denetarik

Running certutil on a CRL dumps the CRL details, including the number of entries in the CRL: certutil <TargetCRL.crl> | findstr "Entries"

A certificate can be revoked for a number of reasons, and those are specified in the CRL as per RFC 5280 Section 5.3.1: CRLReason unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged (3), superseded (4), cessationOfOperation (5), certificateHold (6), removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10) Value 7 is not used, removeFromCRL is only applicable to delta CRLs and certificateHold is a reversible revocation (can be "unrevoked" at a later stage). Please note that certificateHold is not an acceptable revocation reason in publicly trusted server certificates, as per CA/B Forum Baseline Requirements. https://tools.ietf.org/html/rfc5280#section-5.3.1 https://en.wikipedia.org/wiki/Certificate_revocation_list#Reasons_for_revocation https://cabforum.org/baseline-requir...

Given the healthy trend towards decreasing certificate validity periods, it is very likely that the size of an AD CS Certification Authority database will grow following that same trend. Despite regular maintenance activities including deletion of records such as failed, denied etc. it could be that at some point the CA database reaches a problematic size. Deleting records from an AD CS CA database will internally free up the space previously occupied by those records but will not decrease the size of the database file itself. I.e. new records will reuse the freed up space but the total space used by the database file will not decrease. This helps keeping the database size under control but does not help if the size had already increased over acceptable limits; in this case the database must be compacted. The CA is often a critical resource, so it is recommended to keep various backups of different nature, to try to make sure we can recover it in case something goes wrong. Here a ...

Useful for AD CS Certification Authority queries with certutil -view : Disposition values for requests in the queue: Disposition    Description 8                     Request is being processed 9                     Request is taken under submission 12                   Certificate is an archived foreign certificate 15                   Certificate is a CA certificate 16                   Parent CA certificates of the CA certificate 17                   Certificate is a key rec...

Cisco Identity Service Engine (ISE) devices for network authentication seem to have a "feature" that generates PKCS#10 CSRs with the SHA1 hash of an empty string in the Subject Key Identifier (SKI) extension: da39a3ee5e6b4b0d3255bfef95601890afd80709 A Microsoft AD CS based Certification Authority, when presented with such a CSR, does not re-compute and overwrite the incorrect SKI extension included in the CSR but simply carries it over and adds it to the issued certificate: It seems this is an issue that Microsoft have suffered from themselves: https://crt.sh/?ski=da39a3ee5e6b4b0d3255bfef95601890afd80709 As per RFC 5280 the SKI value should be derived from the public key, but it is just an RFC 2119 SHOULD... https://tools.ietf.org/html/rfc5280#section-4.2.1.2 https://www.ietf.org/rfc/rfc2119.txt

The certutil -sign verb allows, according to the documentation, to re-sign a certificate, but I was wondering whether "re-sign" includes signing a certificate that has previously been signed by another Certification Authority. The use case I had in mind was accepting self-signed certificates as a form of certificate signing requests. There are a number of software products out there that, out of the box, provide the ability to generate a self-signed certificate to be used for testing or for the initial setup before a certificate signed by a CA is configured. So I wanted to test whether those self-signed certificates (assuming they are securely generated during installation and not simply included with the software) could be used as a request to a CA. The idea would then be to get a self-signed certificate and try to sign it with an AD CS Certification Authority using certutil -sign . For testing purposes I exported one of the trusted Root CAs in the system (a self-signed c...

In an AD CS Certification Authority database, the Subject Alternative Name (SAN) extension (OID 2.5.29.17) for a certificate is stored in a single row in the Extension table. The schema for the Extension table is: where 4096 is the maximum length of the raw extension value in bytes. That means that in a Microsoft AD CS Certification Authority, the maximum number of SAN entries that can be added to a certificate is not constrained by the number of entries itself but by the total size of the extension, that cannot exceed 4096 bytes. https://social.technet.microsoft.com/wiki/contents/articles/3306.pki-faq-what-is-the-maximum-number-of-names-that-can-be-included-in-the-san-extension.aspx Update : Microsoft has now provided a way of increasing that limit to 16.384 bytes, given the required updates have been applied: How to expand the maximum extension size limit at AD CS

Using certutil we can query the schema of the Certification Authority database: certutil -schema If the AD CS role is not installed locally but on a remote computer the -config flag is required: certutil -config <CAConfigString> -schema The commands above return the column names (useful for any certutil database query using the -view flag), the column friendly name, the data type and the maximum length in bytes, including an " Indexed " comment on those indexed columns (useful for query design). Querying the database schema is useful prior to preparing a CA database query, in order to understand the columns available in the database, their data types and whether they are indexed or not. The CA database has 4 different tables, and certutil -schema returns by default the schema of the Request and Certificate table, but adding a parameter to the command will display the schema of the other 3 tables available: Extension table - Ext certutil -schema Ext ...

