PKISolutions / PSPKI

PowerShell PKI Module
Microsoft Public License

Extension table doesn't show subject alternative name value #214

Open TheBZKing opened 3 months ago

TheBZKing commented 3 months ago

I need to check the subject alternative DNS names before issuing a certificate but the Get-PendingRequest and Get-ADCSDatabaseRow both don't display the DNS names.

Connect-CertificationAuthority -ComputerName MyCA | Get-AdcsDatabaseRow -Table Extension -RowID 838 -Filter "ExtensionName -eq 2.5.29.17"

Crypt32 commented 1 month ago

This means that the SAN extension doesn't exist in the request. I've checked this scenario in my CA:

PS C:\> Connect-CA | Get-AdcsDatabaseRow -Table Extension -RowID 1001423 -Filter "ExtensionName -eq 2.5.29.17"

ExtensionRequestId : 1001423
ExtensionName      : 2.5.29.17
ExtensionFlags     : 131072
ExtensionRawValue  : MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t

ExtensionNameOid   : System.Security.Cryptography.Oid
RowId              : 1001423
RequestId          : 0
ConfigString       : redacted\redacted
Table              : Extension
Properties         : {[ExtensionRequestId, 1001423], [ExtensionName, 2.5.29.17], [ExtensionFlags, 131072], [ExtensionRawValue, MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t]...}

PS C:\>
TheBZKing commented 1 month ago

Hello,

Thank you for your time. Of course I've tested this with a PKI certificate with SAN extension and a filled in DNS name. Could you try this out on a certificate with SAN extension and show me the DNS name in the output? This does not work for me. =(

Crypt32 commented 1 month ago

You need to look into ExtensionRawValue, which contains the ASN.1-encoded SAN extension (in this particular case). You can decode it this way:

PS C:\> ipmo pspki
PS C:\> $extRawValue = "MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t"
PS C:\> $bin = [convert]::FromBase64String($extRawValue)
PS C:\> $asnEncoded = New-Object System.Security.Cryptography.AsnEncodedData (,$bin)
PS C:\> $san = New-Object SysadminsLV.PKI.Cryptography.X509Certificates.X509SubjectAlternativeNamesExtension $asnEncoded,$false
PS C:\> $san

AlternativeNames                                      Critical Oid                                  RawData
----------------                                      -------- ---                                  -------
{Other Name:Principal Name=administrator@contoso.com}    False Subject Alternative Name (2.5.29.17) {48, 43, 160, 41...

PS C:\> $san.AlternativeNames

             Type OID                                     Value                     RawData
             ---- ---                                     -----                     -------
UserPrincipalName Principal Name (1.3.6.1.4.1.311.20.2.3) administrator@contoso.com {160, 41, 6, 10...}

PS C:\>

$san.AlternativeNames contains a collection of all SAN entries in the extension.
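The following is an added example, not code from the PSPKI project or from this thread, showing what the PSPKI one-liner above is actually doing: ExtensionRawValue is the base64 of the DER-encoded GeneralNames SEQUENCE, and a small DER walker is enough to pull the entries out without the module. It decodes the exact ExtensionRawValue posted above (a UPN otherName, which is why no DNS name appears), and goes beyond that case with a constructed second sample that carries dNSName and iPAddress entries, since the original question was about checking DNS names before issuing. The parser only handles the GeneralName choices named in the comments; anything else is reported as unsupported rather than guessed.

```python
"""Decode the GeneralNames payload of an X.509 Subject Alternative Name extension
as stored base64-encoded in the ADCS Extension table's ExtensionRawValue column."""
import base64
import ipaddress

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft User Principal Name otherName type-id

# Value taken verbatim from the thread above (decodes to a UPN otherName).
PAGE_RAW_VALUE = "MCugKQYKKwYBBAGCNxQCA6AbDBlhZG1pbmlzdHJhdG9yQGNvbnRvc28uY29t"

# Constructed sample (not from the thread): SEQUENCE of two dNSName [2] entries
# and one iPAddress [7] entry, hand-encoded in DER.
SAMPLE_DNS_SAN = base64.b64encode(
    b"\x30\x24"
    + b"\x82\x0f" + b"www.contoso.com"
    + b"\x82\x0b" + b"contoso.com"
    + b"\x87\x04" + bytes([10, 0, 0, 1])
).decode()


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER element")
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("DER length runs past end of buffer")
    return tag, data[pos:end], end


def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER content octets into dotted notation."""
    arcs = [str(raw[0] // 40), str(raw[0] % 40)]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)


def decode_san(raw_value_b64):
    """Return a list of (type, value) tuples, one per GeneralName in the extension."""
    der = base64.b64decode(raw_value_b64)
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SAN extension must start with a SEQUENCE")
    names = []
    pos = 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        choice = tag & 0x1F  # context-specific tag number selects the GeneralName CHOICE
        if choice == 0:
            # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            _, oid_raw, p = _read_tlv(val, 0)
            oid = _decode_oid(oid_raw)
            _, explicit, _ = _read_tlv(val, p)    # the [0] EXPLICIT wrapper
            _, inner, _ = _read_tlv(explicit, 0)  # the wrapped value (UTF8String for a UPN)
            label = "UserPrincipalName" if oid == UPN_OID else f"OtherName({oid})"
            names.append((label, inner.decode("utf-8")))
        elif choice == 1:
            names.append(("Rfc822Name", val.decode("ascii")))
        elif choice == 2:
            names.append(("DnsName", val.decode("ascii")))
        elif choice == 6:
            names.append(("Uri", val.decode("ascii")))
        elif choice == 7:
            names.append(("IpAddress", str(ipaddress.ip_address(val))))
        else:
            names.append((f"Unsupported({choice})", val.hex()))
    return names


def dns_names(raw_value_b64):
    """Only the dNSName entries, which is what a pre-issuance DNS check needs."""
    return [value for kind, value in decode_san(raw_value_b64) if kind == "DnsName"]


if __name__ == "__main__":
    for label, b64 in (("thread value", PAGE_RAW_VALUE), ("constructed sample", SAMPLE_DNS_SAN)):
        print(label, decode_san(b64), "DNS:", dns_names(b64))
```

Run against the thread's value, `dns_names()` returns an empty list, which is the observation that started this issue: the request carried a UPN in its SAN, not a DNS name, so there is nothing for the Extension table to show under that heading.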