Posts on this page:

PowerShell PKI Module v3.2.6 is out!

Hello S-1-1-0!

In the three months since PSPKI module v3.2.5 was released, I received a number of unfortunate bugs (which weren’t tested very well on my side) and other issues. So I decided to address them while I have some spare time. In addition, I made an attempt to provide new functionality I really missed in the module.

This release is intended to make the module more stable and less buggy. In some aspects it has become faster.

Bug Fixes

I have fixed a number of private bugs (found by myself) and publicly reported bugs:

For detailed change logs and privately reported issues see:

Read more →

PowerShell 5.0 and Applocker. When security doesn’t mean security (part 2)

In the previous post, I tried to explain some inconsistencies in the current implementation of the Constrained PowerShell feature introduced in PowerShell 5.0: PowerShell 5.0 and Applocker. When security doesn’t mean security. After long email and Twitter conversations, I realized that many readers blame me for being against the Constrained PowerShell feature. It is not true. In this post, I would like to summarize what is going wrong now and how it should work in my opinion.

Read more →

PowerShell 5.0 and Applocker. When security doesn’t mean security

Problem description

A friend of mine asked why his PowerShell scripts (PowerShell profile) don’t execute properly after upgrading to PowerShell 5.0. A brief investigation showed that the interactive PowerShell console runs in Constrained Language mode. As a result, many language features are stripped out and the PowerShell profile isn’t loaded, failing with the following error:

Windows PowerShell
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
C:\Users\vpodans\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 : Cannot dot-source this command because
it was defined in a different language mode. To invoke this command without importing its contents, omit the '.'
At line:1 char:1
+ . 'C:\Users\vpodans\Documents\WindowsPowerShell\Microsoft.PowerShell_ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Microsoft.PowerShell_profile.ps1], NotSupportedException
    + FullyQualifiedErrorId : DotSourceNotSupported,Microsoft.PowerShell_profile.ps1

PS C:\Users\vpodans> [math]::Sqrt(1)
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:1 char:1
+ [math]::Sqrt(1)
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage

PS C:\Users\vpodans> $ExecutionContext.SessionState.LanguageMode
PS C:\Users\vpodans>

Read more →

PowerShell PKI Module v3.2.5 is released!

I’m glad to announce the release of another version of the PowerShell PKI module.

What’s new?

This release includes major internal code changes with new functionality.

  • Code reorganization

First, I completely separated the Abstract Syntax Notation (ASN.1) code from the main library into a dedicated DLL: SysadminsLV.Asn1Parser.dll. As I mentioned in one of the previous posts, PKI.Core.dll and the ASN parser are open-sourced on GitHub: and Asn1DerParser.NET.

Read more →

How to convert PEM to PFX in PowerShell (revisited)

Hello everyone!

Some time ago I wrote a script that converts a PEM file to a CryptoAPI-compatible format: How to convert PEM file to a CryptoAPI compatible format. The script involves some non-PowerShell commands (certutil) which associate the private key with a certificate instance. I received several feedback comments about avoiding certutil in favor of native PowerShell/.NET managed code. In this post I want to show some code that eliminates certutil from the script.

Just to recall what we generally do when converting PEM to X509Certificate2/PFX:

  • Read the certificate information from the PEM file and instantiate an X509Certificate2 object;
  • Read the PKCS#1 or PKCS#8 private key;
  • Convert the PKCS#1/PKCS#8 private key to a CryptoAPI PRIVATEKEYBLOB;
  • Associate the PRIVATEKEYBLOB with the X509Certificate2 instance.

Read more →