Given a private key file and a certificate, both in PEM format, we can create a PKCS#12 file (.p12, .pfx) using OpenSSL: openssl pkcs12 -export -out <P12File.pfx> -inkey <keyfile.pem> -in <certfile.pem> https://tools.ietf.org/html/rfc7292   https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs12.html  

Sometimes it is useful to be able to simply re-sign a certificate, without following a complete certificate signing request process. It is better from a secuity point of view to rotate the keys often, but in certain scenarios the ability to modify the lifetime of certificate might come in handy. In those cases certutil can be used to modify the validity of a certificate at will, with its -sign verb. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil#-sign The most straightforward example is a certificate you want to be valid for a few days: certutil -sign <OriginalCertificateFile> <NewCertificateFile> now + 7:00 where <OriginalCertificateFile> is the file containing the certificate you want to re-sign <NewCertificateFile> is the file where the re-signed certificate will be stored now indicates the "Not Before" for the new certificate, setting it to current time 7:00 indicates the validity of the ...

When migrating the AD CS Certification Authority role from Windows 2008 to Windows 2016 directly the CA service fails to start. The issue is just related to the changes implemented in the meantime in the underlying JET database, which break compatibility. An intermediate step is required, restoring the CA role in a Windows 2012 system, i.e.: 1.- Windows 2008 - Take a backup of the CA 2.- Windows 2012 - Restore the CA from the backup taken in Windows 2008 3.- Windows 2012 - Take a backup of the CA 4.- Windows 2016 - Restore the CA from the backup taken in Windows 2012 https://social.technet.microsoft.com/wiki/contents/articles/37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx

To compare the content of 2 files using PowerShell, similar to the diff command in Linux Compare-Object -ReferenceObject (Get-Content $fileOne ) -DifferenceObject (Get-Content $fileTwo )

Check where are PowerShell modules located in the system: $Env:PSModulePath Returns paths to the locations of the modules locally installed. New modules can be copied to one of those locations in order to make them available. Check modules available: Get-Module -ListAvailable

It is useful to be able to remove absolute paths from scripts, letting them run wherever they are located and using only relative paths for any files required during the script execution. In order to achieve this the $PSScriptRoot automatic variable can be used; it only works within a script (its value is $null otherwise) and it contains the fully qualified filesystem path of the directory where the script is. Retrieve the value of the variable at the beginning and then use it to build full paths adding the relative path to it: $ScriptBaseDir = $PSScriptRoot $InputFile    = $ScriptBaseDir\input.csv $OutputFile = $ScriptBaseDir\output.csv

The command to display all certutil options that certutil -h does not disclose certutil -uSAGE

Now that telnet is not allowed... Test-NetConnection -Port <portNumber> -ComputerName <targetHost> https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection

PowerShell version: $PSVersionTable.PSVersion PowerShell edition (Core or Desktop): $PSVersionTable.PSEdition

Although the HTTP Strict Transport Security (HSTS) RFC ( RFC6797 ) allows for multiple HSTS headers to be present: " If a UA receives more than one STS header field in an HTTP response message over secure transport, then the UA MUST process only the first such header field. " this could be problematic, leading to unexpected behaviour, and is therefore flagged as invalid by certain vulnerability scanners. This is often the result of a reverse proxy in front of an application setting the HSTS header in addition to the one already set by the application itself. In Apache HTTPD this could be the case when a directive such as this is used: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" If the reverse proxy is the one controllling the HSTS header the duplicity can be fixed removing the existing header before adding it: Header onsuccess unset Strict-Transport-Security Header always set Strict-Transport-Security "max-age=31...

Often temporary files are required as part of a PowerShell script, to store temporary results etc. The New-TemporaryFile command makes it easy, returning a System.IO.FileInfo object that represents a temporary file created in the TEMP directory of the user running the command.  $TemporaryFile = New-TemporaryFile https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-temporaryfile