PowerShell PKI Module (PSPKI) v3.7
Hello everyone, I’m excited to announce the public availability of PowerShell PKI module v3.7. The new version is a big piece of work around various aspects such as Microsoft Online Responder management and security descriptors. Here is a summary of what we’ve done.
Compatibility
We have added syntax compatibility with PowerShell 6.x and newer PowerShell versions.
New commands
With this version, we begin supporting remote management of Microsoft Online Responder (Microsoft's implementation of an OCSP server) in PowerShell. We have added a set of new commands to manage Online Responder:
- Add-OnlineResponderAcl
- Add-OnlineResponderArrayMember
- Add-OnlineResponderLocalCrlEntry
- Add-OnlineResponderRevocationConfiguration
- Connect-OnlineResponder
- Get-OnlineResponderAcl
- Get-OnlineResponderRevocationConfiguration
- Remove-OnlineResponderAcl
- Remove-OnlineResponderArrayMember
- Remove-OnlineResponderLocalCrlEntry
- Remove-OnlineResponderRevocationConfiguration
- Set-OnlineResponderAcl
- Set-OnlineResponderProperty
- Set-OnlineResponderRevocationConfiguration
- Start-OnlineResponder
- Stop-OnlineResponder
- Restart-OnlineResponder
Renamed commands
To follow the PowerShell command naming convention, the following commands were renamed:
Old name | New name |
---|---|
Get-CASecurityDescriptor | Get-CertificationAuthorityAcl |
Add-CAAccessControlEntry | Add-CertificationAuthorityAcl |
Remove-CAAccessControlEntry | Remove-CertificationAuthorityAcl |
Set-CASecurityDescriptor | Set-CertificationAuthorityAcl |
Get-CASchema | Get-CertificationAuthorityDbSchema |
You can still access these commands via the old names (they are aliases), but the aliases will be removed in the next PSPKI version.
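Because the old names stop working once the aliases are removed, existing automation should be checked before upgrading further. The following is an added example, not part of PSPKI: `Find-RenamedPspkiCommand` is a hypothetical helper that uses the PowerShell parser to find real invocations of the old names from the table above, and the sample script text is constructed.

```powershell
# Added example; Find-RenamedPspkiCommand is a hypothetical helper, not a PSPKI cmdlet.
# Old-to-new names are taken from the rename table in this announcement.
$RenamedPspkiCommands = @{
    'Get-CASecurityDescriptor'    = 'Get-CertificationAuthorityAcl'
    'Add-CAAccessControlEntry'    = 'Add-CertificationAuthorityAcl'
    'Remove-CAAccessControlEntry' = 'Remove-CertificationAuthorityAcl'
    'Set-CASecurityDescriptor'    = 'Set-CertificationAuthorityAcl'
    'Get-CASchema'                = 'Get-CertificationAuthorityDbSchema'
}

function Find-RenamedPspkiCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Source = '<inline>'
    )
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        Write-Warning "$Source has $($errors.Count) parse error(s); results may be incomplete."
    }
    # Match command invocations only, so names inside comments or strings are ignored.
    $commands = $ast.FindAll({ param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)
    foreach ($command in $commands) {
        # Drop a module qualifier such as PSPKI\ before the lookup.
        $name = ("$($command.GetCommandName())" -split '\\')[-1]
        if ($name -and $RenamedPspkiCommands.ContainsKey($name)) {
            [pscustomobject]@{
                Source  = $Source
                Line    = $command.Extent.StartLineNumber
                OldName = $name
                NewName = $RenamedPspkiCommands[$name]
            }
        }
    }
}

# Constructed sample input: one real call and one mention inside a comment.
$sample = @'
# Get-CASchema used to be called here
Get-CertificationAuthority | Get-CASecurityDescriptor
'@
Find-RenamedPspkiCommand -ScriptText $sample -Source 'sample.ps1'
```

To scan files on disk, pass each file's content, for example with `Get-Content -Raw`, as `-ScriptText`.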
Changes in existing commands
We have restyled and unified the syntax of the Access Control List (ACL) management commands. From now on, all ACL-related commands implement standard .NET security descriptor classes (CommonObjectSecurity). The full list of changes in existing cmdlets is shown in the table:
Command name | Changes |
---|---|
Add-CertificateTemplateAcl | |
Get-CertificationAuthorityAcl | Changed type for return value |
Remove-CertificateTemplateAcl | |
Remove-CertificateTemplateAcl | |
Get-CertificationAuthority | |
Bug fixes
The following GitHub items were fixed:
- Parameter set cannot be resolved using the specified named parameters.
- Enable-CRLFlag command is broken
- Provide signature object to Get-AuthenticodeSignature
- Cannot process argument transformation on parameter ‘Encoding’. ‘Byte’ is not a supported encoding name.
- Get-AuthenticodeSignature crashes PowerShell console when PSPKI is loaded
- Get-CertificateRequest does not allow for relative Paths
- Set-Content error when running New-SelfSignedCertificateEx on PowerShell 6.0
- Register-ObjectIdentifier fails when “-UseActiveDirectory” switch is $true
API Changes
New API
We have added lots of new APIs in the following namespaces:
- SysadminsLV.PKI.Management.CertificateServices
- SysadminsLV.PKI.Dcom
- SysadminsLV.PKI.Dcom.Implementations
- SysadminsLV.PKI.Security.AccessControl
Removed API
We removed a set of legacy APIs that were marked Obsolete:
- Method: PKI.CertificateServices.CertificateAuthority.GetSchema()
- Method: PKI.CertificateServices.CertificateAuthority.GetCA()
- Class: PKI.CertificateServices.DB.AdcsDbValue
- Class: PKI.CertificateServices.DB.DataTypeEnum
- Class: PKI.CertificateServices.DB.RequestRow
- Class: PKI.CertificateServices.DB.Schema
- Class: PKI.CertificateServices.DB.TableList
- Class: PKI.ServiceProviders.ALG_ID
- Class: PKI.ServiceProviders.ALG_IDCollection
- Class: PKI.ServiceProviders.ALG_ID_CNG
- Class: PKI.ServiceProviders.ALG_ID_CNGCollection
- Class: PKI.ServiceProviders.Csp
- Class: PKI.ServiceProviders.CspCNG
- Class: PKI.ServiceProviders.CspCNGCollection
- Class: PKI.ServiceProviders.CspCollection
- Class: PKI.ServiceProviders.CspLegacy
- Class: PKI.ServiceProviders.CspObject
- Class: PKI.ServiceProviders.ProviderAlgorithm
- Class: PKI.Security.AccessControlEntry2
- Class: PKI.Security.AccessControlEntry2
- Class: PKI.Security.SecurityDescriptor
- Class: PKI.Security.AccessControlEntry2
Obsolete API
We marked a set of APIs with the Obsolete attribute:
- Ctor: PKI.CertificateServices.CertificateAuthority(String, String) moved to PKI.CertificateServices.CertificateAuthority.Connect() static method
- Prop: PKI.CertificateServices.CertificateAuthority.BaseCRL moved to GetBaseCRL() instance method
- Prop: PKI.CertificateServices.CertificateAuthority.DeltaCRL moved to GetDeltaCRL() instance method
- Prop: PKI.CertificateServices.CertificateAuthority.EnrollmentServiceURI renamed to EnrollmentEndpoints
- Prop: SysadminsLV.PKI.Management.ActiveDirectory.DsCertEnrollContainer.CertificationAuthorities renamed to EnrollmentServers
We will remove these APIs in upcoming versions.
Download
As always:
- PowerShell Gallery: PSPKI
- Offline ZIP copy: PowerShell PKI Module