Hi, S-1-1-0!

Finally I have finished another PowerShell PKI module release. This is not a significant release, but is quite improved. During module usage (I'm using certutil.exe less an less) I found some bugs in the previous release. Now they are fixed (at least those that were reported). The most significant change is in a new functionality. There are 3 set of cmdlets to manage the following CA settings:

Interface settings

Enrollment (ICertRequest3) and management (ICertAdmin2) interface management consist of four cmdlets:

• Get-InterfaceFlag
• Enable-InterfaceFlag
• Disable-InterfaceFlag
• Restore-InterfaceFlagDefault

First cmdlet is used to retrieve existing interface settings. Enable/Disable-InterfaceFlag is used to enable or disable particular interface flag. Restore-InterfaceFlagDefault is used to restore default settings. This is useful if you have misconfigured interfaces and you cannot operate with your PKI in a normal way.

Key Recovery Agent (KRA) settings

KRA settings are used to configure CA behavior during key archival process. For example you can enable key archival for keys that were signed by 3rd party CA. By default, Windows CA denies archival request for those keys. Or you can prevent key verification during key archival. By default, Windows CA checks keys to be archived, whether they are suitable. CA just encrypts random data with one key (public or private) and tries to decrypt the data by using second key (private or public). This flag (SaveBadRequestKey) can be useful if incoming request uses custom CSP that is not installed on CA server. Everything depends on final tasks. KRA setting management consist of four cmdlets:

• Get-KeyRecoveryAgentFlag
• Enable-KeyRecoveryAgentFlag
• Disable-KeyRecoveryAgentFlag
• Restore-KeyRecoveryAgentFlagDefault

The meaning of these cmdlets is the same as for interface settings — retrieve, enable/disable and restore default flags. For quick-typing purposes, I've added short aliases to call these commands.

CRL settings

CRL settings determine CA server behavior during CRL publishing (when CA constructs new CRL) or certificate validation. There are a lot of settings, you can find them here. As previous settings, CRL setting management consist of four cmdlets:

• Get-CertificateRevocationListFlag
• Enable-CertificateRevocationListFlag
• Disable-CertificateRevocationListFlag
• Restore-CertificateRevocationListFlagDefault

For quick-typing purposes, I've added short aliases to call these commands.

Other cmdlets

Also I've added several helper cmdlets:

• Get-ErrorMessage — converts Win32 error codes do a human-readable text messages. Details are here: Retrieve text messages for Win32 errors
• Get-CryptographicServiceProviderCNG — retrieves CNG crypto providers that implements key storage provider and CNG algorithms. Read this article for details: Get registered CNG CSPs on the system
• Show-CertificateRevocationList — just displays CRL object in a UI window.

Future plans

In the future release I'm planning to add CA role installation (implies default CA installation UI wizard), extend *-ExtensionList cmdlet to include mandatory extensions to publish in issued certificates and certificate template ACL management. I would love to implement new functionality, but due of the lack of time, I can't. Therefore I can't tell you when you can expect next release, but I'll try till this year.

>> PS PKI Module v0.9.2 <<