Andy Arismendi 03.07.2011 12:51 (GMT+2) How to add FQDN to HP iLO request

After a bit more experimentation I was able to get it using this:

    $ip = [Convert]::ToBase64String(([System.Net.IPAddress] "10.0.1.2").GetAddressBytes())
    (New-Object -ComObject X509Enrollment.CAlternativeName).InitializeFromRawData(8, 0x1, $ip)

-Andy Arismendi
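Editor's note: the two lines above are the whole trick, but they stop short of a usable request. The script below is an added example (it is not Andy's code and not from the article) that puts the same CertEnroll COM objects together into a complete PKCS#10 request carrying both a DNS name and an IP address in the Subject Alternative Name. The host name ilo01.corp.example, the address 10.0.1.2 and the output path are made-up placeholders; the key is a 2048-bit RSA key created in the current user's store with the Microsoft Software Key Storage Provider.

```powershell
# Added example, not the commenter's or the article's code.
# Builds a PKCS#10 request with a SAN extension containing dNSName and iPAddress entries
# via the CertEnroll COM API. Names, address and output path are hypothetical.

function New-AltNameDns {
    param([Parameter(Mandatory)][string]$Fqdn)
    $an = New-Object -ComObject X509Enrollment.CAlternativeName
    # XCN_CERT_ALT_NAME_DNS_NAME = 3
    $an.InitializeFromString(3, $Fqdn)
    $an
}

function New-AltNameIp {
    param([Parameter(Mandatory)][string]$Address)
    # The iPAddress SAN is an OCTET STRING holding the raw address bytes
    # (4 for IPv4, 16 for IPv6). GetAddressBytes() gives exactly those bytes,
    # so their base64 encoding is the "DER-encoded data" MSDN asks for.
    $bytes = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    $an = New-Object -ComObject X509Enrollment.CAlternativeName
    # XCN_CERT_ALT_NAME_IP_ADDRESS = 8, XCN_CRYPT_STRING_BASE64 = 1
    $an.InitializeFromRawData(8, 1, [Convert]::ToBase64String($bytes))
    $an
}

function New-SanRequest {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [string[]]$DnsNames    = @(),
        [string[]]$IpAddresses = @()
    )
    # Private key: 2048-bit RSA, user context, non-exportable (the default).
    $key = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $key.ProviderName   = 'Microsoft Software Key Storage Provider'
    $key.KeySpec        = 1          # XCN_AT_KEYEXCHANGE
    $key.Length         = 2048
    $key.MachineContext = $false
    $key.Create()

    $req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $req.InitializeFromPrivateKey(1, $key, '')   # ContextUser = 1, no template

    $dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $dn.Encode($Subject, 0)                      # XCN_CERT_NAME_STR_NONE
    $req.Subject = $dn

    # Collect every alternative name, then encode them into one SAN extension.
    $names = New-Object -ComObject X509Enrollment.CAlternativeNames
    foreach ($d in $DnsNames)     { $names.Add((New-AltNameDns -Fqdn $d)) }
    foreach ($ip in $IpAddresses) { $names.Add((New-AltNameIp -Address $ip)) }

    $ext = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
    $ext.InitializeEncode($names)
    $req.X509Extensions.Add($ext)

    $enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
    $enroll.InitializeFromRequest($req)
    # XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3: PEM with BEGIN/END NEW CERTIFICATE REQUEST
    $enroll.CreateRequest(3)
}

# Hypothetical host: FQDN, short name and management address all in the SAN.
$csr = New-SanRequest -Subject 'CN=ilo01.corp.example' `
                      -DnsNames 'ilo01.corp.example', 'ilo01' `
                      -IpAddresses '10.0.1.2'
$csr | Set-Content -Path .\ilo01.req -Encoding Ascii
```

To confirm the encoding took, run `certutil -dump .\ilo01.req`; the Subject Alternative Name section should list `DNS Name=ilo01.corp.example` and `IP Address=10.0.1.2`. Because the address bytes are taken straight from `GetAddressBytes()`, the same helper produces a correct 16-byte iPAddress entry for an IPv6 address.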

Andy Arismendi 03.07.2011 12:40 (GMT+2) How to add FQDN to HP iLO request

I stumbled upon your article while researching how to create an alternative name that is an IP address using the CertEnroll API. From the MSDN documentation: http://msdn.microsoft.com/en-us/library/aa374981%28v=vs.85%29.aspx

Here's what I've got:

    (New-Object -ComObject X509Enrollment.CAlternativeName).InitializeFromRawData(8, 0x1, $rawData)

What I'm having trouble with is $rawData... I'm not sure how to convert "10.0.1.2" to "A BSTR variable that contains the DER-encoded data." as the documentation says... Can you help?

Vadims Podans 29.06.2011 23:20 (GMT+2) Root Certification Authority (CA) CDP and AIA extension question

> If a client has a certificate, on a smart card used for logon, signed by a revoked SubCA certificate, and he tries to log on and has an old (cached) CRL, does that mean he will be able to log on?

Possibly yes. If the client is Windows Vista or newer, it will attempt to check whether the CA server has issued a new CRL prior to the planned publication date. This really depends on several factors. For more information please check this article: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=361c4644-9b1b-41fd-aaf9-370717edcbbc
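Editor's note: the exchange above turns on one fact, that CryptoAPI keeps serving a cached CRL for as long as that CRL is within its validity period, regardless of what the CA has published since. The script below is an added example (not Vadims's or Kojo's code) that makes the effect visible on a workstation: it builds the chain for a certificate with online revocation checking, reports whether anything in the chain is revoked, then flushes the URL cache with the same `certutil -urlcache * delete` Kojo used and checks again. The path `.\user.cer` is a placeholder for the smart card user's certificate exported to disk; the host must be able to reach the CDP to download the fresh CRL.

```powershell
# Added example, not from the comment thread. Shows the cached-CRL vs fresh-CRL
# difference for a certificate whose issuing CA has just been revoked.
# Assumption: .\user.cer (hypothetical path) is the end-entity certificate to test.

function Get-ChainRevocationReport {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Online: download a CRL only if the cached copy has expired. A cached CRL
    # that is still inside its validity period is used as-is, so a freshly
    # published revocation is not seen until the cache is flushed or expires.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # ExcludeRoot: check every issuer below the self-signed root (roots have no CRL).
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30

    $valid = $chain.Build($cert)

    # One row per chain element with its status flags, so a revoked SubCA is
    # attributed to the right certificate rather than just failing the leaf.
    $elements = foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Subject = $el.Certificate.Subject
            Status  = if ($el.ChainElementStatus.Count -eq 0) { 'OK' }
                      else { ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ',' }
        }
    }

    [pscustomobject]@{
        ChainValid = $valid
        Revoked    = [bool]($chain.ChainStatus | Where-Object { $_.Status -eq 'Revoked' })
        Elements   = $elements
    }
}

function Clear-CrlUrlCache {
    # Deletes the current user's CryptoAPI URL cache (CRLs and AIA certificates);
    # the next chain build has to fetch them from the CDP/AIA again.
    certutil -urlcache * delete | Out-Null
}

# First pass: whatever CRL is already cached decides the verdict.
$before = Get-ChainRevocationReport -CertPath .\user.cer

# Flush and repeat: now the newly published CRL is downloaded and honoured.
Clear-CrlUrlCache
$after = Get-ChainRevocationReport -CertPath .\user.cer

"Cached CRL : ChainValid=$($before.ChainValid) Revoked=$($before.Revoked)"
"Fresh CRL  : ChainValid=$($after.ChainValid)  Revoked=$($after.Revoked)"
$after.Elements | Format-Table -AutoSize
```

One caveat when reading the result against Kojo's logon question: `certutil -urlcache` only touches the cache of the user running it. On a domain controller the KDC validates smart card certificates from LSASS, running as SYSTEM, which keeps its own copy of the cache under that profile, so clearing your own cache on the DC does not change what the KDC sees.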

Kojo 29.06.2011 22:32 (GMT+2) Root Certification Authority (CA) CDP and AIA extension question

I've added an LDAP line on the offline ROOT CA and reissued the CRL (this is my test env). After that I successfully published the CRL using "certutil -dspublish -f crlname.crl", but the SubCA certificate was still OK. After that I ran "certutil -urlcache * delete" and it worked. The certificate appeared as "Revoked by Issuer".

Question: If a client has a certificate, on a smart card used for logon, signed by a revoked SubCA certificate, and he tries to log on and has an old (cached) CRL, does that mean he will be able to log on? I think it should be rejected by the DC. I would replace the revoked certificate in a GPO and import a new one. Am I right?

Kojo 28.06.2011 21:52 (GMT+2) Root Certification Authority (CA) CDP and AIA extension question

I've added an LDAP line on the offline ROOT CA and reissued the CRL (this is my test env). After that I successfully published the CRL using "certutil -dspublish -f crlname.crl", but the SubCA certificate was still OK. After that I ran "certutil -urlcache * delete" and it worked. The certificate appeared as "Revoked by Issuer".

Question: If a client has a certificate, on a smart card used for logon, signed by a revoked SubCA certificate, and he tries to log on and has an old (cached) CRL, does that mean he will be able to log on? I think it should be rejected by the DC. I would replace the revoked certificate in a GPO and import a new one. Am I right?