Open TheBZKing opened 3 months ago
This means that the SAN extension doesn't exist in the request. I've checked this scenario in my CA:
PS C:\> Connect-CA | Get-AdcsDatabaseRow -Table Extension -RowID 1001423 -Filter "ExtensionName -eq 2.5.29.17"
ExtensionRequestId : 1001423
ExtensionName : 2.5.29.17
ExtensionFlags : 131072
ExtensionRawValue : MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t
ExtensionNameOid : System.Security.Cryptography.Oid
RowId : 1001423
RequestId : 0
ConfigString : redacted\redacted
Table : Extension
Properties : {[ExtensionRequestId, 1001423], [ExtensionName, 2.5.29.17], [ExtensionFlags, 131072], [ExtensionRawValue, MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t]...}
PS C:\>
Hello,
Thank you for your time. Of course I've tested this with a PKI certificate with SAN extension and a filled in DNS name. Could you try this out on a certificate with SAN extension and show me the DNS name in the output? This does not work for me. =(
You need to look into ExtensionRawValue, which contains the ASN.1-encoded SAN extension (in this particular case). You can decode it this way:
PS C:\> $extRawValue = "MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t"
PS C:\> $bin = [convert]::FromBase64String($extRawValue)
PS C:\> ipmo pspki
PS C:\> $extRawValue = "MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t"
PS C:\> $bin = [convert]::FromBase64String($extRawValue)
PS C:\> $asnEncoded = New-Object System.Security.Cryptography.AsnEncodedData (,$bin)
PS C:\> $san = New-Object SysadminsLV.PKI.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $asnEncoded,$false
PS C:\> $san
AlternativeNames Critical Oid RawData
---------------- -------- --- -------
{Other Name:Principal Name=administrator@contoso.com} False Subject Alternative Name (2.5.29.17) {48, 43, 160, 41...
PS C:\> $san.AlternativeNames
Type OID Value RawData
---- --- ----- -------
UserPrincipalName Principal Name (1.3.6.1.4.1.311.20.2.3) administrator@contoso.com {160, 41, 6, 10...}
PS C:\>
$san.AlternativeNames contains a collection of all SAN entries in the extension.
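Putting the two answers together for the original question (checking the requested DNS names before approving), here is an added PowerShell example. It is not code from the PSPKI project or from either participant in this thread: it walks every pending request on a CA, decodes the SAN extension exactly as shown above, and flags DNS names that fall outside an allowed set of suffixes so they can be reviewed before Approve-CertificateRequest is run. Assumptions, not taken from the thread: the CA host name `MyCA` and the allowed suffix list are placeholders; Get-PendingRequest rows expose a `RequestID` property; and an X509AlternativeName of type dNSName renders its `Type` as `DnsName` (the thread only shows `UserPrincipalName` for a UPN entry).

```powershell
# Added example, not part of the thread or the PSPKI module itself.
# Lists the SAN entries of every pending request on a CA and marks DNS names that are
# outside an allowed set of suffixes (and any non-DNS entry) for manual review.
Import-Module PSPKI

$caName        = 'MyCA'              # ASSUMPTION: placeholder CA host name
$allowedSuffix = @('.contoso.com')   # ASSUMPTION: constructed policy, internal zone only
$sanOid        = '2.5.29.17'         # id-ce-subjectAltName, as used in the thread

function Get-RequestedSan {
    param([Parameter(Mandatory)]$CA, [Parameter(Mandatory)][int]$RequestID)
    # One Extension-table row per extension per request. ExtensionRawValue is the Base64
    # DER of the extension value, so it has to be decoded before the names are readable.
    $row = $CA | Get-AdcsDatabaseRow -Table Extension -RowID $RequestID -Filter "ExtensionName -eq $sanOid"
    if (-not $row) { return @() }    # no SAN extension in this request at all
    $bin = [Convert]::FromBase64String($row.ExtensionRawValue)
    $asn = New-Object System.Security.Cryptography.AsnEncodedData (,$bin)
    $san = New-Object SysadminsLV.PKI.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $asn, $false
    return $san.AlternativeNames
}

function Test-DnsNameAllowed {
    param([string]$Name, [string[]]$Suffixes)
    # Suffixes carry a leading dot, so 'notcontoso.com' does not match '.contoso.com'.
    foreach ($s in $Suffixes) {
        if ($Name.ToLowerInvariant().EndsWith($s.ToLowerInvariant())) { return $true }
    }
    return $false
}

$ca = Connect-CertificationAuthority -ComputerName $caName
foreach ($req in ($ca | Get-PendingRequest)) {
    $names = Get-RequestedSan -CA $ca -RequestID $req.RequestID
    foreach ($n in $names) {
        # ASSUMPTION: dNSName entries render their Type as 'DnsName'.
        $verdict = switch ("$($n.Type)") {
            'DnsName' {
                if (Test-DnsNameAllowed $n.Value $allowedSuffix) { 'ok' }
                else { 'REVIEW: DNS name outside allowed zones' }
            }
            default { 'REVIEW: non-DNS SAN entry' }   # UPN, e-mail, IP or URL in a request
        }
        [pscustomobject]@{
            RequestID = $req.RequestID
            Type      = $n.Type
            Value     = $n.Value
            Verdict   = $verdict
        }
    }
}
```

Run against the value shown earlier in this thread, the script reports one `UserPrincipalName` entry for `administrator@contoso.com` and no DNS names, which is why a DNS-only check returned nothing for that request. The suffix match deliberately accepts wildcard names such as `*.contoso.com`; tighten `Test-DnsNameAllowed` if your issuance policy does not permit wildcards.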
I need to check the subject alternative DNS names before issuing a certificate, but Get-PendingRequest and Get-ADCSDatabaseRow both don't display the DNS names.
Connect-CertificationAuthority -ComputerName MyCA | Get-AdcsDatabaseRow -Table Extension -RowID 838 -Filter "ExtensionName -eq 2.5.29.17"