Hi S-1-1-0! Today I've released a new version of my PowerShell PKI module.

New commands

Unlike previous versions, this version does not introduce any new commands.

Existing code changes

Instead, I took the time to make the module more consistent. As part of this work I revisited all help topics; all help content is now more accurate and consistent. I have also added examples (where I considered them important) and clarified existing parts.

After discussions with the Windows PKI team, I had to change things in Add-ExtensionList and Remove-ExtensionList: the CAExtension and UserExtension parameters were renamed to EnabledExtension and OfflineExtension respectively. Parameter descriptions can be found in the built-in and online help topics. ExtensionList object properties were renamed accordingly to keep them consistent with the parameters.

After moving the Get-CertificationAuthority code to C#, I decided to deprecate the Get-EnrollmentServiceUri command (it still exists in the module). Since the returned object is included in the CertificateAuthority object, there is no need for a separate command to read the property.

The Get-CASchema command is also subject to retirement in future module versions; its functionality is now implemented as an instance method of the CertificateAuthority object. I haven't decided the future of these two commands yet.

Get-CertificationAuthority behavior was changed to use the ICertConfig COM interface to enumerate Enterprise CAs, rather than manually dumping Active Directory information.

While moving existing objects to C# (with mostly read-only properties) I will add an IsModified property (Boolean) which indicates whether the object was changed. This is important for objects that require a CA service restart for changes to take effect: if the property is False, the object write-back is not performed. These objects will implement a SetInfo() method that writes the current object back to the CA configuration. The method returns a Boolean indicating whether the write was performed. If the method returns False, there is no need (and the code will prevent this) to restart the CA service, because nothing was changed.
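
The following is an added example, not PSPKI module code, that models the IsModified / SetInfo() contract described above with a stand-in object. The class name CaConfigEntry, the hashtable used as the backing store and the two CRL settings in the sample are assumptions for the example; the only real name used is the CertSvc service, and the restart is issued with -WhatIf so the sample never touches a real CA.

```powershell
# Added example (not PSPKI module code; needs PowerShell 5.0 or later for classes).
# Stand-in for a CA configuration object: the backing store is a hashtable instead
# of the real CA configuration.
class CaConfigEntry {
    hidden [hashtable]$Original   # values as read from the CA
    hidden [hashtable]$Current    # values as edited by the caller
    [bool]$IsModified             # True only while Current differs from Original

    CaConfigEntry([hashtable]$store) {
        $this.Original   = $store.Clone()
        $this.Current    = $store.Clone()
        $this.IsModified = $false
    }

    # Edits one setting and recomputes IsModified, so setting a value back to its
    # original value clears the flag again instead of forcing a pointless write.
    [void] SetValue([string]$name, [object]$value) {
        if (-not $this.Current.ContainsKey($name)) { throw "Unknown setting '$name'." }
        $this.Current[$name] = $value
        $modified = $false
        foreach ($key in $this.Current.Keys) {
            if ($this.Current[$key] -ne $this.Original[$key]) { $modified = $true }
        }
        $this.IsModified = $modified
    }

    # Writes the object back only when something changed and reports whether it did.
    [bool] SetInfo([hashtable]$store) {
        if (-not $this.IsModified) { return $false }
        foreach ($key in $this.Current.Keys) { $store[$key] = $this.Current[$key] }
        $this.Original   = $this.Current.Clone()
        $this.IsModified = $false
        return $true
    }
}

# Constructed sample: two CRL publishing settings as they might be read from a CA.
$caConfig = @{ CRLPeriod = 'Weeks'; CRLPeriodUnits = 1 }
$entry = [CaConfigEntry]::new($caConfig)

$entry.SetValue('CRLPeriodUnits', 1)     # same value: IsModified stays False
$entry.SetValue('CRLPeriodUnits', 2)     # real change: IsModified becomes True

# The restart is tied to the return value of SetInfo(), not to the caller's belief
# that something changed; -WhatIf keeps this sample from restarting a real service.
if ($entry.SetInfo($caConfig)) {
    Restart-Service -Name CertSvc -WhatIf
} else {
    Write-Verbose 'Nothing was written; CA service restart skipped.' -Verbose
}
```

The point of routing the restart decision through SetInfo() rather than through IsModified alone is that the write and the decision cannot drift apart: whatever actually reached the CA configuration is what decides whether the service bounce is needed.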

A lot of bugs were fixed since v1.5 was released. This is the list of fixed bugs:

I was also working with a customer who was able to reproduce the issue with DateTime formats in the Get-Failed/Issued/Pending/Revoked request commands, as discussed here: http://pspki.codeplex.com/discussions/281033. After some research I found why it may fail even on the same machine: a DateTime in PowerShell can have two string forms, with culture-specific formatting or without it:

[↓] [vPodans] (Get-Date).ToString()
13.06.2012 19:46:50
[↓] [vPodans] "$(Get-Date)"
06/13/2012 19:47:05
[↓] [vPodans]

The ToString() method uses culture-specific formatting; when an expression is placed in double quotes, however, the date and time are formatted without culture-specific formatting (culture invariant), and that is what ends up in the -Filter parameter. This is the default behavior and is very handy. I wrote a little date/time converter that passes the correct object to the ICertView COM interface (so the date/time regional settings don't matter).
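
The following is an added example, not the module's own converter, showing one way to normalize the date text found in a -Filter string so that both of the forms shown above resolve to the same DateTime regardless of regional settings. The function names ConvertTo-FilterDateTime and Convert-DateFilter, the assumption that a filter has the shape "<Column> -<operator> <value>", and the list of date-valued CA database columns are all assumptions made for this example.

```powershell
# Added example (not PSPKI module code). Turns the date/time text found in a
# -Filter string into a DateTime no matter which regional settings the caller has.
function ConvertTo-FilterDateTime {
    [CmdletBinding()]
    [OutputType([datetime])]
    param(
        [Parameter(Mandatory)]
        [string]$Value
    )
    $invariant = [System.Globalization.CultureInfo]::InvariantCulture
    $current   = [System.Globalization.CultureInfo]::CurrentCulture
    $styles    = [System.Globalization.DateTimeStyles]::AllowWhiteSpaces
    [datetime]$parsed = [datetime]::MinValue

    # 1. Culture-invariant shapes: the ISO 8601 round-trip format ("o") and the
    #    MM/dd/yyyy HH:mm:ss text that string expansion ("$(Get-Date)") emits.
    #    Tried first because they are unambiguous.
    $invariantFormats = [string[]]@('o', 'MM/dd/yyyy HH:mm:ss', 'MM/dd/yyyy')
    if ([datetime]::TryParseExact($Value, $invariantFormats, $invariant, $styles, [ref]$parsed)) {
        return $parsed
    }
    # 2. Culture-specific shape that (Get-Date).ToString() emits, e.g. 13.06.2012 19:46:50
    #    on a machine whose short date pattern is dd.MM.yyyy.
    if ([datetime]::TryParse($Value, $current, $styles, [ref]$parsed)) {
        return $parsed
    }
    throw "'$Value' is neither an invariant (MM/dd/yyyy HH:mm:ss) nor a '$($current.Name)' date/time."
}

# Splits a simple "<Column> -<operator> <value>" filter (the only shape assumed here)
# and converts the value when the column holds a date. The column list is an
# assumption for this example, not taken from the module.
function Convert-DateFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Filter
    )
    $dateColumns = 'NotBefore', 'NotAfter', 'Request.SubmittedWhen', 'Request.ResolvedWhen', 'Request.RevokedWhen'
    if (-not ($Filter -match '^\s*(?<col>\S+)\s+-(?<op>eq|ne|gt|ge|lt|le)\s+(?<val>.+?)\s*$')) {
        throw "Unsupported filter syntax: '$Filter'"
    }
    # Capture the groups before calling anything else that might touch $Matches.
    $column   = $Matches['col']
    $operator = $Matches['op']
    $value    = $Matches['val']
    if ($dateColumns -contains $column) {
        $value = ConvertTo-FilterDateTime -Value $value
    }
    [pscustomobject]@{
        Column   = $column
        Operator = $operator
        Value    = $value          # a [datetime] for date columns, the raw string otherwise
    }
}

# Constructed sample input: the invariant text that "$(Get-Date)" puts into a filter,
# the ISO round-trip form, and a non-date column that must pass through untouched.
Convert-DateFilter -Filter "NotAfter -le 06/13/2012 19:47:05"
Convert-DateFilter -Filter "NotAfter -le 2012-06-13T19:47:05.0000000"
Convert-DateFilter -Filter "Request.Disposition -eq 20"
```

One caveat the two-step order cannot remove: the invariant form is tried first, so a value such as 06/12/2012 that ToString() produced under a culture that also uses "/" but orders day before month (en-GB, for example) is read as 12 June rather than 6 December. Text alone cannot distinguish the two, which is why passing a [datetime] object, or formatting it with the "o" round-trip format, is the safe choice when building filters in scripts that run under more than one regional setting.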

Preparing to Windows Server 2012

I spent some time providing Windows Server 2012 (RC) support (v1.5 doesn't work there as expected). From now on, the module can work on Windows Server 2012 and handle CAs installed on the new operating system. However, there are a few things which still need to be fixed. For example, the Restore-* commands use hardcoded default values to restore to the default state, and the Windows Server 2012 default settings differ from those in Windows Server 2008 R2. I'm now working on various operating system installations to get the right values for each of them. The CertificateAuthority object will contain an internal property (Version) which holds the value of the Version entry, and the Restore-* commands will refer to a special table that gives the right value for the specified operating system version.

Other stuff

I also spent some time developing other miscellaneous classes/tools. One of them is a more-or-less generic ASN.1 parser. ASN.1 is the core syntax for almost all cryptographic objects; unfortunately, it is not the easiest syntax in the world. But I was successful here, and this parser is used in many custom objects (such as X509CRL2, X509CTL, X509CertificateRequest and so on). In addition, I wrote a set of classes that implement an OCSP client tool. This is a standalone tool (it is not integrated with the system). By using these classes you can check your (or someone else's) Online Responder for configuration correctness and identify unobvious misconfigurations which cause the integrated OCSP client to fail. I'll cover the OCSP classes and how to work with them in the next post (or posts).

Download PowerShell PKI Module v1.8 now!

