19 January 2017

Install the Microsoft Exchange 2013 Management Tools prerequisites on Windows 10 with PowerShell

The Exchange 2013 Management Tools setup checks for a handful of IIS components and for .NET Framework 3.5, none of which are enabled on a default Windows 10 installation. Enable them from an elevated PowerShell prompt:

IIS:
Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerRole
Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerManagementTools
Enable-WindowsOptionalFeature -Online -FeatureName IIS-IIS6ManagementCompatibility
Enable-WindowsOptionalFeature -Online -FeatureName IIS-Metabase
Enable-WindowsOptionalFeature -Online -FeatureName IIS-LegacySnapIn
.NET 3.5:
# Path to the sources\sxs folder of Windows 10 installation media (example path, adjust to your own)
$LocalSource = "D:\sources\sxs"
Write-Host "Installing .NET Framework 3.5, do not close this prompt..."
DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:$LocalSource | Out-Null
# Check the resulting feature state rather than trusting the DISM exit status
$Result = DISM /Online /Get-FeatureInfo /FeatureName:NetFx3
If (($Result -join "`n") -match "State\s*:\s*Enabled")
{
Write-Host "Installed .NET Framework 3.5 successfully."
}
Else
{
Write-Host "Failed to install .NET Framework 3.5, please make sure the local source is correct."
}
If no installation media is at hand, omit /Source and /LimitAccess so that DISM downloads the payload from Windows Update instead:
DISM /Online /Enable-Feature /FeatureName:NetFx3
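The same procedure as one idempotent script, added here as an example and not part of the original post: each IIS component is enabled only if it is not already enabled, .NET 3.5 is installed from a local sources\sxs folder when one exists and from Windows Update otherwise, and the end state of every feature is re-read instead of trusting the cmdlet output. $Sxs is an assumed example path; the feature names are the ones listed above.

```powershell
# Added example (not from the original post): idempotent version of the
# procedure above. Run from an elevated PowerShell prompt.
# $Sxs is an assumed example path (the sources\sxs folder of mounted
# Windows 10 media); set it to your own path or to $null.

$Sxs = 'D:\sources\sxs'

# IIS components the Exchange 2013 Management Tools setup checks for,
# parents before children so each parent is already enabled when its child is handled.
$IisFeatures = @(
    'IIS-WebServerRole',
    'IIS-WebServerManagementTools',
    'IIS-IIS6ManagementCompatibility',
    'IIS-Metabase',
    'IIS-LegacySnapIn'
)

function Enable-FeatureIfMissing {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Source        # optional local payload folder; empty = Windows Update
    )
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $Name).State
    if ($state -eq 'Enabled') {
        Write-Host "$Name already enabled, skipping."
        return $true
    }
    $params = @{ Online = $true; FeatureName = $Name; All = $true; NoRestart = $true }
    if ($Source) {
        # -LimitAccess keeps DISM from contacting Windows Update when a local source is supplied
        $params['Source']      = $Source
        $params['LimitAccess'] = $true
    }
    Write-Host "Enabling $Name ..."
    try {
        $null = Enable-WindowsOptionalFeature @params -ErrorAction Stop
    } catch {
        Write-Warning "Enable-WindowsOptionalFeature $Name failed: $($_.Exception.Message)"
        return $false
    }
    # Re-read the state so a silent failure shows up here rather than at Exchange setup time.
    return ((Get-WindowsOptionalFeature -Online -FeatureName $Name).State -eq 'Enabled')
}

$failed = @()
foreach ($f in $IisFeatures) {
    if (-not (Enable-FeatureIfMissing -Name $f)) { $failed += $f }
}

# .NET 3.5 ships without its payload on Windows 10, hence the local source or Windows Update.
$sourceToUse = if ($Sxs -and (Test-Path $Sxs)) { $Sxs } else { $null }
if (-not $sourceToUse) { Write-Host 'No local sxs folder found; the NetFx3 payload will come from Windows Update.' }
if (-not (Enable-FeatureIfMissing -Name 'NetFx3' -Source $sourceToUse)) { $failed += 'NetFx3' }

if ($failed.Count) {
    Write-Warning ("Not enabled: {0}. See $env:windir\Logs\DISM\dism.log for details." -f ($failed -join ', '))
} else {
    Write-Host 'All Exchange 2013 Management Tools prerequisites are enabled. A reboot may still be pending.'
}
```

Because every feature is checked before it is touched, the script can be re-run after a reboot or a failed Windows Update download without side effects.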

10 January 2017

Cleaning up the CA database after renewing your Issuing-CA certificate

After renewing your Issuing-CA certificate is a good moment to clean up the CA's internal database.
Depending on how many certificates the CA has issued it can grow quite large, and a smaller database makes the CA respond faster and reduces the chance of errors.

So to clean the CA database we use Certutil.

Clean up the failed and pending requests submitted before 31 December 2016 (substitute your own cutoff date):
Certutil -Deleterow 31/12/2016 Request
Or, on a system with US regional settings:
Certutil -Deleterow 12/31/2016 Request

Mind the date notation: certutil parses the date according to the regional settings of the account running it, not in a fixed format. In the Netherlands that is dd/mm/yyyy, in the US mm/dd/yyyy, so 12/31/2016 is rejected on a Dutch system and 31/12/2016 on a US one.

Clean up the expired and revoked certificates whose expiry date lies before 31 December 2016:
Certutil -Deleterow 31/12/2016 Cert

This may take some time, since certutil walks every matching row in the database.
Certutil.exe will also delete only about 2,000 - 3,000 records per run before failing with 0xC800042D (-939523027, JET_errVersionStoreOutOfMemory), because the database engine's version store fills up. The rows deleted up to that point are gone, so the fix is to wrap the command in a simple batch file (as shown below) that repeats it until the exit code is no longer that error, i.e. until all the designated records have been removed.

Batch file:

@echo off
REM Re-run certutil until it stops failing with 0xC800042D (-939523027,
REM JET_errVersionStoreOutOfMemory); every pass deletes a few thousand rows.
:Top
Certutil -deleterow 31/12/2016 Request
if %ERRORLEVEL% EQU -939523027 goto Top

Or for the certificates:

@echo off
:Top
Certutil -deleterow 31/12/2016 Cert
if %ERRORLEVEL% EQU -939523027 goto Top
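The same clean-up driven from PowerShell, added here as an example and not part of the original post: it backs up the CA database before deleting anything, builds the cutoff date in the right dd/mm or mm/dd order for the regional settings of the running account instead of typing it by hand, and loops both the Request and the Cert table until certutil stops returning the version-store error. $Cutoff and $BackupRoot are placeholders; the script assumes it runs elevated on the CA itself and that certutil accepts a slash-separated date in the user's regional day/month order, which is the behaviour described above.

```powershell
# Added example (not from the original post): certutil -deleterow for both
# tables, repeated until the version store no longer runs out.
# Assumptions: run elevated on the CA; $Cutoff and $BackupRoot are placeholders;
# certutil parses the date in the running user's regional day/month order.

$Cutoff     = Get-Date -Year 2016 -Month 12 -Day 31
$BackupRoot = 'C:\CABackup'

# Month-first cultures (en-US: 'M/d/yyyy') get mm/dd/yyyy, everything else dd/mm/yyyy.
# InvariantCulture keeps the '/' literal; in a culture-aware format it would turn into '-' on nl-NL.
$pattern = (Get-Culture).DateTimeFormat.ShortDatePattern
$CutoffText = if ($pattern -match '^M') {
    $Cutoff.ToString('MM/dd/yyyy', [cultureinfo]::InvariantCulture)
} else {
    $Cutoff.ToString('dd/MM/yyyy', [cultureinfo]::InvariantCulture)
}

# certutil reports a full version store as HRESULT 0xC800042D (ESE error -1069,
# JET_errVersionStoreOutOfMemory); as a signed process exit code that is -939523027.
$VersionStoreExhausted = -939523027

# Deleted rows cannot be recovered, so take a database backup first.
$BackupDir = Join-Path $BackupRoot ('before-deleterow-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
certutil -backupdb $BackupDir | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw ('certutil -backupdb failed with exit code {0} (0x{0:X8}); nothing was deleted.' -f $LASTEXITCODE)
}

function Invoke-DeleteRowUntilDone {
    param(
        [Parameter(Mandatory)] [string] $DateText,
        [Parameter(Mandatory)] [ValidateSet('Request', 'Cert')] [string] $Table
    )
    $pass = 0
    do {
        $pass++
        Write-Host ('Pass {0}: certutil -deleterow {1} {2}' -f $pass, $DateText, $Table)
        certutil -deleterow $DateText $Table | Out-Null
        $code = $LASTEXITCODE
        # A version-store failure has already deleted the rows it processed, so simply go again.
    } while ($code -eq $VersionStoreExhausted)

    if ($code -ne 0) {
        Write-Warning ('certutil -deleterow {0} ended with exit code {1} (0x{1:X8}) after {2} pass(es).' -f $Table, $code, $pass)
        return $false
    }
    Write-Host ('{0} table cleaned in {1} pass(es).' -f $Table, $pass)
    return $true
}

# Request: failed and pending requests submitted before the cutoff.
# Cert: expired and revoked certificates whose expiry date is before the cutoff.
$ok = Invoke-DeleteRowUntilDone -DateText $CutoffText -Table 'Request'
if ($ok) { $ok = Invoke-DeleteRowUntilDone -DateText $CutoffText -Table 'Cert' }
if ($ok) { Write-Host "Done. Backup of the pre-cleanup database is in $BackupDir." }
```

Any exit code other than 0 or -939523027 stops the run, so a typo in the date or a CA that is not running does not silently turn into an endless loop the way an unconditional goto would.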



05 January 2017

AIA and CDP Variable Definitions - What does the % sign stand for

AIA and CDP Variable Definitions

Variable  Name              Description
%1        ServerDNSName     The CA computer's Domain Name System (DNS) name
%2        ServerShortName   The CA computer's NetBIOS name
%3        CAName            The CA's logical name
%4        CertificateName   The name of the CA's certificate file
%5        DomainDN          Not used in the Windows Server 2003 PKI
%6        ConfigDN          The Lightweight Directory Access Protocol (LDAP) path of the forest's configuration naming context
%7        CATruncatedName   The CA's "sanitized" name
%8        CRLNameSuffix     The CRL's renewal extension
%9        DeltaCRLAllowed   Indicates whether delta CRLs are supported by the CA
%10       CDPObjectClass    Indicates that the object is a CDP object in AD DS
%11       CAObjectClass     Indicates that the object is a CA certificate object in AD DS
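To see what the variables turn into, the following added example (not code from the original post) expands the default CDP and AIA publication templates of a Windows CA against the table above. The CA values are constructed sample data for a fictional "Corp Issuing CA"; on a real CA the templates come from the CRLPublicationURLs and CACertPublicationURLs registry values under HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>, each prefixed with a publishing-flags number and a colon, and the CA itself fills in the variables at publication time.

```powershell
# Added example (not from the original post): expand %1..%11 in the CA's
# default CDP/AIA templates. All CA values below are constructed sample data.

function Expand-CAUrlTemplate {
    param(
        [Parameter(Mandatory)] [string]    $Template,
        [Parameter(Mandatory)] [hashtable] $Vars      # keys 1..11 -> replacement text
    )
    $out = $Template
    # Two-digit variables first: replacing "%1" before "%10" and "%11" would
    # turn "%10" into "<ServerDNSName>0".
    foreach ($n in 11..1) {
        $out = $out.Replace("%$n", [string]$Vars[$n])
    }
    # %WINDIR% in the file-system template is an ordinary environment variable, not a CA variable.
    return [Environment]::ExpandEnvironmentVariables($out)
}

function Split-PublicationEntry {
    # Registry entries look like "79:ldap:///CN=%7%8,...": flags bitmask, colon, template.
    param([Parameter(Mandatory)] [string] $Entry)
    $flags, $template = $Entry -split ':', 2
    return [pscustomobject]@{ Flags = [int]$flags; Template = $template }
}

$CAVars = @{
    1  = 'ca01.corp.example.com'                        # ServerDNSName
    2  = 'CA01'                                         # ServerShortName
    3  = 'Corp Issuing CA'                              # CAName
    4  = ''                                             # CertificateName: '' for the first CA certificate
    5  = ''                                             # DomainDN: unused
    6  = 'CN=Configuration,DC=corp,DC=example,DC=com'   # ConfigDN
    7  = 'Corp Issuing CA'                              # CATruncatedName: sanitized name, unchanged here (no special characters)
    8  = ''                                             # CRLNameSuffix: '' for the first CA key, '(1)' after a renewal with a new key
    9  = ''                                             # DeltaCRLAllowed: '' when publishing the base CRL, '+' for the delta CRL
    10 = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'   # CDPObjectClass
    11 = '?cACertificate?base?objectClass=certificationAuthority'             # CAObjectClass
}

# Default templates as found in the registry of a Windows Server enterprise CA.
$CdpEntries = @(
    '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    '6:http://%1/CertEnroll/%3%8%9.crl'
)
$AiaEntries = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    '2:http://%1/CertEnroll/%1_%3%4.crt'
)

function Show-Expanded {
    param([string] $Title, [string[]] $Entries, [hashtable] $Vars)
    Write-Host "== $Title =="
    foreach ($e in $Entries) {
        $p = Split-PublicationEntry $e
        Write-Host ('[{0,3}] {1}' -f $p.Flags, (Expand-CAUrlTemplate $p.Template $Vars))
    }
}

Show-Expanded 'CDP (base CRL)' $CdpEntries $CAVars

# The delta CRL uses the same templates; only %9 changes, which gives the "<CA>+.crl" file name.
# The LDAP entry comes out identical because the delta CRL is stored on the same AD object.
$DeltaVars = $CAVars.Clone()
$DeltaVars[9] = '+'
Show-Expanded 'CDP (delta CRL)' $CdpEntries $DeltaVars

Show-Expanded 'AIA' $AiaEntries $CAVars
```

Running it prints, for instance, the LDAP CDP as ldap:///CN=Corp Issuing CA,CN=CA01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint and the HTTP AIA as http://ca01.corp.example.com/CertEnroll/ca01.corp.example.com_Corp Issuing CA.crt, which is why %8 and %4 matter after a renewal with a new key: they are what keeps the old and new CRL and certificate files from overwriting each other.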