├── .github
└── workflows
│ ├── main.yml
│ ├── release.yml
│ └── xunit.yml
├── .gitignore
├── CHANGELOG.md
├── CONTRIBUTING.md
├── LICENSE
├── NOTICE
├── README.md
├── Support.GenerateETWManifest
├── Program.cs
└── Support.GenerateETWManifest.csproj
├── TameMyCerts.IntegrationTests
├── Export-CertificateTemplates.ps1
├── Functions
│ ├── Enable-Templatesynchronization.ps1
│ ├── Get-OnlineCertificate.ps1
│ ├── Grant-CertificateTemplatePermission.ps1
│ ├── Import-CertificateTemplate.ps1
│ ├── Invoke-AutoEnrollmentTask.ps1
│ └── Test-AdcsAvailability.ps1
├── README.md
├── Tests
│ ├── Computer_Online_CDP-AIA-OCSP.Tests.ps1
│ ├── Computer_Online_CDP-AIA-OCSP.ldf
│ ├── Computer_Online_CDP-AIA-OCSP.xml
│ ├── Computer_Online_CSP_allowed.Tests.ps1
│ ├── Computer_Online_CSP_allowed.ldf
│ ├── Computer_Online_CSP_allowed.xml
│ ├── Computer_Online_CSP_forbidden.Tests.ps1
│ ├── Computer_Online_CSP_forbidden.ldf
│ ├── Computer_Online_CSP_forbidden.xml
│ ├── Computer_Online_DSA.Tests.ps1
│ ├── Computer_Online_DSA.inf
│ ├── Computer_Online_DSA.ldf
│ ├── Computer_Online_DSA.xml
│ ├── Computer_Online_ECDH.Tests.ps1
│ ├── Computer_Online_ECDH.ldf
│ ├── Computer_Online_ECDH.xml
│ ├── Computer_Online_ECDSA.Tests.ps1
│ ├── Computer_Online_ECDSA.ldf
│ ├── Computer_Online_ECDSA.xml
│ ├── Computer_Online_NotAfter.Tests.ps1
│ ├── Computer_Online_NotAfter.ldf
│ ├── Computer_Online_NotAfter.xml
│ ├── Computer_Online_RSA.Tests.ps1
│ ├── Computer_Online_RSA.ldf
│ ├── Computer_Online_RSA.xml
│ ├── Computer_Online_SubjectDN.Tests.ps1
│ ├── Computer_Online_SubjectDN.ldf
│ ├── Computer_Online_SubjectDN.xml
│ ├── Computer_Online_SupplementServicePrincipalNames.Tests.ps1
│ ├── Computer_Online_SupplementServicePrincipalNames.ldf
│ ├── Computer_Online_SupplementServicePrincipalNames.xml
│ ├── Computer_Online_process_allowed.Tests.ps1
│ ├── Computer_Online_process_allowed.inf
│ ├── Computer_Online_process_allowed.ldf
│ ├── Computer_Online_process_allowed.xml
│ ├── Computer_Online_process_forbidden.Tests.ps1
│ ├── Computer_Online_process_forbidden.inf
│ ├── Computer_Online_process_forbidden.ldf
│ ├── Computer_Online_process_forbidden.xml
│ ├── GenericWebServer.Tests.ps1
│ ├── GenericWebServer.ldf
│ ├── GenericWebServer.xml
│ ├── GenericWebServer_AllRdnTypes.Tests.ps1
│ ├── GenericWebServer_AllRdnTypes.ldf
│ ├── GenericWebServer_AllRdnTypes.xml
│ ├── GenericWebServer_CSP_allowed.Tests.ps1
│ ├── GenericWebServer_CSP_allowed.ldf
│ ├── GenericWebServer_CSP_allowed.xml
│ ├── GenericWebServer_CSP_forbidden.Tests.ps1
│ ├── GenericWebServer_CSP_forbidden.ldf
│ ├── GenericWebServer_CSP_forbidden.xml
│ ├── GenericWebServer_NotAfter.Tests.ps1
│ ├── GenericWebServer_NotAfter.ldf
│ ├── GenericWebServer_NotAfter.xml
│ ├── GenericWebServer_NotAfter_Audit.Tests.ps1
│ ├── GenericWebServer_NotAfter_Audit.ldf
│ ├── GenericWebServer_NotAfter_Audit.xml
│ ├── GenericWebServer_NotAfter_passed.Tests.ps1
