Hello S-1-1-0!

After three months since PSPKI module v3.2.5 was released I received a number of unfortunate bugs (which weren’t tested very well from my side) and other issues. So I decided to address them while I have some spare time. In addition, I made an attempt to provide new functionality I really missed in the module.

This release is intended to make the module more stable and less buggy. In some aspects it become faster.

Bug Fixes

I have fixed a number of private bugs (found by myself) and publically reported bugs:

For detailed change logs and privately reported issues see:

New Functionality

I had a dream about certificate context properties for X.509 certificates which are available when certificate is installed in the certificate store. There were various problems in this functionality implementation. At first, there are a lot of properties and most of them have different formats. Eventually I decided to give a try and wrote several classes, extension methods and PowerShell function that would support at least common and well-known properties:

X509Certificate2 class extension methods:

And central class: X509CertificateContextProperty. Check online help documentation for details.

All these classes and methods are wrapped in the Get-CertificateContextProperty PowerShell function which is added to PSPKI module. Currently, this function returns single or a collection of X509CertificateContextProperty objects for each certificate. Each property object contains a reference to a certificate.

For example, retrieve a list of available certificate context properties:

PS C:\> $cert = (dir Cert:\LocalMachine\My)[8]
PS C:\> $cert | Get-CertificateContextProperty -NameList
PS C:\>

And retrieve all properties with their values:

PS C:\> $cert | Get-CertificateContextProperty

Certificate                                    PropertyName PropertyValue                 UnderlyingType
-----------                                    ------------ -------------                 --------------
[Subject]...                       RequestOriginatorMachine hq-s-sql.sysadmins.lv         System.String
[Subject]...                              CEPEnrollmentInfo ...                           System.Security.Cryptograp...
[Subject]...                                   ProviderInfo PKI.Structs.Wincrypt+CRYPT... PKI.Structs.Wincrypt+CRYPT...
[Subject]...                         IssuerPublicKeyMD5Hash c2 ba 59 89 4d 65 55 f3 72... System.String
[Subject]...                                PublicKeyLength 2048                          System.Int32
[Subject]...                          SuibjectKeyIdentifier 21 59 3f 73 79 a1 dd 71 67... System.String
[Subject]...                                  SignatureHash 89 5c 32 16 99 0a 44 77 67... System.String
[Subject]...                                        MD5Hash 3f d8 85 67 d7 b5 95 e4 18... System.String
[Subject]...                               PublicKeyMD5Hash f1 db 40 9f e8 a5 d2 ce 70... System.String
[Subject]...                                       SHA1Hash 08 7c 98 52 d1 86 3e 69 55... System.String
[Subject]...                                OcspCachePrefix D1DF52D504A99E8E7503513713... System.String

PS C:\>

The output doesn’t look pretty good, but already provides useful information. For example, we can see that originally this certificate was requested from “hq-s-sql.sysadmins.lv” machine (RequestOriginatorMachine property). CEPEnrollmentInfo property indicates that the certificate was requested by using ADCS Enrollment Web Services. We can read some information about certificate enrollment details:

PS C:\> ($cert | Get-CertificateContextProperty -PropertyName CEPEnrollmentInfo).PropertyValue

Version                         : 1
PolicyServerUrl                 : https://hq-s-pkix.sysadmins.lv/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
PolicyServerUrlFlags            : None
PolicyServerAuthentication      : Kerberos
PolicyId                        : {F29AC102-CDCD-4AA8-B1F5-761051FB52C5}
EnrollmentServerUrl             : https://hq-s-pkix.sysadmins.lv/Sysadmins LV Internal Class 1 SubCA-1_CES_Kerberos/ser
EnrollmentyServerAuthentication : Kerberos
RequestID                       : 785

PS C:\>

We can see detailed information about policy and enrollment server URLs, policy ID, authentication methods for each service and request ID.

In similar ways you can read other properties. For example, some trusted root CA certificates are restricted to allow only specific enhanced key usages for subsequent certificates:

PS C:\> $cert = gi Cert:\LocalMachine\Root\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
PS C:\> $cert

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

PS C:\> $cert | Get-CertificateContextProperty -NameList
PS C:\> ($cert | Get-CertificateContextProperty -PropertyName EnhancedKeyUsage).PropertyValue

EnhancedKeyUsages                                  Critical Oid                           RawData
-----------------                                  -------- ---                           -------
{Server Authentication, Cl...                         False (Enhanced Key Us... {48, 50, 6, 8...}

PS C:\> (($cert | Get-CertificateContextProperty -PropertyName EnhancedKeyUsage).PropertyValue).EnhancedKeyUsages

Value                                                       FriendlyName
-----                                                       ------------                                           Server Authentication                                           Client Authentication                                           Secure Email                                           Code Signing                                           Time Stamping

PS C:\>

We see that this particular root CA is limited only to specified key usages. In addition, there is RootProgramCertificatePolicies property. This property contains certificate policies for Extended Validation (EV) SSL certificate issuance:

PS C:\> (($cert | Get-CertificateContextProperty -PropertyName RootProgramCertificatePolicies).PropertyValue).Format(1)
[1]Certificate Policy:
     Policy Identifier=2.16.840.1.114412.2.1
     [1,1]Policy Qualifier Info:
          Policy Qualifier Id=
               03 02 00 c0

PS C:\>

I’m using Format() method for quick textual representation of the property object that displays policy information. But you still can manually decode this information by digging into underlying object which is of X509CertificatePoliciesExtension class:

PS C:\> ($cert | Get-CertificateContextProperty -PropertyName RootProgramCertificatePolicies).UnderlyingType.FullName
PS C:\>

I made a lot of efforts to make the property object more discoverable in an automated way. That is, context property object contains all required information about the property:

  • Property name;
  • Underlying type of the property value;
  • Property value;
  • Associated certificate

I hope you find this feature useful for you.

This is “preview” version of Get-CertificateContextProperty command. I have to admit that the design is not the best, so I would like to hear your suggestions on how I should compose properties to support better display in PowerShell console and class management.

Comment policy on PSPKI documentation

Each page on PowerShell PKI Module site directory is open for comments. However, I noticed that some users misuse comments there, so I would like to clarify comment policy. Comments are intended to help and improve documentation, point to bugs, typos incomplete and unclear information. Once I fix the issue, the comment will be deleted.

Related things: ASN.1

In previous release, I removed PKI.ASN namespace from PKI.Core.dll library, because ASN classes are used in other projects, so I moved them to dedicated project. I’m continuing to develop and improve my ASN.1 library and its documentation (for parts that are working right now and are extensively used by PSPKI module) is published online: http://pkix2.sysadmins.lv/asn1parser-docs/html/R_Project_Documentation.htm. I will post more information about this library in future posts.


>> PowerShell PKI Module v3.2.6 <<

Share this article:





I tried to run the remove-databaserow and received that error: "WARNING: Non-request or non-CRL table row removal is not supported." .  But the thing is that we have a CA  in our lab environment that is an exact copy of our prod one and it work in LAB....  Do you have any Idea ?


Thank you 


Hello Vadims,

This version of PSPKI module doesn't work with an ADCS server under Windows Server 2016.

Do you plan to release a new version that is compatible with Windows Server 2016?

Thanks in advance.

Vadims Podāns

Yes, once I move to PowerShell gallery, I will update the module.

Post your comment:

Please, solve this little equation and enter result below. Captcha