51 50 56 49 48 50 55 48 57 90 48 58 48 27 2 10 32 26 29 24 0 2 0 0 1 129 23
                             13 49 48 49 50 50 52 49 56 48 49 48 48 90 48 27 2 10 31 211 64 105 0 2 0 0 1 126 23 13 49
                             48 49 50 50 52 49 56 48 49 48 48 90 160 129 167 48 129 164 48 31 6 3 85 29 35 4 24 48 22 1
                             28 20 157 253 252 170 197 187 38 226 196 154 213 208 75 93 106 97 10 138 186 67 48 18 6 9
                             43 6 1 4 1 130 55 21 1 4 5 2 3 2 0 2 48 11 6 3 85 29 20 4 4 2 2 19 78 48 28 6 9 43 6 1 4 1
                              130 55 21 4 4 15 23 13 49 52 48 51 50 56 48 57 49 55 48 57 90 48 66 6 3 85 29 46 4 59 48
                             57 48 55 160 53 160 51 134 49 104 116 116 112 58 47 47 119 119 119 46 99 111 110 116 111 1
                             15 111 46 99 111 109 47 112 107 105 47 99 111 110 116 111 115 111 45 68 67 50 45 67 65 40
                             50 41 43 46 99 114 108 48 13 6 9 42 134 72 134 247 13 1 1 11 5 0 3 130 1 1 0 90 149 112 17
                             6 149 222 13 149 122 162 111 228 95 183 147 194 213 36 219 162 168 115 81 67 14 54 43 185
                             170 87 217 191 168 222 33 23 191 88 28 234 133 75 204 250 6 146 90 152 232 48 176 143 3 24
                             2 81 143 158 19 125 215 122 12 174 239 96 41 186 156 139 130 173 221 57 155 121 39 214 208
                              161 134 233 44 162 167 113 149 242 68 25 237 214 55 158 5 57 71 35 233 133 57 198 235 143
                              45 242 73 222 178 172 63 142 180 116 106 201 224 161 155 193 33 77 88 180 178 10 185 22 1
                              180 59 103 149 9 36 49 166 33 33 32 62 141 229 119 133 23 65 31 239 119 157 219 224 147 2
                             3 129 198 120 56 237 103 206 95 52 190 167 23 183 123 152 48 189 68 113 253 64 210 53 241
                             166 176 170 250 159 77 64 245 249 93 174 154 20 246 237 156 154 230 204 114 86 114 253 184
                              119 76 218 79 76 16 194 229 224 138 26 64 227 71 214 188 174 74 174 56 87 244 172 184 84
                             238 84 10 161 236 195 142 73 0 85 66 57 105 132 184 209 211 82 150 202 233 182 32 185 68 1
                             87 89 58 215, BaseCrlUrls, http://www.contoso.com/pki/contoso-DC2-CA(2).crl...}
Modified                   : False
LocalRevocationInformation :
SigningCertificateTemplate :
CAConfig                   :



PS C:\>

Here we see a single revocation configuration and its settings. Although they are self-explanatory, here is a brief description of each property:

  • Identifier — the revocation configuration's friendly name;
  • CACertificate — the CA certificate (as a DER-encoded byte array) associated with the configuration;
  • HashAlgorithm — the name of the hash algorithm the OCSP server uses to sign responses;
  • SigningFlags — a bitwise-OR combination of the flags described in this article: http://msdn.microsoft.com/en-us/library/windows/desktop/aa386387(v=vs.85).aspx
  • SigningCertificate — the signing certificate used to sign responses;
  • ReminderDuration — the percentage of the signing certificate's validity period at which a warning event is logged in the EventLog; when the elapsed validity of the signing certificate reaches this percent, an event is logged that the certificate is about to expire;
  • ErrorCode — the HRESULT status of the configuration. It is zero when everything is OK; a non-zero value indicates a problem with the configuration;
  • CSPName — the name of the provider associated with the signing certificate;
  • KeySpec — the KeySpec value (either AT_Exchange or AT_Signature) for the signing key;
  • ProviderCLSID — the revocation provider ID. Theoretically, Microsoft OCSP Server can work with different revocation providers. When you use the default (CRL-based) revocation provider, the CLSID must be {4956d17f-88fd-4198-b287-1e6e65883b19};
  • ProviderProperties — revocation provider properties, such as CRL URLs and cache update duration. We will deal with this property in the next posts. Here I want to note that this property contains a two-dimensional array where the first element of each entry is the provider property name and the second element is the property value;
  • LocalRevocationInformation — may contain an unsigned CRL with user-defined revoked certificates. That is, you can manually add revoked certificates to the revocation configuration even if they are not listed in the referenced CRL; in this case OCSP reports "Revoked" when the requested serial number is listed in this property. The property is a DER-encoded byte array;
  • SigningCertificateTemplate — the template name when the revocation configuration uses a certificate template to obtain and auto-renew the signing certificate;
  • CAConfig — an Enterprise CA's configuration string.
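As an added example, not code from the original post, the following script wraps the calls shown above into a small health report: it pings the responder inside try/catch, loads the configuration, decodes each configuration's CA certificate and flags entries whose ErrorCode, provider CLSID, signing certificate or hash algorithm look wrong. The server name dc2 and the provider CLSID come from the post; handling ProviderProperties as either nested or flattened name/value pairs is an assumption.

```powershell
# Added example, not code from the original post. Assumes the CertAdm.OCSPAdmin COM
# object and the Online Responder name "dc2" used in the post.
$CrlProviderClsid = '{4956d17f-88fd-4198-b287-1e6e65883b19}'   # default CRL-based provider

function Get-OcspConfigurationReport {
    param([Parameter(Mandatory)][string]$ComputerName)
    $ocsp = New-Object -ComObject CertAdm.OCSPAdmin
    # Ping() returns nothing when the service is up and throws when it is down,
    # so it has to be wrapped in try/catch.
    try { $ocsp.Ping($ComputerName) }
    catch { Write-Warning "Online Responder on $ComputerName is unreachable: $($_.Exception.Message)"; return }
    # Populate OCSPServiceProperties and OCSPCAConfigurationCollection.
    $ocsp.GetConfiguration($ComputerName, $true)

    foreach ($cfg in $ocsp.OCSPCAConfigurationCollection) {
        # CACertificate is a DER-encoded byte array; decode it to get subject and expiry.
        $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$cfg.CACertificate)
        # ProviderProperties holds (name, value) pairs. PowerShell may hand the array back
        # either as nested pairs or flattened (assumption); handle both shapes.
        $props = @{}
        $raw = @($cfg.ProviderProperties)
        if ($raw.Count -gt 0 -and $raw[0] -is [array]) {
            foreach ($pair in $raw) { $props[[string]$pair[0]] = $pair[1] }
        } else {
            for ($i = 0; $i + 1 -lt $raw.Count; $i += 2) { $props[[string]$raw[$i]] = $raw[$i + 1] }
        }
        # Checks a defender wants before trusting this responder's answers.
        $issues = @()
        if ($cfg.ErrorCode -ne 0)                     { $issues += ('ErrorCode 0x{0:X8}' -f $cfg.ErrorCode) }
        if ($cfg.ProviderCLSID -ne $CrlProviderClsid) { $issues += "non-default provider $($cfg.ProviderCLSID)" }
        if (-not $cfg.SigningCertificate)             { $issues += 'no signing certificate' }
        if ($cfg.HashAlgorithm -eq 'SHA1')            { $issues += 'responses signed with SHA1' }
        if (-not $props['BaseCrlUrls'])               { $issues += 'no BaseCrlUrls configured' }

        [pscustomobject]@{
            Identifier  = $cfg.Identifier
            CA          = $ca.Subject
            CAExpires   = $ca.NotAfter
            BaseCrlUrls = $props['BaseCrlUrls']
            Issues      = $(if ($issues) { $issues -join '; ' } else { 'OK' })
        }
    }
}

Get-OcspConfigurationReport -ComputerName dc2 | Format-Table -AutoSize
```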

OK, we have just had a brief look at how to use COM interfaces to retrieve information about the OCSP server configuration and its revocation configurations. In the next post we will create and add a new revocation configuration to the OCSP server directly from PowerShell. Stay tuned.

