Continuing the story, I would like to uncover some new features which are available in PSPKI v3.0. I started development of an X.509 certificate revocation list (CRL) object factory and have already shipped basic features, implemented as a set of methods. The main use case of these methods is the OCSP server's local revocation configuration. When you open the revocation configuration properties, you will see the Local CRL tab:

[image: Local CRL tab in the revocation configuration properties]

In this tab you can add revoked certificate entries which are not present in the CRL configured in the revocation provider. Internally, the OCSP server maintains a simple X.509 CRL object. Microsoft does not provide any ready tools to manage this list programmatically.

Ok, at first we will explore the API to generate CRLs. As you may know, my module provides an X509CRL2 class that represents an X.509 CRL object. Usually you instantiate the object from an existing CRL. Now you can also generate a very basic CRL from scratch. The following method call sequence must be used to generate a new CRL:

1) invoke the parameter-less constructor of the X509CRL2 class;

2) use Set* methods to set properties, like the ThisUpdate and NextUpdate fields and the hashing algorithm;

3) use the ImportCRLEntries method to import the CRL entries you want to see in the CRL;

4) invoke the Build method, passing the signer certificate. Signer information will be populated in the Issuer field. If the signing certificate has a private key, the method will attempt to sign the CRL; otherwise, the CRL will only be hashed. The method description provides details about its behavior.

Currently, only version 1 CRLs are available through the CRL factory. Version 2 CRL and delta CRL support is scheduled in my roadmap. In addition, signing certificates whose keys are stored in a key storage provider (KSP) are not yet allowed for signing, because CNG signing is not yet completed, but I hope to have full CNG support in the next PSPKI release.

Here is a code example that creates a new CRL:

# instantiate X509CRL2 object via parameterless constructor.
$crl = New-Object System.Security.Cryptography.X509Certificates.X509CRL2
# set ThisUpdate field to current date/time
$crl.SetThisUpdate((Get-Date))
# set NextUpdate to 7 days after current date/time. For local CRL in OCSP server,
# you should set the date after CA certificate's expiration.
$crl.SetNextUpdate((Get-Date).AddDays(7))
# create and set Oid2 object that will represent signature algorithm
$oid2 = New-Object System.Security.Cryptography.Oid2 "1.3.14.3.2.26","signaturealgorithm",0
$crl.SetHashingAlgorithm($oid2)
# create CRL entry collection
$revcerts = New-Object System.Security.Cryptography.X509Certificates.X509CRLEntryCollection
# create and add CRL entries to a CRL. We pass $null to Revocation Date if we assume current time
# and 0 to revocation reason (unspecified).
$entry = New-Object System.Security.Cryptography.X509Certificates.X509CRLEntry "01",$null,0
[Void]$revcerts.Add($entry)
# assuming, certificate with serial number '02' was revoked 1 day ago
$entry = New-Object System.Security.Cryptography.X509Certificates.X509CRLEntry "02",$((Get-Date).AddDays(-1)),0
[Void]$revcerts.Add($entry)
$crl.ImportCRLEntries($revcerts)
# finalize CRL. $cert holds the signer (CA) certificate as an X509Certificate2 object retrieved
# beforehand (e.g. from the Cert: drive); with a private key present the CRL is signed, otherwise only hashed.
$crl.Build($cert, $true)

The same commands in an interactive session, followed by the resulting object:

PS C:\> $crl = New-Object System.Security.Cryptography.X509Certificates.X509CRL2
PS C:\> $crl.SetThisUpdate((Get-Date))
PS C:\> $crl.SetNextUpdate((Get-Date).AddDays(7))
PS C:\> $oid2 = New-Object System.Security.Cryptography.Oid2 "1.3.14.3.2.26","signaturealgorithm",0
PS C:\> $crl.SetHashingAlgorithm($oid2)
PS C:\> $revcerts = New-Object System.Security.Cryptography.X509Certificates.X509CRLEntryCollection
PS C:\> $entry = New-Object System.Security.Cryptography.X509Certificates.X509CRLEntry "01",$null,0
PS C:\> [Void]$revcerts.Add($entry)
PS C:\> $entry = New-Object System.Security.Cryptography.X509Certificates.X509CRLEntry "02",$((Get-Date).AddDays(-1)),0
PS C:\> [Void]$revcerts.Add($entry)
PS C:\> $crl.ImportCRLEntries($revcerts)
PS C:\> $crl.Build($cert, $true)
PS C:\> $crl


Version             : 1
Type                : Base CRL
IssuerDN            : System.Security.Cryptography.X509Certificates.X500DistinguishedName
Issuer              : CN=contoso-DC2-CA, DC=contoso, DC=com
ThisUpdate          : 2014.08.24. 23:13:54
NextUpdate          : 2014.08.31. 23:13:57
SignatureAlgorithm  : 1.3.14.3.2.26 (sha1NoSign)
Extensions          :
RevokedCertificates : {Serial number: 01 revoked at: 2014.08.24. 23:14:13, Serial number: 02 revoked at: 2014.08.23. 23
                      :14:18}
RawData             : {48, 129, 193, 48...}
Handle              : 491486800



PS C:\> $crl.RevokedCertificates

SerialNumber                  RevocationDate                                   ReasonCode ReasonMessage
------------                  --------------                                   ---------- -------------
01                            2014.08.24. 23:14:13                                      0 Unspecified
02                            2014.08.23. 23:14:18                                      0 Unspecified


PS C:\>

And here we go! We have created a new CRL.

The Build method finalizes the CRL object; after this call, CRL factory methods on this object will fail.

How would you use this CRL in an OCSP server?

PS C:\> $ocsp = New-Object -ComObject certadm.ocspadmin
PS C:\> $ocsp.GetConfiguration("dc2",$true)
PS C:\> $revconfig = $ocsp.OCSPCAConfigurationCollection.Item(1)
PS C:\> $revconfig


Identifier                 : Contoso-DC2-CA (v2.2)
CACertificate              : {48, 130, 4, 78...}
HashAlgorithm              : SHA1
SigningFlags               : 605
SigningCertificate         : {48, 130, 3, 212...}
ReminderDuration           : 90
ErrorCode                  : 0
CSPName                    : Microsoft Software Key Storage Provider
KeySpec                    : 0
ProviderCLSID              : {4956d17f-88fd-4198-b287-1e6e65883b19}
ProviderProperties         : {BaseCrl, 48 130 2 119 48 130 1 95 2 1 1 48 13 6 9 42 134 72 134 247 13 1 1 11 5 0 48 71 4
                             9 19 48 17 6 10 9 146 38 137 147 242 44 100 1 25 22 3 99 111 109 49 23 48 21 6 10 9 146 38
                              137 147 242 44 100 1 25 22 7 99 111 110 116 111 115 111 49 23 48 21 6 3 85 4 3 19 14 99 1
                             11 110 116 111 115 111 45 68 67 50 45 67 65 23 13 49 52 48 56 49 56 49 54 51 50 53 55 90 2
                             3 13 49 52 48 56 50 53 49 55 53 50 53 55 90 48 58 48 27 2 10 32 26 29 24 0 2 0 0 1 129 23
                             13 49 48 49 50 50 52 49 56 48 49 48 48 90 48 27 2 10 31 211 64 105 0 2 0 0 1 126 23 13 49
                             48 49 50 50 52 49 56 48 49 48 48 90 160 129 167 48 129 164 48 31 6 3 85 29 35 4 24 48 22 1
                             28 20 157 253 252 170 197 187 38 226 196 154 213 208 75 93 106 97 10 138 186 67 48 18 6 9
                             43 6 1 4 1 130 55 21 1 4 5 2 3 2 0 2 48 11 6 3 85 29 20 4 4 2 2 19 229 48 28 6 9 43 6 1 4
                             1 130 55 21 4 4 15 23 13 49 52 48 56 50 53 49 54 52 50 53 55 90 48 66 6 3 85 29 46 4 59 48
                              57 48 55 160 53 160 51 134 49 104 116 116 112 58 47 47 119 119 119 46 99 111 110 116 111
                             115 111 46 99 111 109 47 112 107 105 47 99 111 110 116 111 115 111 45 68 67 50 45 67 65 40
                              50 41 43 46 99 114 108 48 13 6 9 42 134 72 134 247 13 1 1 11 5 0 3 130 1 1 0 86 113 110 1
                             48 254 54 168 122 83 98 74 181 36 92 52 30 113 222 212 75 25 154 117 209 160 125 219 245 1
                             5 212 29 203 114 233 159 88 134 230 117 96 74 239 216 205 7 60 3 175 197 220 149 115 244 1
                             52 171 163 140 125 95 4 194 243 18 244 255 31 26 17 185 104 32 116 19 67 175 103 59 251 20
                              109 100 62 197 253 46 76 208 180 187 78 76 140 6 196 143 81 53 3 150 92 102 200 69 121 20
                             5 25 220 92 237 109 238 168 136 92 195 140 131 186 41 168 217 54 137 155 145 225 187 237 6
                             0 199 148 104 220 150 255 4 53 59 105 224 186 224 92 106 104 92 125 15 176 254 98 71 59 24
                             7 68 44 230 34 31 214 114 209 250 131 143 250 48 179 90 8 104 91 157 214 241 245 127 104 1
                             73 19 144 204 111 145 11 248 248 237 19 171 49 33 133 186 106 60 149 73 38 211 103 57 253
                             97 44 86 223 48 107 130 229 52 139 208 27 221 238 248 99 116 33 238 29 5 120 133 14 128 14
                             4 186 152 105 121 25 32 151 79 66 213 200 178 168 250 253 202 66 81 180 7 25 16 140 132 5
                             120 149, BaseCrlUrls, http://www.contoso.com/pki/contoso-DC2-CA(2).crl...}
Modified                   : False
LocalRevocationInformation :
SigningCertificateTemplate : OCSPResponseSigning
CAConfig                   : dc2.contoso.com\contoso-DC2-CA



PS C:\> $revconfig.LocalRevocationInformation = $crl.RawData
PS C:\> $ocsp.SetConfiguration("dc2",$true)
PS C:\> $revconfig


Identifier                 : Contoso-DC2-CA (v2.2)
CACertificate              : {48, 130, 4, 78...}
HashAlgorithm              : SHA1
SigningFlags               : 605
SigningCertificate         : {48, 130, 3, 212...}
ReminderDuration           : 90
ErrorCode                  : 0
CSPName                    : Microsoft Software Key Storage Provider
KeySpec                    : 0
ProviderCLSID              : {4956d17f-88fd-4198-b287-1e6e65883b19}
ProviderProperties         : {BaseCrl, 48 130 2 119 48 130 1 95 2 1 1 48 13 6 9 42 134 72 134 247 13 1 1 11 5 0 48 71 4
                             9 19 48 17 6 10 9 146 38 137 147 242 44 100 1 25 22 3 99 111 109 49 23 48 21 6 10 9 146 38
                              137 147 242 44 100 1 25 22 7 99 111 110 116 111 115 111 49 23 48 21 6 3 85 4 3 19 14 99 1
                             11 110 116 111 115 111 45 68 67 50 45 67 65 23 13 49 52 48 56 49 56 49 54 51 50 53 55 90 2
                             3 13 49 52 48 56 50 53 49 55 53 50 53 55 90 48 58 48 27 2 10 32 26 29 24 0 2 0 0 1 129 23
                             13 49 48 49 50 50 52 49 56 48 49 48 48 90 48 27 2 10 31 211 64 105 0 2 0 0 1 126 23 13 49
                             48 49 50 50 52 49 56 48 49 48 48 90 160 129 167 48 129 164 48 31 6 3 85 29 35 4 24 48 22 1
                             28 20 157 253 252 170 197 187 38 226 196 154 213 208 75 93 106 97 10 138 186 67 48 18 6 9
                             43 6 1 4 1 130 55 21 1 4 5 2 3 2 0 2 48 11 6 3 85 29 20 4 4 2 2 19 229 48 28 6 9 43 6 1 4
                             1 130 55 21 4 4 15 23 13 49 52 48 56 50 53 49 54 52 50 53 55 90 48 66 6 3 85 29 46 4 59 48
                              57 48 55 160 53 160 51 134 49 104 116 116 112 58 47 47 119 119 119 46 99 111 110 116 111
                             115 111 46 99 111 109 47 112 107 105 47 99 111 110 116 111 115 111 45 68 67 50 45 67 65 40
                              50 41 43 46 99 114 108 48 13 6 9 42 134 72 134 247 13 1 1 11 5 0 3 130 1 1 0 86 113 110 1
                             48 254 54 168 122 83 98 74 181 36 92 52 30 113 222 212 75 25 154 117 209 160 125 219 245 1
                             5 212 29 203 114 233 159 88 134 230 117 96 74 239 216 205 7 60 3 175 197 220 149 115 244 1
                             52 171 163 140 125 95 4 194 243 18 244 255 31 26 17 185 104 32 116 19 67 175 103 59 251 20
                              109 100 62 197 253 46 76 208 180 187 78 76 140 6 196 143 81 53 3 150 92 102 200 69 121 20
                             5 25 220 92 237 109 238 168 136 92 195 140 131 186 41 168 217 54 137 155 145 225 187 237 6
                             0 199 148 104 220 150 255 4 53 59 105 224 186 224 92 106 104 92 125 15 176 254 98 71 59 24
                             7 68 44 230 34 31 214 114 209 250 131 143 250 48 179 90 8 104 91 157 214 241 245 127 104 1
                             73 19 144 204 111 145 11 248 248 237 19 171 49 33 133 186 106 60 149 73 38 211 103 57 253
                             97 44 86 223 48 107 130 229 52 139 208 27 221 238 248 99 116 33 238 29 5 120 133 14 128 14
                             4 186 152 105 121 25 32 151 79 66 213 200 178 168 250 253 202 66 81 180 7 25 16 140 132 5
                             120 149, BaseCrlUrls, http://www.contoso.com/pki/contoso-DC2-CA(2).crl...}
Modified                   : False
LocalRevocationInformation : {48, 129, 193, 48...}
SigningCertificateTemplate : OCSPResponseSigning
CAConfig                   : dc2.contoso.com\contoso-DC2-CA



PS C:\>

I used the OCSP COM interfaces to connect to the OCSP server and retrieve the OCSP configurations. There is a LocalRevocationInformation property which holds the local CRL: basically, we assign the CRL's raw byte array to it and save the configuration. In the OCSP MMC snap-in we can see the changes:
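The two procedures above (building the CRL with the X509CRL2 factory, then storing it in the OCSP revocation configuration) put together as one script. This is an added example, not code from the original post or from PSPKI itself; it assumes the PSPKI module is loaded, $signer is the CA certificate as an X509Certificate2 object whose private key lives in a legacy CSP (KSP keys cannot sign in this release), and that the OCSP configuration collection's ItemByName lookup is available (a COM method, not something the post uses). Function names are my own.

```powershell
# Added example (not part of PSPKI or the original post).
function New-LocalOcspCrl {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Signer,
        # hashtable: serial number (hex string) -> revocation date ($null = now)
        [Parameter(Mandatory)][hashtable]$Revoked,
        # hashing algorithm OID; the post uses SHA-1 (1.3.14.3.2.26)
        [string]$HashOid = "1.3.14.3.2.26"
    )
    if (-not $Signer.HasPrivateKey) {
        throw "Signer has no private key: Build would only hash the CRL, not sign it."
    }
    $crl = New-Object System.Security.Cryptography.X509Certificates.X509CRL2
    $crl.SetThisUpdate((Get-Date))
    # a local OCSP CRL should outlive the CA certificate, so NextUpdate goes one day past NotAfter
    $crl.SetNextUpdate($Signer.NotAfter.AddDays(1))
    $oid = New-Object System.Security.Cryptography.Oid2 $HashOid, "signaturealgorithm", 0
    $crl.SetHashingAlgorithm($oid)
    $entries = New-Object System.Security.Cryptography.X509Certificates.X509CRLEntryCollection
    foreach ($serial in $Revoked.Keys) {
        # reason code 0 = unspecified, as in the post
        $entry = New-Object System.Security.Cryptography.X509Certificates.X509CRLEntry $serial, $Revoked[$serial], 0
        [void]$entries.Add($entry)
    }
    $crl.ImportCRLEntries($entries)
    $crl.Build($Signer, $true)   # finalizes the object; factory methods fail afterwards
    return $crl
}

function Set-LocalOcspCrl {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Identifier,   # revocation configuration name
        [Parameter(Mandatory)]$Crl
    )
    $ocsp = New-Object -ComObject certadm.ocspadmin
    $ocsp.GetConfiguration($ComputerName, $true)
    # look the configuration up by name instead of a fixed index (assumed COM method)
    try { $config = $ocsp.OCSPCAConfigurationCollection.ItemByName($Identifier) }
    catch { throw "Revocation configuration '$Identifier' not found on $ComputerName" }
    $config.LocalRevocationInformation = $Crl.RawData
    $ocsp.SetConfiguration($ComputerName, $true)
}

# usage with the same constructed entries as in the post: '01' revoked now, '02' a day ago
$crl = New-LocalOcspCrl -Signer $signer -Revoked @{ "01" = $null; "02" = (Get-Date).AddDays(-1) }
$crl.RevokedCertificates | Format-Table SerialNumber, RevocationDate, ReasonMessage
Set-LocalOcspCrl -ComputerName "dc2" -Identifier "Contoso-DC2-CA (v2.2)" -Crl $crl
```

Re-read the configuration afterwards (as the post does) and compare LocalRevocationInformation with $crl.RawData to confirm the save took effect.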

[image: OCSP MMC snap-in showing the local CRL entries]

Final word

I think I covered all notable changes in the PSPKI v3.0 release, so you will be able to efficiently manage your PKI infrastructure in a convenient managed way. There are a lot of changes, but still, there is a lot of work to do to move Windows PKI management from C++ to PowerShell and .NET. I wish I had more hands to deliver new features faster. I can't imagine a situation when Microsoft delivers all this functionality in their products. It will kill me.

And yes, you can reference the DLLs to use all this functionality in your own projects.
