
Prologue
First, I want to thank Kirk Munro, who helped me with working in the PowerGUI Admin Console. It was a surprise for me, a scripting guy with 2 years of experience with PowerGUI Script Editor. Since this is my first experience with the PowerGUI Admin Console, it might not be ideal, but it works :)
General part
Prerequisites: to run this PowerPack you will need at least:
- PowerShell V2 installed;
- Windows Server 2003 or Windows XP with AdminPack installed (or Windows Vista with RSAT);
- Quest Active Directory cmdlets v1.4.2 or higher;
- PowerGUI Admin Console MUST be launched in STA (Single-Threaded Apartment) mode. For additional info please refer to the following page: Admin Console FAQ
What does this PowerPack contain right now? It contains several management nodes for:
- Enterprise Certification Authority (CA) management;
- Local certificate store management;
- Online Certificate Status Protocol (OCSP) Responders.
- Active Directory PKI-related container management.
Certification Authorities
Using the Certification Authorities node you can do CA-related tasks, such as reviewing CRL Distribution Points (CDP)/Authority Information Access (AIA) settings, reviewing CRLs and publishing new ones. You can also change CRL publishing periods, including overlap settings. One of the most important features is CA folder browsing: Revoked Certificates, Issued Certificates, Pending requests, Failed requests and CA issued certificate templates. Using CryptoAPI managed interfaces, you can now revoke/unrevoke certificates, issue or deny pending certificate requests, add/remove certificate templates to issue, etc.
Certificates
Using the Certificates node you can manage certificates in local stores. The following tasks are included:
- import/export certificates using various certificate formats (such as CER/pkcs12/pkcs7/SST);
- copy/move certificates between stores;
- delete certificate from store;
- validate certificates passing them through certificate chaining engine;
- if you have a signing certificate in the Personal store, improved file signing capabilities will be available to you.
OCSP Responders
Using the OCSP Responders node you can review all specified OCSP Responder settings. In the next releases I will add the capability to change OCSP settings. Important: to manage OCSP Responders you will need at least one responder installed on any Enterprise CA, and you must run the script on at least Windows Server 2008 or Windows Vista with RSAT installed.
Screenshots
You may review some screenshots for this PowerPack:
- Certification Authorities node general view;
- CA database 'Issued certificates' folder view;
- OCSP responders general node;
- OCSP revocation configuration view.

Epilogue
If you are interested in this PowerPack and have resources to check it, please leave feedback to allow me to make it more useful. You may request some features (will be implemented as possible). If you find errors in behavior or in code, let me know about this. I have left some comments in the code, so you can review them and advise better ways to solve these tasks.
Updated 05 November 2009
- I have added a new feature for CRL/CRT/OCSP URLs: priority change. If you need to change a specified URL's priority, just press the Increase/Decrease URL priority button in the View AIA/CDP paths sections. This is applicable to URLs that are published in the issued certificate extensions only.
- Added URL to PowerPack, so you will be able to check it for updates
Updated 06 November 2009
- Added Certification Authority name sanitization in CDP/AIA URLs;
- Fixed template partial resolution from OID to CommonName in CA Folders view;
- Fixed display value in Archived Key column in CA Folders view;
- Added a Date/Time picker for certificate revocation (when you call the Revoke Certificate action) in the Issued Certificates folder. Now you can select the date and time when the certificate will be considered revoked. By default the current date and time is used.
Updated 12 November 2009 (version 0.0.0.25)
- Updated CA name sanitization;
- Fixed an error in the Add template to issue dialog window (a date picker wrongly appeared there);
- Function scope changed from global to script-local, and some functions were removed (combined with others that have similar purposes);
- Minor changes to decrease memory consumption (in CA Folders view).
Updated 15 November 2009 (version 1.0.0.0)
- Added code for the View request link in CA Folders view to view request data in a readable format. At this time this is the single point where I don't use native PowerShell capabilities. This functionality is realized using the certutil.exe utility. I need additional research to programmatically decode PKCS#10/CMC requests to a readable format. I believe that I will be able to figure out this point;
- Now I'm going to the initial PowerPack release with version 1.0.0.0. All currently announced functionality is realized and works as expected. This doesn't mean that I will stop PowerPack development. In future releases new features will be added, such as a 'Submit new request' form, Key Recovery Agent management, archived key recovery from the CA database, etc. But this will be implemented in future releases. I hope you will find some interesting things in my PowerPack.
Enjoy! Greetings!
Updated 01 September 2010 (version 1.5.0.0)
- A lot of code now uses native Quest AD Cmdlets (version 1.4.2) so the PowerPack demonstrates new PKI cmdlets in action!
- Added additional error handling.
- In the Certification Authorities node, added properties that contain helpful information about CA CRL status. In addition, the View CRL action was revisited and renamed to View CRL Info.
- Added Active Directory PKI node that contains the most common AD PKI-related containers. You will be able to review container contents and publish/unpublish certificates/CRLs by using new actions.
- Changed Enterprise OCSP location behavior. Now the PowerPack realizes the same behavior as is implemented in the pkiview.msc MMC snap-in. The PowerPack now correctly retrieves all available Enterprise OCSP Responders even if they are not running the CA service.
- For Certificates node added two subcontainers (subnodes, as shown in the last screenshot) — Certificates and CRLs. This allows you to browse both — certificates and CRLs in the local certificate store. For CRLs added new basic actions.
- Revisited certificate export and import actions. In addition to Quest AD cmdlet usage, the interface is provided in GUI form. So now you will be able to use standard dialogs to select a file to save/open.
As always enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP/Port usage, admin's automation tools, PowerShell and PowerGUI! © Flowering Weeds & Sysadmins LV