Hello again! Sorry for issues accessing my blog, there was some problems with hosting provider. Now all is fixed (I believe it).

Probably you don't know (but is known for my Russian's blog readers) but I spent a lot of time to automate certain common PKI tasks with Windows PowerShell, the best automation tool. I've started this project about 2 years ago. Since that time I've deeply dived to PKI with some good experience in PowerShell (I already was PS MVP). And this blog contains several PKI automation examples that are included in my new project (and will be included in future). The most reasonable thing why I had started this project was certutil. Even if this is very powerful tool, but not optimized for scripting and automation scenarios. This is because it is necessary to parse complex command's output. Also certutil lacks in command help. Command switches are not user-friendly and mostly don't provide extended help information and usage examples. The biggest PowerShell advantage is pipeline. This allows you to collect certain data, modify it as necessary and pass to another command with a single line. For example, you have implemented OCSP responder for your Enterprise CAs and need to configure them to include OCSP URL to issued certificates AIA extension. There are 2 choices:

  1. Manually configure new URLs in Certification Authority MMC snap-in for each CA;
  2. Retrieve by certutil (or directly modify corresponding registry key) existing AIA locations, edit them in notepad, compose them to a correct format and pass them to another certutil command. To apply these changes you need to restart CA service (not server).

But what about a command (actually sequence of a command) like this:

Get-CertificationAuthority | Get-AIA | Add-AIA –URI "32:http://ocsp.adatum.com" | Set-AIA –RestartCA

Even if command name is quite long, you may use tab completion, when you type part of desired command and PowerShell will automatically complete it by pressing Tab key. This command is well structured and you understand what exactly happens: retrieves CA server object, extracts existing AIA extension settings, adds new one and writes back to a CA configuration. Pipeline allows you to process many objects at a time. In a given example, you will add new OCSP URL to *all* Enterprise CA servers (it is common when single OCSP or OCSP cluster hosts service for multiple CA servers). But it is possible to specify particular CA server (use self-explanatory parameters: –ComputerName or –CAName). As '-RestartCA' switch is specified, the command will automatically restart CA services on processed CA servers.

Certutil certainly is not easy to manage remote servers, because you always need to specify full configuration string (CAComputerName\CAName). This is a way, but impractical. As a part of my module features I'm trying to provide less-typing solution. As the result you don't need to remember your CA's configuration strings or copy/paste for each certutil usage.

And now I'm ready to present you my first PowerShell PKI module that contains command for the most common CA server management tasks that is published on codeplex:

>> Public Key Infrastructure PowerShell module <<

Share this article:


Unknown Identity

Hello Vadim thank you for the great module. I'd started the same, but did not advance that far. I allowed myself to copy some functions into my module and found (until know), one little "bug" in function Get-RequestRow. When you add NoteProperties, you are checking if the certificateTemplate attribute contains an OID to convert it to a friendly name. The issue is, that the attribute does not yet exist and therefore an error is thrown. I changed lines 79 to 81 from: if ($Cert.CertificateTemplate -match "^(\d\.){3}") { $cert.CertificateTemplate = ([Security.Cryptography.Oid]$Column.GetValue(1)).FriendlyName } TO if ( $current -eq "CertificateTemplate" ) { if ( $cert.CertificateTemplate -match "^(\d\.){3}" ) { $cert.CertificateTemplate = ([Security.Cryptography.Oid]$Column.GetValue(1)).FriendlyName } } patrick -at- sczepanski -dot- com

Unknown Identity

PowerShell must not trow exception for non-existent properties, unless you try to assign a value for this property. As the result if property does not exist, IF statement returns False and do not process this scriptoblock.

Post your comment:

Please, solve this little equation and enter result below. Captcha