Hello S-1-1-0, CryptoGuy is back again. Recently I spent a lot of time on PowerShell Cmdlet Help Editor enhancements and didn't have enough time to write new posts. Now I'm taking a break from that and will continue blogging. Today I open a post series about managing Microsoft Online Responders (OCSP) with PowerShell.
Microsoft implemented OCSP server management via a number of COM interfaces which are directly instantiable. The entry point is IOCSPAdmin, whose ProgID is CertAdm.OCSPAdmin; all the other interfaces (service properties, revocation configurations and their properties) are reached through it.
We will start with checking service availability by calling the IOCSPAdmin::Ping method:
PS C:\> $ocsp = New-Object -ComObject CertAdm.OCSPAdmin
PS C:\> $ocsp

OCSPServiceProperties OCSPCAConfigurationCollection
--------------------- -----------------------------

PS C:\> $ocsp.Ping("dc2")
PS C:\>
If the method returns nothing, the service is up and available. If the method throws an error, the service is down (or unreachable, or you lack the permission to manage it; the exception message tells you which). Therefore Ping() calls in your scripts must be wrapped in try/catch or trap blocks, because the failure is a terminating error rather than a return value. Keep in mind that Ping only tells you whether the Online Responder service answers; whether a particular revocation configuration can actually retrieve its revocation data is reported per configuration in the ErrorCode property, which we will see below.
Currently both properties are empty, so we will call the IOCSPAdmin::GetConfiguration method to populate them (the second argument, $true, tells the method to read the configuration from the server and overwrite anything already loaded in the object):
PS C:\> $ocsp.GetConfiguration("dc2",$true)
PS C:\> $ocsp

OCSPServiceProperties OCSPCAConfigurationCollection
--------------------- -----------------------------
System.__ComObject    System.__ComObject

PS C:\> $ocsp.OCSPServiceProperties

Name                 Value Modified
----                 ----- --------
ArrayController      dc2   False
ArrayMembers         {dc2} False
AuditFilter          0     False
MaxNumOfCacheEntries 5001  False
NumOfThreads         50    False

PS C:\>
Here we see general information about the server: the array controller, the array members (in the given example there is only one member in the array) and global settings, which are not interesting right now. Now we can look at revocation configurations. They are stored in the OCSPCAConfigurationCollection property:
PS C:\> $ocsp.OCSPCAConfigurationCollection

Identifier                 : test
CACertificate              : {48, 130, 4, 78...}
HashAlgorithm              : SHA1
SigningFlags               : 97
SigningCertificate         : {48, 130, 3, 212...}
ReminderDuration           : 90
ErrorCode                  : 0
CSPName                    : Microsoft Software Key Storage Provider
KeySpec                    : 0
ProviderCLSID              : {4956d17f-88fd-4198-b287-1e6e65883b19}
ProviderProperties         : {BaseCrl, 48 130 2 119 48 130 1 95 2 1 1 48 13 6 9 42 134 72 134 247 13 1 1 11 5 0 48 71 49 19 48 17 6 10 9 146 38 137 147 242 44 100 1 25 22 3 99 111 109 49 23 48 21 6 10 9 146 38 137 147 242 44 100 1 25 22 7 99 111 110 116 111 115 111 49 23 48 21 6 3 85 4 3 19 14 99 111 110 116 111 115 111 45 68 67 50 45 67 65 23 13 49 52 48 51 50 49 48 57 48 55 48 57 90 23 13 49 52 48 51 50 56 49 48 50 55 48 57 90 48 58 48 27 2 10 32 26 29 24 0 2 0 0 1 129 23 13 49 48 49 50 50 52 49 56 48 49 48 48 90 48 27 2 10 31 211 64 105 0 2 0 0 1 126 23 13 49 48 49 50 50 52 49 56 48 49 48 48 90 160 129 167 48 129 164 48 31 6 3 85 29 35 4 24 48 22 128 20 157 253 252 170 197 187 38 226 196 154 213 208 75 93 106 97 10 138 186 67 48 18 6 9 43 6 1 4 1 130 55 21 1 4 5 2 3 2 0 2 48 11 6 3 85 29 20 4 4 2 2 19 78 48 28 6 9 43 6 1 4 1 130 55 21 4 4 15 23 13 49 52 48 51 50 56 48 57 49 55 48 57 90 48 66 6 3 85 29 46 4 59 48 57 48 55 160 53 160 51 134 49 104 116 116 112 58 47 47 119 119 119 46 99 111 110 116 111 115 111 46 99 111 109 47 112 107 105 47 99 111 110 116 111 115 111 45 68 67 50 45 67 65 40 50 41 43 46 99 114 108 48 13 6 9 42 134 72 134 247 13 1 1 11 5 0 3 130 1 1 0 90 149 112 17 6 149 222 13 149 122 162 111 228 95 183 147 194 213 36 219 162 168 115 81 67 14 54 43 185 170 87 217 191 168 222 33 23 191 88 28 234 133 75 204 250 6 146 90 152 232 48 176 143 3 24 2 81 143 158 19 125 215 122 12 174 239 96 41 186 156 139 130 173 221 57 155 121 39 214 208 161 134 233 44 162 167 113 149 242 68 25 237 214 55 158 5 57 71 35 233 133 57 198 235 143 45 242 73 222 178 172 63 142 180 116 106 201 224 161 155 193 33 77 88 180 178 10 185 22 1 180 59 103 149 9 36 49 166 33 33 32 62 141 229 119 133 23 65 31 239 119 157 219 224 147 2 3 129 198 120 56 237 103 206 95 52 190 167 23 183 123 152 48 189 68 113 253 64 210 53 241 166 176 170 250 159 77 64 245 249 93 174 154 20 246 237 156 154 230 204 114 86 114 253 184 119 76 218 79 76 16 194 229 224 138 26 64 227 71 214 188 174 74 174 56 87 244 172 184 84 238 84 10 161 236 195 142 73 0 85 66 57 105 132 184 209 211 82 150 202 233 182 32 185 68 1 87 89 58 215, BaseCrlUrls, http://www.contoso.com/pki/contoso-DC2-CA(2).crl...}
Modified                   : False
LocalRevocationInformation :
SigningCertificateTemplate :
CAConfig                   :

PS C:\>
Here we see a single revocation configuration and its settings. They are largely self-explanatory, but a few of them are not readable in this raw form. CACertificate and SigningCertificate are DER-encoded certificates exposed as byte arrays (the leading 48, 130 is the ASN.1 SEQUENCE header), so to inspect them you have to wrap them in System.Security.Cryptography.X509Certificates.X509Certificate2. SigningFlags is a bit mask of the OCSP_SF_* flags defined in certadm.h, which is why it shows up as a bare number (97 here). HashAlgorithm is the hash used to sign OCSP responses; SHA1, as in this example, is no longer an acceptable choice for a new deployment. ProviderProperties holds the revocation provider's settings, in this case the cached base CRL bytes (BaseCrl) and the list of CRL distribution points the responder downloads it from (BaseCrlUrls). ErrorCode is the status of the provider's last attempt to fetch that revocation data, with 0 meaning success.
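The script below is an added example and not code from the original post. It puts together the two things discussed above: it wraps IOCSPAdmin::Ping in try/catch so that a script gets a boolean instead of a terminating error, and it calls GetConfiguration and turns the opaque parts of each revocation configuration (the DER byte arrays and the SigningFlags bit mask) into something a reviewer can read. The server name dc2 is the one used throughout this post. The OCSP_SF_* values are my transcription of certadm.h from the Windows SDK and are an assumption you should verify against your copy of the header; with those values, the SigningFlags value 97 (0x61) shown above decodes to SILENT, MANUAL_ASSIGN_SIGNINGCERT and RESPONDER_ID_KEYHASH. The findings the script reports (SHA1 signing, signing with the CA key itself, no nonce support, a signing certificate about to expire, a provider error) are my own checklist, not something the post describes.

```powershell
# Added example: availability check plus a readable audit of every revocation
# configuration on a Microsoft Online Responder, using the CertAdm.OCSPAdmin COM object.
# ASSUMPTION: the OCSP_SF_* values below are transcribed from certadm.h in the
# Windows SDK; verify them against your SDK before relying on the decoded names.
$OcspSigningFlags = [ordered]@{
    OCSP_SF_SILENT                           = 0x001
    OCSP_SF_USE_CACERT                       = 0x002
    OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL    = 0x004
    OCSP_SF_FORCE_SIGNINGCERT_ISSUER_ISCA    = 0x008
    OCSP_SF_AUTODISCOVER_SIGNINGCERT         = 0x010
    OCSP_SF_MANUAL_ASSIGN_SIGNINGCERT        = 0x020
    OCSP_SF_RESPONDER_ID_KEYHASH             = 0x040
    OCSP_SF_RESPONDER_ID_NAME                = 0x080
    OCSP_SF_ALLOW_NONCE_EXTENSION            = 0x100
    OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT = 0x200
}

function Test-OcspResponder {
    # Returns $true when IOCSPAdmin::Ping succeeds. Ping returns nothing on success
    # and throws on failure, so try/catch is the only way to turn it into a value.
    param([Parameter(Mandatory)][string]$ComputerName)
    $ocsp = New-Object -ComObject CertAdm.OCSPAdmin
    try {
        $ocsp.Ping($ComputerName)
        return $true
    } catch {
        Write-Warning "Online Responder on $ComputerName is not responding: $($_.Exception.Message)"
        return $false
    }
}

function ConvertFrom-OcspSigningFlags {
    # Translates the SigningFlags bit mask into the OCSP_SF_* names that are set.
    param([int]$Flags)
    foreach ($entry in $OcspSigningFlags.GetEnumerator()) {
        if ($Flags -band $entry.Value) { $entry.Key }
    }
}

function Get-OcspRevocationConfigurationReport {
    # One report object per revocation configuration, with a list of findings.
    param([Parameter(Mandatory)][string]$ComputerName)
    if (-not (Test-OcspResponder -ComputerName $ComputerName)) { return }

    $ocsp = New-Object -ComObject CertAdm.OCSPAdmin
    # $true: read from the server and overwrite whatever the object already holds
    $ocsp.GetConfiguration($ComputerName, $true)

    foreach ($config in $ocsp.OCSPCAConfigurationCollection) {
        # CACertificate / SigningCertificate are raw DER byte arrays; wrap them so
        # that Subject, Thumbprint and NotAfter become available.
        $caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]([byte[]]$config.CACertificate)
        $signingCert = if ($config.SigningCertificate) {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]([byte[]]$config.SigningCertificate)
        }
        $flags = @(ConvertFrom-OcspSigningFlags -Flags $config.SigningFlags)

        # Reviewer checklist (my choices, not the responder's own diagnostics).
        $findings = @()
        if ($config.HashAlgorithm -eq 'SHA1') { $findings += 'responses are signed with SHA1' }
        if ($flags -contains 'OCSP_SF_USE_CACERT') { $findings += 'responses are signed with the CA key itself' }
        if ($flags -notcontains 'OCSP_SF_ALLOW_NONCE_EXTENSION') { $findings += 'nonce extension not supported (responses are replayable within their validity)' }
        if ($signingCert -and $signingCert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "signing certificate expires $($signingCert.NotAfter)" }
        if ($config.ErrorCode -ne 0) { $findings += ('revocation provider error 0x{0:X8}' -f $config.ErrorCode) }

        [pscustomobject]@{
            Identifier    = $config.Identifier
            CA            = $caCert.Subject
            SigningCert   = if ($signingCert) { $signingCert.Thumbprint }
            HashAlgorithm = $config.HashAlgorithm
            SigningFlags  = '0x{0:X} ({1})' -f $config.SigningFlags, ($flags -join ', ')
            Findings      = $findings
        }
    }
}

Get-OcspRevocationConfigurationReport -ComputerName 'dc2' | Format-List
```

Run it from a session that has permission to manage the responder; if Ping fails you get a warning and no report instead of a stack trace, which is the point of the try/catch. The Findings list is only as good as the flag table, so check the OCSP_SF_* values against certadm.h before acting on the decoded names.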
Ok, that was a brief overview of how to use the COM interfaces to retrieve information about OCSP server configuration and the revocation configurations it contains. In the next post we will create and add a new revocation configuration to the OCSP server directly from PowerShell. Stay tuned.