│ ├── GenericWebServer_NotAfter_passed.ldf
│ ├── GenericWebServer_NotAfter_passed.xml
│ ├── GenericWebServer_StaticSubject.Tests.ps1
│ ├── GenericWebServer_StaticSubject.ldf
│ ├── GenericWebServer_StaticSubject.xml
│ ├── GenericWebServer_StaticSubjectAlternativeName.Tests.ps1
│ ├── GenericWebServer_StaticSubjectAlternativeName.ldf
│ ├── GenericWebServer_StaticSubjectAlternativeName.xml
│ ├── GenericWebServer_StaticSubjectAlternativeName_Forced.Tests.ps1
│ ├── GenericWebServer_StaticSubjectAlternativeName_Forced.ldf
│ ├── GenericWebServer_StaticSubjectAlternativeName_Forced.xml
│ ├── GenericWebServer_StaticSubject_Forced.Tests.ps1
│ ├── GenericWebServer_StaticSubject_Forced.ldf
│ ├── GenericWebServer_StaticSubject_Forced.xml
│ ├── GenericWebServer_SubjectFromRequest.Tests.ps1
│ ├── GenericWebServer_SubjectFromRequest.ldf
│ ├── GenericWebServer_SubjectFromRequest.xml
│ ├── GenericWebServer_SubjectFromRequest_AllRdnTypes.Tests.ps1
│ ├── GenericWebServer_SubjectFromRequest_AllRdnTypes.ldf
│ ├── GenericWebServer_SubjectFromRequest_AllRdnTypes.xml
│ ├── GenericWebServer_SubjectOnly.Tests.ps1
│ ├── GenericWebServer_SubjectOnly.inf
│ ├── GenericWebServer_SubjectOnly.ldf
│ ├── GenericWebServer_SubjectOnly.xml
│ ├── GenericWebServer_brokenPolicy.Tests.ps1
│ ├── GenericWebServer_brokenPolicy.ldf
│ ├── GenericWebServer_brokenPolicy.xml
│ ├── GenericWebServer_emptyPolicy.Tests.ps1
│ ├── GenericWebServer_emptyPolicy.ldf
│ ├── GenericWebServer_emptyPolicy.xml
│ ├── GenericWebServer_emptyPolicy_Audit.Tests.ps1
│ ├── GenericWebServer_emptyPolicy_Audit.ldf
│ ├── GenericWebServer_emptyPolicy_Audit.xml
│ ├── GenericWebServer_noPolicy.Tests.ps1
│ ├── GenericWebServer_noPolicy.ldf
│ ├── GenericWebServer_noPolicy_pending.Tests.ps1
│ ├── GenericWebServer_noPolicy_pending.ldf
│ ├── GenericWebServer_pending.Tests.ps1
│ ├── GenericWebServer_pending.ldf
│ ├── GenericWebServer_process_allowed.Tests.ps1
│ ├── GenericWebServer_process_allowed.inf
│ ├── GenericWebServer_process_allowed.ldf
│ ├── GenericWebServer_process_allowed.xml
│ ├── GenericWebServer_process_forbidden.Tests.ps1
│ ├── GenericWebServer_process_forbidden.inf
│ ├── GenericWebServer_process_forbidden.ldf
│ ├── GenericWebServer_process_forbidden.xml
│ ├── SpecialChars.Tests.ps1
│ ├── SpecialChars.ldf
│ ├── TameMyCerts.Tests.ps1
│ ├── TestLabEnrollmentAgent.ldf
│ ├── User_Offline_DenyIfExisting.Tests.ps1
│ ├── User_Offline_DenyIfExisting.ldf
│ ├── User_Offline_DenyIfExisting.xml
│ ├── User_Offline_DsMapping.Tests.ps1
│ ├── User_Offline_DsMapping.ldf
│ ├── User_Offline_DsMapping.xml
│ ├── User_Offline_DsMapping_GroupMemberships.Tests.ps1
│ ├── User_Offline_DsMapping_GroupMemberships.ldf
│ ├── User_Offline_DsMapping_GroupMemberships.xml
│ ├── User_Offline_DsMapping_SearchRoot.Tests.ps1
│ ├── User_Offline_DsMapping_SearchRoot.ldf
│ ├── User_Offline_DsMapping_SearchRoot.xml
