Yesterday I published another version of my PowerShell PKI module.

Reached milestone

First, an important notice about this release. This is the last release that is compiled (the underlying API in PKI.Core.dll) against .NET Framework 2.0. The next release will require .NET Framework 4.0, because I want to get rid of some internal helpers and replace them with LINQ expressions, and I'd like to use new features of .NET 4.0 itself.

In addition, this is the last release that supports certification authorities running on Windows Server 2003-based computers. New commands (added in future releases) will not guarantee Windows Server 2003 support.

Existing changes

The following changes are made in existing commands (without breaking their behavior or syntax):

These commands now support the EnrollmentPolicyServer parameter, which accepts an enrollment policy service endpoint object (returned by Get-EnrollmentPolicyServerClient). This means that you can submit certificate requests to, and retrieve issued certificates from, a CA server either via DCOM or via XML over HTTPS (the enrollment web services).

The Group parameter can be used when you want to retrieve an object identifier from a specific OID group. If no group is specified, or AllGroups is specified, the command searches for the requested identifier in all groups.

I completely finished the Oid2 extension class and moved the extended OID operations into it. Get-ObjectIdentifierEx, Register-ObjectIdentifier and Unregister-ObjectIdentifier now return the unified Oid2 object class. In addition, Unregister-ObjectIdentifier accepts an Oid2 object as its input object instead of the stub OidInfo parameter.

As per customer requests, I added an Online switch to Start-PsFCIV, which calculates hashes and outputs them to the console. This switch does not use the XML database; it just calculates the hashes and outputs them. In addition, I significantly updated the XML-related code: the XML routine now uses a .NET serializer/deserializer, and the XML database is held in List<T> collections for performance reasons.

  • Major ASN.1 processor code update

I upgraded the ASN.1 parser code to meet my internal project requirements. It is now adapted to build ASN.1 trees easily.

As per customer requests, I added support for running the module in remote sessions. However, the caller is responsible for proper credential delegation: commands that contact a CA from inside a remote session make a second network hop, so the caller has to enable Kerberos credential delegation for the remote server, or use CredSSP to pass the existing credentials to it. I will not support issues caused by "AccessDenied" errors in remote sessions.
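The CredSSP variant of that second-hop setup, as an added example that is not part of the original post or the module. It assumes the module is installed on a management host mgmt.contoso.com under the module name PSPKI, a CA named dc2* (the pattern used later in this post), and an account CONTOSO\pkiadmin; all of these are placeholders.

```powershell
# Added example (not from the original post). Host, CA and account names are placeholders.

# --- on the client (the workstation running the script) ---
# Allow this client to delegate fresh credentials to the named host only.
# Do not use "*" here: CredSSP hands the remote host a reusable copy of your
# credentials, so delegate only to hosts you would trust with your password.
Enable-WSManCredSSP -Role Client -DelegateComputer "mgmt.contoso.com" -Force

# --- on the management host (run once, as an administrator) ---
# Enable-WSManCredSSP -Role Server -Force

# --- back on the client ---
$cred    = Get-Credential "CONTOSO\pkiadmin"
$session = New-PSSession -ComputerName "mgmt.contoso.com" -Authentication Credssp -Credential $cred

# Without delegation the second hop (mgmt -> CA over DCOM) carries no usable
# identity and the CA answers with AccessDenied; with CredSSP the remote side
# holds the credential and the DCOM call is authenticated as pkiadmin.
Invoke-Command -Session $session -ScriptBlock {
    Import-Module PSPKI
    Get-CertificationAuthority dc2* | Get-CACryptographyConfig
}

Remove-PSSession $session
# Revoke the client-side delegation once the task is done.
Disable-WSManCredSSP -Role Client
```

Kerberos delegation (marking the management host as trusted for delegation to the CA's service) avoids shipping the password at all and is the better long-term choice; CredSSP is the quick route when you control both ends and restrict the DelegateComputer list.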

New commands

Previously I used two commands to enumerate installed CSPs, one for legacy CSPs (CAPI1) and one for CNG providers. The new command merges both; it also moves away from unmanaged functions to the CertEnroll COM interfaces. Therefore, Get-CryptographicServiceProvider and Get-CryptographicServiceProviderCNG are considered deprecated and not recommended for use (although they remain for compatibility purposes).
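To show what "CertEnroll COM interfaces" buys over the two separate unmanaged-API commands, here is an added example (not the module's own code) that lists every installed provider, legacy and CNG together, through the X509Enrollment.CCspInformations COM class. It needs Windows Vista / Server 2008 or later, where CertEnroll ships.

```powershell
# Added example (not from the original post): enumerate all installed providers
# via CertEnroll (ICspInformations / ICspInformation) instead of CryptEnumProviders
# and NCryptEnumStorageProviders separately.
$csps = New-Object -ComObject X509Enrollment.CCspInformations
$csps.AddAvailableCsps()    # populate the collection from the local machine

$csps | Select-Object Name,
    # LegacyCsp is $true for CAPI1 providers and $false for CNG key storage providers
    @{ n = "Type";       e = { if ($_.LegacyCsp) { "CAPI1" } else { "CNG" } } },
    IsSmartCard, IsHardwareDevice,
    # algorithm names the provider advertises (RSA, ECDSA_P256, SHA256, ...)
    @{ n = "Algorithms"; e = { ($_.CspAlgorithms | ForEach-Object { $_.Name }) -join ", " } } |
    Sort-Object Type, Name |
    Format-Table -AutoSize
```

The CspAlgorithms column is the practical reason to prefer this path: it tells you, per provider, whether a SHA-2 hash or an ECC curve is available before you pick the provider for a CA or a certificate template.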

This command (Get-IssuedCRL) retrieves issued CRLs and their details from the CA database. While CRL files are overwritten each time a CRL is published, every issued CRL is also stored in the CA database, so you can retrieve any specific CRL issued since the CA server was installed. Another purpose is CA database cleanup (not yet implemented): if your CA has been running for many years and has issued a lot of large CRLs, you can reduce the CA database size by removing old CRLs from the database, along with unnecessary certificates and requests from the main table.

These commands manage the public key and hashing algorithms the CA server uses when signing certificates and CRLs. When you call Get-CACryptographyConfig, you will see the following:

PS C:\> get-ca dc2* | Get-CACryptographyConfig

Name                        : contoso-DC2-CA
DisplayName                 : contoso-DC2-CA
ComputerName                : dc2.contoso.com
PublicKeyAlgorithm          : 1.2.840.113549.1.1.1 (RSA)
HashingAlgorithm            : 2.16.840.1.101.3.4.2.1 (sha256)
ProviderName                : Microsoft Software Key Storage Provider
AlternateSignatureAlgorithm : False
ProviderIsCNG               : True
IsModified                  : False

PS C:\>

When necessary, you can change the writable properties of this object. For example, you can change the HashingAlgorithm property to change the signature algorithm. Many companies are moving to the SHA-2 algorithm suite, so you just provide the new algorithm name (or its OID) and pass the object to Set-CACryptographyConfig to save the change. Make sure the CA's key provider supports the chosen hash (a CNG key storage provider does; legacy CSPs vary). Remember that the CA service must be restarted before the change takes effect; this can be done with the -RestartCA switch. Only certificates and CRLs signed after the restart use the new algorithm. The remaining properties are read-only.
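The SHA-2 migration described above as an added example (not the original post's own code). It reuses the dc2* CA name pattern and the contoso-DC2-CA / dc2.contoso.com names from the output shown earlier; PSPKI as the module name, and HashingAlgorithm being an Oid-typed property, are assumptions.

```powershell
# Added example (not from the original post): switch a CA from SHA-1 to SHA-256 signing.
Import-Module PSPKI   # assumed module name
$config = Get-CertificationAuthority dc2* | Get-CACryptographyConfig

# Check the provider before changing anything: the hash must be supported by the
# provider holding the CA key (ProviderIsCNG = True means a CNG key storage provider).
$config | Format-List HashingAlgorithm, ProviderName, ProviderIsCNG

# Assign the new algorithm. The post says a name or an OID string is accepted;
# an Oid object is built explicitly here (assumption: the property is Oid-typed).
$config.HashingAlgorithm = New-Object System.Security.Cryptography.Oid "sha256"
$config.IsModified        # now True

# Persist and restart the CA service so the new hash is used immediately.
# Already issued certificates and CRLs keep their existing signatures.
$config | Set-CACryptographyConfig -RestartCA

# Independent check against the registry value the CA service actually reads
# (CNGHashAlgorithm for CNG providers; legacy CSPs use HashAlgorithm instead).
certutil -config "dc2.contoso.com\contoso-DC2-CA" -getreg ca\csp\CNGHashAlgorithm
```

Switching the hash does not re-sign the CA's own certificate; if the CA certificate itself is SHA-1 signed, that is addressed by renewing it, not by this setting.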

Roadmap

I have the following plans for expanding the module:

  • Move the code to .NET Framework 4.0;
  • provide cmdlets for SMTP Exit Module management;
  • provide cmdlets for Online Responder management;
  • work on existing functionality aligning.

Now I'm switching to PS Cmdlet Help Editor enhancements. I have already reworked the UI design in a private build (moving from fixed-length controls to dynamically expandable ones, so editor fields take all available screen space). The following items are added to the roadmap:

  • Provide CodePlex API support to upload help file information to CodePlex automatically;
  • Provide BB-code support for HTML rendering. That is, you will be able to provide additional HTML formatting for HTML output. BB-codes won’t be rendered in the XML help file.

And, as usual:

>> PowerShell PKI Module v2.8 <<



Comments:

Chipeater

Hi Vadims. Looking forward to trying out the updates. Simplifying retrieval of old CRLs with Get-IssuedCRL is going to be very useful for me. Thanks for your efforts. SMTP exit module management would be a great idea - the current method for configuring is rather "crude". One enhancement suggestion would be something to better handle certificate reporting... so that we don't have to rely upon the bit flaky certutil -view -restrict ? Anyway, thanks again.

Vadims Podans

> One enhancement suggestion would be something to better handle certificate reporting... so that we don't have to rely upon the bit flaky certutil -view -restrict ?

What do you mean? Can you provide an example? And, please, post all your suggestions on CodePlex.

Miguel

Hi Vadims, what exactly is AlternateSignatureAlgorithm for?

Vadims Podāns

It controls the use of RSA Probabilistic Signature Scheme (RSASSA-PSS) in signature. When set, CA will use this signature scheme, otherwise -- not. Due to compatibility issues with 3rd party software, it is not recommended to use this scheme.

