I’m glad to announce another version of PowerShell PKI module release.

What’s new?

This release includes major internal code changes with new functionality.

• Code reorganization

At first, I completely separated Abstract Syntax Notation (ASN.1) code from main library to a dedicated DLL: SysadminsLV.Asn1Parser.dll. As I mentioned in one of previous posts, PKI.Core.dll and ASN parser are opensourced on GitHub: pkix.net and Asn1DerParser.NET.

Documentation for APIs in the PKI.Core.dll is here: PKI Library documentation. Documentation for ASN parser is pending.

• New module documentation

As you may know, I moved all module documentation to dedicated directory on my web site: PowerShell PKI Module. All wiki docs on CodePlex are deprecated and deleted. Though, for compatibility purposes, pages themselves are not wiped, instead, they store URLs to new doc pages.

Despite the fact that documentation was moved from CodePlex, all releases, discussions and issue tracker are still on CodePlex and I don’t have plans to move them in near time.

New X.509 certificate extension classes

Added managed implementation of the following X.509 extensions:

• X509ApplicationPolicyConstraintsExtension Class
• X509ApplicationPolicyMappingsExtension Class
• X509AuthorityKeyIdentifierExtension Class
• X509CertificatePolicyConstraintsExtension Class
• X509CertificatePolicyMappingsExtension Class
• X509CrossCertificateDistributionPointsExtension Class
• X509NameConstraintsExtension Class

Now, you can use them to encode/decode these extension in managed way.

Existing changes and improvements

I have deprecated two old functions that used to enumerate cryptographic service providers: Get-CryptographicServiceProviderEx and Get-CryptographicServiceProviderCNG. They are replaced by a unified command Get-CryptographicServiceProvider which supports all provider types, including CSP and modern, key storage providers.

Convert-PfxToPem

Based on feature requests in this working item: https://pspki.codeplex.com/workitem/91, I added the ‘-IncludeChain’ switch parameter to Convert-PfxToPem command, which exports all available intermediate certificates to PEM file.

Convert-PemToPfx

Again, based on feature request, I reworked the command in the following way:

• get rid of Certutil and using completely managed way to associate PKCS#1/PKCS#8 key with X.509 certificate
• Added an ability to provide key description information, including CSP where to load the key, key spec.
• Added an ability to install converted certificate to local certificate store without saving intermediate PFX file. Now, it is possible to install the certificate to certificate store, export to PFX file or do both.

OCSP

After private discussions with Windows PKI Team I realized that my managed OCSP client doesn’t behave correctly and in most cases produce different results comparing with OCSP implementation in Windows CryptoAPI. The biggest problem there was network method. By default, Windows OCSP client sends HTTP GET request to OCSP server. If the request was unsuccessful and server returned either, HTTP404 or HTTP405, a HTTP POST is attempted. If server returned any other HTTP error, the code doesn’t fallback to HTTP POST and immediately reports that OCSP server is non-functional.

In addition, I made OCSPRequest class more flexible and powerful.

At first, I get rid of 8(!) very similar constructors and ended up with only 4 different constructors. Previously, the code retrieved issuer information by building the certificate chain and failed if chain cannot be constructed. Now it is possible to construct the OCSP request by using OCSPRequest(X509Certificate2Collection, X509Certificate2) constructor, where you can pass issuer certificate explicitly, as the result you can work with certificates whose chain is unavailable at the moment. I updated all related classes to support explicit issuer information: CertID, OCSPSingleRequest and OCSPRequest classes.

To achieve request configuration, almost all class properties are now read-write. Sometimes I receive reports that customer’s OCSP server is behind proxy, requires authentication, and so on, I decided to add this functionality in the class. Now you can specify/override:

• OCSP server URL;
• Proxy settings for network connection;
• Authenticate on OCSP server by using Basic Authentication;
• Digitally sign OCSP request (although defined in RFC, I’m not aware about any server that would support this);
• Specify preferred signature algorithm that server shall use when signing response (supported in RFC6960).

Bug fixes

As always, I’m trying to make the module more stable and constantly working on bug fixes. The following working items/bugs are fixed/closed:

• Cannot convert value "ca.example.com" to type "PKI.CertificateServices.CertificateAuthority"
• Running convert-pfxtopem command identical to get-help -examples and failing to work
• Unable to convert pfx to pem
• Get-CertificateRevocationList fails when given a relative path to a CRL file
• Register-ObjectIdentifier FIPS error
• Get-EnterprisePKIHealthStatus Error
• CRL revocation check bug
• Appear to be an error with Get-CertificateTemplate when the DisplayName of the Template include / character
• Import-Module errors with Types on remote share

Download

And here is the download link for PowerShell PKI Module v3.2.5: PowerShell PKI Module v3.2.5