│ ├── User_Offline_Pattern.Tests.ps1
│ ├── User_Offline_Pattern.ldf
│ ├── User_Offline_Pattern.xml
│ ├── User_Offline_Sid_Add.Tests.ps1
│ ├── User_Offline_Sid_Add.ldf
│ ├── User_Offline_Sid_Add.xml
│ ├── User_Offline_Sid_AddUri.Tests.ps1
│ ├── User_Offline_Sid_AddUri.ldf
│ ├── User_Offline_Sid_AddUri.xml
│ ├── User_Offline_Sid_Allow.Tests.ps1
│ ├── User_Offline_Sid_Allow.ldf
│ ├── User_Offline_Sid_Allow.xml
│ ├── User_Offline_Sid_Deny.Tests.ps1
│ ├── User_Offline_Sid_Deny.ldf
│ ├── User_Offline_Sid_Deny.xml
│ ├── User_Offline_Sid_Remove.Tests.ps1
│ ├── User_Offline_Sid_Remove.ldf
│ ├── User_Offline_Sid_Remove.xml
│ ├── User_Offline_SubjectAltName_Mandatory.Tests.ps1
│ ├── User_Offline_SubjectAltName_Mandatory.ldf
│ ├── User_Offline_SubjectAltName_Mandatory.xml
│ ├── User_Offline_SubjectDN.Tests.ps1
│ ├── User_Offline_SubjectDN.ldf
│ ├── User_Offline_SubjectDN.xml
│ ├── User_Offline_SubjectDN_Mandatory.Tests.ps1
│ ├── User_Offline_SubjectDN_Mandatory.ldf
│ ├── User_Offline_SubjectDN_Mandatory.xml
│ ├── User_Offline_SubjectDN_same.Tests.ps1
│ ├── User_Offline_SubjectDN_same.ldf
│ ├── User_Offline_SubjectDN_same.xml
│ ├── User_Offline_noPolicy.Tests.ps1
│ ├── User_Offline_noPolicy.ldf
│ ├── User_Online.ldf
│ ├── User_Online_YubiKey.Tests.ps1
│ ├── User_Online_YubiKey.ldf
│ ├── User_Online_YubiKey.xml
│ └── lib
│ │ └── Init.ps1
└── TmcTestingLab.ps1
├── TameMyCerts.SBOM.md
├── TameMyCerts.Tests.SBOM.md
├── TameMyCerts.Tests
├── CertificateContentValidatorTests.cs
├── CertificateRequestValidatorTests.cs
├── DirectoryServiceValidatorTests.cs
├── ETWLoggerListener.cs
├── ETWTests.cs
├── FinalResultValidatorTests.cs
├── IPAddressExtensionsTests.cs
├── PatternTests.cs
├── Properties
│ └── AssemblyInfo.cs
├── RequestAttributeValidatorTests.cs
├── Resources
│ └── YubiKeyValidator
│ │ ├── 5_2_7.pem
│ │ ├── 5_7_2.pem
│ │ ├── Yubico_Attestation_Intermediate_B_1.cer
│ │ ├── Yubico_Attestation_Root_1.cer
│ │ ├── Yubico_PIV_Attestation_B_1.cer
│ │ ├── Yubico_PIV_Root_CA_Serial_263751.cer
│ │ ├── attestation_1.pem
│ │ ├── attestation_11.pem
│ │ └── csr_5_7_4_standard.pem
├── TameMyCerts.Tests.csproj
├── X509CertificateExtensionAuthorityInformationAccessTests.cs
├── X509CertificateExtensionCrlDistributionPointTests.cs
├── X509CertificateExtensionSecurityIdentifierTests.cs
├── X509CertificateExtensionSubjectAlternativeNameTests.cs
├── XMLPolicyTests.cs
└── YubikeyValidatorTests.cs
├── TameMyCerts.sln
├── TameMyCerts
├── AutoVersionIncrement.cs
├── AutoVersionIncrement.tt
├── CERTCLILIB.dll
├── CERTCLILIB.il
├── CERTCLILIB.res
├── CERTPOLICYLIB.dll
├── CERTPOLICYLIB.il
├── CERTPOLICYLIB.res
├── ClassExtensions
│ ├── ByteArrayExtensions.cs
│ ├── CCertServerPolicyExtensions.cs
│ ├── CX509CertificateRequestPkcs10Extensions.cs
│ ├── IPAddressExtensions.cs
│ └── StringExtensions.cs
├── ETWLogger.cs
├── Enums
│ ├── CaType.cs
│ ├── CertCli.cs
│ ├── CertSrv.cs
