
Prologue
First, I want to thank Kirk Munro, who helped me with working in the PowerGUI Admin console. It was a surprise for me, as a scripting guy with 2 years of experience with the PowerGUI Script Editor. Since this is my first experience with the PowerGUI Admin console, it might not be ideal, but it works :)
General part
Prerequisites: to run this PowerPack you will need at least:
- PowerShell V2 installed;
- Windows Server 2003 or Windows XP with AdminPack installed (or Windows Vista with RSAT).
What does this PowerPack contain right now? It contains several management nodes for:
- Enterprise Certification Authority (CA) management;
- Local certificate store management;
- Online Certificate Status Protocol (OCSP) Responders.
Certification Authorities
Using the Certification Authorities node you can perform CA-related tasks, such as reviewing CRL Distribution Points (CDP)/Authority Information Access (AIA) settings, reviewing CRLs and publishing new ones. You can also change CRL publishing periods, including overlap settings. One of the most important features is CA folder browsing: Revoked Certificates, Issued Certificates, Pending requests, Failed requests and CA issued certificate templates. Using CryptoAPI managed interfaces, you can now revoke/unrevoke certificates, issue or deny pending requests for certificates, add/remove certificate templates to issue, etc.
Certificates
Using the Certificates node you can manage certificates in local stores. The following tasks are included:
- import/export certificates using various certificate types (such as CER/pkcs12/pkcs7/SST);
- copy/move certificates between stores;
- delete a certificate from a store;
- validate certificates by passing them through the certificate chaining engine;
- if you have a signing certificate in the Personal store, improved file signing capabilities will be available to you.
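The chain-validation task from the list above, sketched with the .NET `X509Chain` class, which wraps the Windows certificate chaining engine. This is an added example, not code from the PowerPack; the function name `Test-CertificateChain` and the choice of the current user's Personal store are assumptions.

```powershell
function Test-CertificateChain {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Online = fetch CRL/OCSP data; Offline = cached data only; NoCheck = skip revocation
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online'
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = $RevocationMode
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
        # NoFlag: ignore nothing (expiry, untrusted root, unknown revocation status all fail)
        $chain.ChainPolicy.VerificationFlags = 'NoFlag'
        $trusted = $chain.Build($Certificate)

        # Per-element status shows which certificate in the path caused a failure
        $path = foreach ($element in $chain.ChainElements) {
            $status = @($element.ChainElementStatus | ForEach-Object { $_.Status })
            if ($status.Count -eq 0) { $status = @('NoError') }
            '{0} [{1}]' -f $element.Certificate.Subject, ($status -join ', ')
        }
        # Aggregated status flags for the whole chain
        $errors = @($chain.ChainStatus | ForEach-Object { $_.Status })

        New-Object PSObject -Property @{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            Trusted    = $trusted
            Errors     = ($errors -join ', ')
            Path       = $path
        }
        $chain.Reset()
    }
}

# Validate every certificate in the current user's Personal store
Get-ChildItem Cert:\CurrentUser\My | Test-CertificateChain |
    Format-List Subject, Thumbprint, Trusted, Errors, Path
```

A result with `Trusted` set to False and `RevocationStatusUnknown` in `Errors` usually means the CDP or OCSP URLs in the certificate could not be reached, which is worth distinguishing from an actual `Revoked` status.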
OCSP Responders
Using the OCSP Responders node you can review all specified OCSP Responder settings. In the next releases I will add the ability to change OCSP settings. Important: to manage OCSP Responders you will need at least one responder installed on any Enterprise CA, and you must run the script on at least Windows Server 2008 or Windows Vista with RSAT installed.
ScreenShots
You may review some screenshots for this PowerPack:
- Certification Authorities node general view
- CA database 'Issued certificates' folder view
- OCSP responders general node
- OCSP revocation configuration view
- Certificates node view (available in LocalSystem PowerPack too)
Epilogue
If you are interested in this PowerPack and have the resources to check it, please leave feedback so that I can make it more useful. You may request features (they will be implemented where possible). If you find errors in behavior or in code, let me know about it. I have left some comments in the code, so you can review them and advise better ways to solve these tasks.
Updated 05 November 2009
- I have added a new feature for CRL/CRT/OCSP URLs: priority change. If you need to change a specified URL's priority, just press the Increase/Decrease URL priority button in the View AIA/CDP paths sections. This is applicable only to URLs that are published in the issued certificates' extensions.
- Added a URL to the PowerPack, so you will be able to check it for updates.
Updated 06 November 2009
- Added Certification Authority name sanitization in CDP/AIA URLs;
- Fixed template partial resolution from OID to CommonName in CA Folders view;
- Fixed display value in Archived Key column in CA Folders view;
- Added a Date/Time picker for certificate revocation (when you call the Revoke Certificate action) in the Issued Certificates folder. Now you can select the date and time when the certificate will be considered revoked. By default the current date and time is used.
Updated 12 November 2009 (version 0.0.0.25)
- Updated CA name sanitization;
- Fixed an error in the Add template to issue dialog window (a date picker wrongly appeared there);
- Function scope changed from global to script-local, and some functions were removed (combined with others that have similar purposes);
- Minor changes to decrease memory consumption (in CA Folders view).
Updated 15 November 2009 (version 1.0.0.0)
- Added code for the View request link in CA Folders view to view request data in a readable format. At this time this is the single point where I don't use native PowerShell capabilities. This functionality is implemented using the certutil.exe utility. I need additional research to programmatically decode PKCS#10/CMC requests to a readable format. I believe that I will be able to figure this out;
- Now I'm going to the initial PowerPack release with version 1.0.0.0. All currently announced functionality is implemented and works as expected. This doesn't mean that I will stop PowerPack development. In future releases new features will be added, such as a 'Submit new request' form, Key Recovery Agent management, archived key recovery from the CA database, etc. But this will be implemented in future releases. I hope you will find some interesting things in my PowerPack.
Enjoy! Greetings!
As always enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP/Port usage, admin's automation tools, PowerShell and PowerGUI! © Flowering Weeds & Sysadmins LV