Hi, S-1-1-0!

Finally, I have finished another PowerShell PKI module release. This is not a significant release, but it is quite improved. During module usage (I'm using certutil.exe less and less) I found some bugs in the previous release. Now they are fixed (at least those that were reported). The most significant change is new functionality. There are three sets of cmdlets to manage the following CA settings:

Interface settings

Enrollment (ICertRequest3) and management (ICertAdmin2) interface management consists of four cmdlets:

The first cmdlet is used to retrieve the existing interface settings. Enable/Disable-InterfaceFlag is used to enable or disable a particular interface flag. Restore-InterfaceFlagDefault is used to restore the default settings. This is useful if you have misconfigured the interfaces and cannot operate your PKI in a normal way.

Key Recovery Agent (KRA) settings

KRA settings are used to configure CA behavior during the key archival process. For example, you can enable key archival for keys that were signed by a 3rd party CA. By default, a Windows CA denies archival requests for those keys. Or you can prevent key verification during key archival. By default, a Windows CA checks whether the keys to be archived are suitable. The CA just encrypts random data with one key (public or private) and tries to decrypt the data by using the second key (private or public). This flag (SaveBadRequestKey) can be useful if an incoming request uses a custom CSP that is not installed on the CA server. Everything depends on the final task. KRA setting management consists of four cmdlets:

The meaning of these cmdlets is the same as for interface settings — retrieve, enable/disable and restore default flags. For quick-typing purposes, I've added short aliases to call these commands.
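The key verification described above (encrypt random data with one key, decrypt with the other) can be illustrated with the following added example, which is not part of the module and not the CA's own implementation. The function name `Test-KeyPairMatch`, the use of RSA with OAEP padding, and the generated keys are assumptions made for illustration.

```powershell
# Added example: pairwise consistency check between a public and a private key.
# Test-KeyPairMatch is a hypothetical helper, not a PS PKI module cmdlet.
function Test-KeyPairMatch {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$PublicKey,
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$PrivateKey
    )
    $oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

    # Random challenge, so a result cannot be replayed from an earlier check.
    $challenge = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($challenge) } finally { $rng.Dispose() }

    # Encrypt with the public key taken from the request.
    $cipher = $PublicKey.Encrypt($challenge, $oaep)

    # Decrypt with the private key submitted for archival. A key that does not
    # belong to the public key fails OAEP decoding and throws.
    try {
        $plain = $PrivateKey.Decrypt($cipher, $oaep)
    }
    catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }

    # The pair is consistent only if the challenge survives the round trip.
    return [Convert]::ToBase64String($plain) -eq [Convert]::ToBase64String($challenge)
}

# Constructed sample keys (generated on the fly, not taken from any CA).
$requestKey = New-Object System.Security.Cryptography.RSACng 2048
$foreignKey = New-Object System.Security.Cryptography.RSACng 2048

# Public half only, as it would appear in a certificate request.
$publicOnly = New-Object System.Security.Cryptography.RSACng
$publicOnly.ImportParameters($requestKey.ExportParameters($false))

# Matching pair: the private key belongs to the public key in the request.
Test-KeyPairMatch -PublicKey $publicOnly -PrivateKey $requestKey

# Mismatched pair: an unrelated private key was submitted for archival.
Test-KeyPairMatch -PublicKey $publicOnly -PrivateKey $foreignKey
```

A check like this needs a provider on the CA that can load and use the submitted key, which is the situation the custom CSP remark above refers to.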

CRL settings

CRL settings determine CA server behavior during CRL publishing (when the CA constructs a new CRL) or certificate validation. There are a lot of settings; you can find them here. As with the previous settings, CRL setting management consists of four cmdlets:

For quick-typing purposes, I've added short aliases to call these commands.

Other cmdlets

I've also added several helper cmdlets:

Future plans

In a future release I'm planning to add CA role installation (implies the default CA installation UI wizard), extend the *-ExtensionList cmdlet to include mandatory extensions to publish in issued certificates, and add certificate template ACL management. I would love to implement new functionality, but due to the lack of time, I can't. Therefore I can't tell you when you can expect the next release, but I'll try to do it this year.

>> PS PKI Module v0.9.2 <<
