Hello S-1-1-0!
Three months after PSPKI module v3.2.5 was released, I had received a number of unfortunate bug reports (the code wasn't tested very well on my side) and other issues, so I decided to address them while I have some spare time. In addition, I made an attempt to provide new functionality that I really missed in the module.
This release is intended to make the module more stable and less buggy. In some aspects it has become faster.
I have fixed a number of private bugs (found by myself) and publicly reported bugs:
For detailed change logs and privately reported issues see:
I had long wanted to expose certificate context properties for X.509 certificates, which are available once a certificate is installed in a certificate store. Implementing this functionality raised several problems. First of all, there are a lot of properties and most of them have different formats. Eventually I decided to give it a try and wrote several classes, extension methods and a PowerShell function that support at least the common and well-known properties:
X509Certificate2 class extension methods:
And the central class: X509CertificateContextProperty. Check the online help documentation for details.
All these classes and methods are wrapped in the Get-CertificateContextProperty PowerShell function, which is added to the PSPKI module. Currently, this function returns a single X509CertificateContextProperty object or a collection of them for each certificate. Each property object contains a reference to its certificate.
For example, retrieve a list of available certificate context properties:
PS C:\> $cert = (dir Cert:\LocalMachine\My)[8]
PS C:\> $cert | Get-CertificateContextProperty -NameList
RequestOriginatorMachine
CEPEnrollmentInfo
ProviderInfo
IssuerPublicKeyMD5Hash
PublicKeyLength
SuibjectKeyIdentifier
SignatureHash
MD5Hash
PublicKeyMD5Hash
SHA1Hash
OcspCachePrefix
PS C:\>
And retrieve all properties with their values:
PS C:\> $cert | Get-CertificateContextProperty

Certificate  PropertyName             PropertyValue                 UnderlyingType
-----------  ------------             -------------                 --------------
[Subject]... RequestOriginatorMachine hq-s-sql.sysadmins.lv         System.String
[Subject]... CEPEnrollmentInfo        ...                           System.Security.Cryptograp...
[Subject]... ProviderInfo             PKI.Structs.Wincrypt+CRYPT... PKI.Structs.Wincrypt+CRYPT...
[Subject]... IssuerPublicKeyMD5Hash   c2 ba 59 89 4d 65 55 f3 72... System.String
[Subject]... PublicKeyLength          2048                          System.Int32
[Subject]... SuibjectKeyIdentifier    21 59 3f 73 79 a1 dd 71 67... System.String
[Subject]... SignatureHash            89 5c 32 16 99 0a 44 77 67... System.String
[Subject]... MD5Hash                  3f d8 85 67 d7 b5 95 e4 18... System.String
[Subject]... PublicKeyMD5Hash         f1 db 40 9f e8 a5 d2 ce 70... System.String
[Subject]... SHA1Hash                 08 7c 98 52 d1 86 3e 69 55... System.String
[Subject]... OcspCachePrefix          D1DF52D504A99E8E7503513713... System.String

PS C:\>
The output doesn't look very pretty, but it already provides useful information. For example, we can see that this certificate was originally requested from the "hq-s-sql.sysadmins.lv" machine (RequestOriginatorMachine property). The CEPEnrollmentInfo property indicates that the certificate was requested by using ADCS Enrollment Web Services. We can read some details about the certificate enrollment:
PS C:\> ($cert | Get-CertificateContextProperty -PropertyName CEPEnrollmentInfo).PropertyValue

Version                         : 1
PolicyServerUrl                 : https://hq-s-pkix.sysadmins.lv/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
PolicyServerUrlFlags            : None
PolicyServerAuthentication      : Kerberos
PolicyId                        : {F29AC102-CDCD-4AA8-B1F5-761051FB52C5}
EnrollmentServerUrl             : https://hq-s-pkix.sysadmins.lv/Sysadmins LV Internal Class 1 SubCA-1_CES_Kerberos/service.svc/CES
EnrollmentyServerAuthentication : Kerberos
RequestID                       : 785

PS C:\>
We can see detailed information about the policy and enrollment server URLs, the policy ID, the authentication method for each service and the request ID.
In a similar way you can read other properties. For example, some trusted root CA certificates are restricted to allow only specific enhanced key usages for the certificates chaining to them:
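As an added example (not code from the original post), the two properties discussed above can be used to inventory where the machine certificates in LocalMachine\My were actually enrolled from, and to flag any that came through a policy server you do not operate. It assumes PSPKI v3.2.6 is imported and uses only the Get-CertificateContextProperty parameters and property names shown above; the trusted host list is a constructed sample.

```powershell
# Added example, not part of PSPKI itself. Assumes the PSPKI module (v3.2.6) is installed.
Import-Module PSPKI

# Constructed sample: the policy server host(s) our own CEP/CES infrastructure runs on.
$trustedPolicyHosts = @('hq-s-pkix.sysadmins.lv')

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Names of the context properties present on this particular certificate
    $names = $cert | Get-CertificateContextProperty -NameList

    $origin = $null
    if ($names -contains 'RequestOriginatorMachine') {
        $origin = ($cert | Get-CertificateContextProperty -PropertyName RequestOriginatorMachine).PropertyValue
    }

    # CEPEnrollmentInfo is only present when the certificate came through Enrollment Web Services
    $cep = $null
    if ($names -contains 'CEPEnrollmentInfo') {
        $cep = ($cert | Get-CertificateContextProperty -PropertyName CEPEnrollmentInfo).PropertyValue
    }

    $policyHost = $null; $policyAuth = $null; $requestId = $null; $unexpected = $false
    if ($cep) {
        $policyAuth = $cep.PolicyServerAuthentication
        $requestId  = $cep.RequestID
        if ($cep.PolicyServerUrl) {
            $policyHost = ([Uri]$cep.PolicyServerUrl).Host
            $unexpected = $trustedPolicyHosts -notcontains $policyHost
        }
    }

    [PSCustomObject]@{
        Thumbprint          = $cert.Thumbprint
        Subject             = $cert.Subject
        Originator          = $origin
        PolicyServer        = $policyHost
        PolicyAuth          = $policyAuth
        RequestID           = $requestId
        UnexpectedPolicySrv = $unexpected
    }
}

$report | Format-Table -AutoSize
# Certificates enrolled via a policy server outside our own PKI deserve a closer look.
$report | Where-Object UnexpectedPolicySrv | Format-Table Thumbprint, Subject, PolicyServer -AutoSize
```

Certificates without either property (for example, imported PFX files or certificates enrolled without Enrollment Web Services) simply show empty Originator and PolicyServer columns.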
PS C:\> $cert = gi Cert:\LocalMachine\Root\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
PS C:\> $cert

   Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

PS C:\> $cert | Get-CertificateContextProperty -NameList
PublicKeyLength
RootProgramCertificatePolicies
98
SuibjectKeyIdentifier
FriendlyName
EnhancedKeyUsage
SHA1Hash
SignatureHash
PublicKeyMD5Hash
SubjectNameMD5Hash
MD5Hash
PS C:\> ($cert | Get-CertificateContextProperty -PropertyName EnhancedKeyUsage).PropertyValue

EnhancedKeyUsages             Critical Oid                           RawData
-----------------             -------- ---                           -------
{Server Authentication, Cl... False    2.5.29.37 (Enhanced Key Us... {48, 50, 6, 8...}

PS C:\> (($cert | Get-CertificateContextProperty -PropertyName EnhancedKeyUsage).PropertyValue).EnhancedKeyUsages

Value             FriendlyName
-----             ------------
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.4 Secure Email
1.3.6.1.5.5.7.3.3 Code Signing
1.3.6.1.5.5.7.3.8 Time Stamping

PS C:\>
We see that this particular root CA is limited to the specified key usages only. In addition, there is a RootProgramCertificatePolicies property. This property contains the certificate policies for Extended Validation (EV) SSL certificate issuance:
PS C:\> (($cert | Get-CertificateContextProperty -PropertyName RootProgramCertificatePolicies).PropertyValue).Format(1)
[1]Certificate Policy:
     Policy Identifier=2.16.840.1.114412.2.1
     [1,1]Policy Qualifier Info:
          Policy Qualifier Id=1.3.6.1.4.1.311.60.1.1
          Qualifier:
               03 02 00 c0
PS C:\>
I'm using the Format() method for a quick textual representation of the property object that displays the policy information. But you can still decode this information manually by digging into the underlying object, which is of the X509CertificatePoliciesExtension class:
PS C:\> ($cert | Get-CertificateContextProperty -PropertyName RootProgramCertificatePolicies).UnderlyingType.FullName
System.Security.Cryptography.X509Certificates.X509CertificatePoliciesExtension
PS C:\>
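As an added example (not code from the original post), the EnhancedKeyUsage and RootProgramCertificatePolicies properties read above for one DigiCert root can be applied across the whole LocalMachine\Root store to show which trusted roots are restricted to specific purposes and which are trusted for everything. It assumes PSPKI v3.2.6 is imported and that PropertyValue for EnhancedKeyUsage is the X509EnhancedKeyUsageExtension object shown in the output above.

```powershell
# Added example, not part of PSPKI itself. Assumes the PSPKI module (v3.2.6) is installed.
Import-Module PSPKI

$roots = foreach ($root in Get-ChildItem Cert:\LocalMachine\Root) {
    $names = $root | Get-CertificateContextProperty -NameList

    # No EnhancedKeyUsage context property means the root is trusted for all purposes.
    $restricted = $names -contains 'EnhancedKeyUsage'
    $ekus = @()
    if ($restricted) {
        # PropertyValue is an X509EnhancedKeyUsageExtension; EnhancedKeyUsages lists the
        # permitted purposes. An empty list means every purpose has been disabled.
        $ext  = ($root | Get-CertificateContextProperty -PropertyName EnhancedKeyUsage).PropertyValue
        $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName })
    }

    # Roots carrying RootProgramCertificatePolicies are enabled for EV issuance.
    $hasEvPolicies = $names -contains 'RootProgramCertificatePolicies'
    $evPolicyOids  = @()
    if ($hasEvPolicies) {
        $pol = ($root | Get-CertificateContextProperty -PropertyName RootProgramCertificatePolicies).PropertyValue
        # X509CertificatePoliciesExtension: Format(1) gives the multi-line text seen above,
        # but here only the policy identifiers are extracted from it.
        $evPolicyOids = @([regex]::Matches($pol.Format(1), 'Policy Identifier=([\d.]+)') |
                          ForEach-Object { $_.Groups[1].Value })
    }

    [PSCustomObject]@{
        Thumbprint  = $root.Thumbprint
        Subject     = $root.Subject
        Restricted  = $restricted
        EKUs        = ($ekus -join ', ')
        AllDisabled = ($restricted -and $ekus.Count -eq 0)
        EVPolicies  = ($evPolicyOids -join ', ')
    }
}

# Unrestricted roots are trusted for every purpose; review them first.
$roots | Where-Object { -not $_.Restricted } | Format-Table Thumbprint, Subject -AutoSize
# Restricted roots and what they are allowed to issue for.
$roots | Where-Object Restricted | Format-Table Subject, EKUs, AllDisabled, EVPolicies -AutoSize
```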
I made a lot of effort to make the property object more discoverable in an automated way. That is, the context property object contains all the required information about the property:
I hope you find this feature useful for you.
This is a "preview" version of the Get-CertificateContextProperty command. I have to admit that the design is not the best, so I would like to hear your suggestions on how I should compose properties to support better display in the PowerShell console and class management.
Each page in the PowerShell PKI Module site directory is open for comments. However, I noticed that some users misuse comments there, so I would like to clarify the comment policy. Comments are intended to help improve the documentation: pointing out bugs, typos, and incomplete or unclear information. Once I fix the issue, the comment will be deleted.
In the previous release, I removed the PKI.ASN namespace from the PKI.Core.dll library, because the ASN classes are used in other projects, so I moved them to a dedicated project. I'm continuing to develop and improve my ASN.1 library, and its documentation (for the parts that are working right now and are extensively used by the PSPKI module) is published online: http://pkix2.sysadmins.lv/asn1parser-docs/html/R_Project_Documentation.htm. I will post more information about this library in future posts.
>> PowerShell PKI Module v3.2.6 <<
Hello,
I tried to run remove-databaserow and received this error: "WARNING: Non-request or non-CRL table row removal is not supported." But the thing is that we have a CA in our lab environment that is an exact copy of our prod one, and it works in the lab.... Do you have any idea?
Thank you
Hello Vadims,
This version of PSPKI module doesn't work with an ADCS server under Windows Server 2016.
Do you plan to release a new version that is compatible with Windows Server 2016?
Thanks in advance.
Yes, once I move to PowerShell gallery, I will update the module.