Hasain Alshakarti

The certificate selection user interface in Windows supports filtering logic to provide a simplified user experience when an application presents multiple certificates. But some applications are not designed to use filtering logic (developers not aware of functionality…) or uses filters that does not provide efficient reduction of the number of certificates presented to the user making it almost impossible for a user to know witch certificate to choose unless opening the certificate and looking at the details of template name, EKU, etc.

This is particularly true when all certificates has been automatically enrolled using the same user DN/CN attribute based on the users Active Directory user object attributes. In addition to that, Autoenrollment does not support variations in certificate subject name unless using some third party policy module installed on the Active Directory Certificates Services.

Knowing that the certificate selection UI supports certificate friendly names. Setting the certificate friendly name to include information about the certificate template can simplify the users task to select the correct certificate.

Friendly names are properties in the X.509 certificate store in Windows that can be set at any time after the certificate has been created/installed in the store.

One way to set the friendly name is through the certificate MMC SnapIn. Alternatively certutil.exe can be used in the following way:

Create a text file containing the following information:

[Version]
Signature = “$Windows NT$”
[Properties]
11 = “{text}My Friendly Name”

Save the file as friendlyname.inf

Determine the serialnumber of the certificate where the friendly name should be changed.

Run the following command at a command-line:
certutil –repairstore –user my {SerialNumber} FriendlyName.inf

Automating the friendly name can be achieved by either automating/scripting the steps above alternatively by creating a tool that enumerates all certificates in the personal store and assign the friendly name.

A proof of concept CertFN.exe tool was created to automate the above. The tool receives a parameter for the template name to use when filtering the user store, it then sets the friendly name based on the schema “Template Name – Certificate Subject Name”

  CertFN - Certificate Friendly Name Tool download:(39.3 KiB, 4,325)

  CertFN - Certificate Friendly Name Tool - The Powershell Edition download:(1.1 KiB, 5,551)

How do I delete all Failed Requests logged on my Certificate Services database?

The Certutil tool can be used to list and delete Failed Requests logged on any ADCS database, but the two operations cannot be combined in one request and you have to manually transfer the request is from the listing of failed requests to the deleterow command.

The attached script combines the two steps and automate the whole process for an easier management task.

/Hasain

———————————–delete_failed_adcs_requests.vbs———————————–

Set objShell = CreateObject("WScript.Shell")

Set objWshScriptExec = objShell.Exec("certutil -silent -view -out ""RequestID"" LogFail")

Set objStdOut = objWshScriptExec.StdOut

Do Until objStdOut.AtEndOfStream
    strLine = objStdOut.ReadLine
    If Len(strLine) > 10 Then

 Set regEx = New RegExp
 regEx.Pattern = "( .*?\(|\))"
 regEx.IgnoreCase = True
 regEx.Global = True
 regEx.MultiLine = True
        WScript.Echo "Deleting: " & strLine
        Set objWshScriptExec = objShell.Exec("certutil -deleterow " & regEx.Replace(strLine, ""))

    End If
Loop

———————————–delete_failed_adcs_requests.vbs———————————–

I was recently involved in a penetration testing activity together with some of my team members at TrueSec and we simply ran into a little issue where we needed to convert some binary files to a more convenient format to be able to transfer to the target system we were working with. This is normally not a big issue but this system was a little bit more tightened than what we normally see at customer’s sites. We could for instance not use WSH to create a decoding script as the system required all scripts running to be signed and when we looked for the debug command it was not there anymore!

 So the challenge was to find a tool already built into the Windows platform that could perform any kind of decoding from text to binary. Since Windows 2000 there is built-in command-line program called certutil.exe for managing Certificate Services and certificate related tasks, this nice tool provides a way to encode and decode files using the Base64 schema. As this tool is one of many built-in tools in Windows, the system did not had any issues to let us use it for the purpose of decoding our Base64 encoded text stream we managed to transfer to the server and the saga could continue as planned, or should I say as we planned 🙂

/Hasain

To import keys using the Microsoft Base Smart Card Crypto Service Provider you need to performe the following steps:

1.  Modify the registry keysbelow:
   • HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateExchangeKeyImport=DWORD:0x1
   • HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider\AllowPrivateSignatureKeyImport=DWORD:0x1
2.  Use the certutil.exe tool to import the key stored in a pfx file:
   •  certutil –csp "Microsoft Base Smart Card Crypto Provider" –importpfx {PFXfile}

/Hasain