│ ├── EditFlag.cs
│ ├── GeneralFlag.cs
│ ├── KeyAlgorithmFamily.cs
│ ├── KeyAlgorithmType.cs
│ ├── OleAut32.cs
│ ├── PatternType.cs
│ ├── PolicyAction.cs
│ ├── SubjectNameFlag.cs
│ ├── TmcFlag.cs
│ ├── UserAccountControl.cs
│ ├── WinCrypt.cs
│ ├── WinError.cs
│ ├── YubikeyEdition.cs
│ ├── YubikeyFormFactor.cs
│ ├── YubikeyPinPolicy.cs
│ ├── YubikeyTouchPolicy.cs
│ └── YubikeyX509Extension.cs
├── LocalizedStrings.Designer.cs
├── LocalizedStrings.resx
├── Logger.cs
├── Models
│ ├── ActiveDirectoryObject.cs
│ ├── CertificateAuthorityConfiguration.cs
│ ├── CertificateDatabaseRow.cs
│ ├── CertificateRequestPolicy.cs
│ ├── CertificateRequestPolicyCache.cs
│ ├── CertificateRequestPolicyCacheEntry.cs
│ ├── CertificateRequestValidationResult.cs
│ ├── CertificateTemplate.cs
│ ├── CertificateTemplateCache.cs
│ ├── CustomCertificateExtension.cs
│ ├── DirectoryObjectRule.cs
│ ├── DirectoryServicesMapping.cs
│ ├── Event.cs
│ ├── Events.cs
│ ├── OutboundSubjectRule.cs
│ ├── Pattern.cs
│ ├── RdnTypes.cs
│ ├── SanTypes.cs
│ ├── SubjectRule.cs
│ ├── YubikeyObject.cs
│ └── YubikeyPolicy.cs
├── Policy.cs
├── PolicyManage.cs
├── Properties
│ └── AssemblyInfo.cs
├── TameMyCerts.csproj
├── Validators
│ ├── CertificateContentValidator.cs
│ ├── CertificateRequestValidator.cs
│ ├── DirectoryServiceValidator.cs
│ ├── FinalResultValidator.cs
│ ├── RequestAttributeValidator.cs
│ └── YubikeyValidator.cs
├── X509
│ ├── X509CertificateExtension.cs
│ ├── X509CertificateExtensionAuthorityInformationAccess.cs
│ ├── X509CertificateExtensionCrlDistributionPoint.cs
│ ├── X509CertificateExtensionSecurityIdentifier.cs
│ └── X509CertificateExtensionSubjectAlternativeName.cs
├── install.ps1
├── make_debug.cmd
└── make_il.cmd
├── examples
├── Sample_Offline_Computer_SidExtension.xml
├── Sample_Offline_Computer_SidUri.xml
├── Sample_Offline_User.xml
├── Sample_Offline_User_DsBoundSubject.xml
├── Sample_Offline_User_NotAfter.xml
├── Sample_Offline_User_SidExtension.xml
├── Sample_Offline_User_SidUri.xml
├── Sample_Offline_User_StaticSubject.xml
├── Sample_Offline_Webserver.xml
├── Sample_Offline_Webserver_SupplementDnsNames.xml
├── Sample_Online_Computer_DsBoundSan.xml
├── Sample_Online_Computer_StaticSan.xml
├── Sample_Online_Computer_SupplementSpns.xml
├── Sample_Online_User_CDP-AIA-OCSP.xml
├── Sample_Online_User_NotAfter.xml
├── Sample_Online_User_StaticSubject.xml
├── Sample_Online_User_TPM.xml
├── Sample_Online_Yubikey_Verification_and_Rewrite.xml
└── Sample_empty.xml
└── user-guide
├── abbreviations.md
├── audit-only-mode.md
├── cdp-aia-ocsp.md
├── configuring.md
├── csp-rules.md
├── custom-extensions.md
├── deny-insecure-flags.md
├── ds-attribute.md
├── ds-mapping.md
├── ds-object-rules.md
├── empty-identities.md
├── enddate.md
├── event-id-1.md
├── event-id-10.md
├── event-id-11.md
├── event-id-12.md
├── event-id-13.md
├── event-id-14.md
├── event-id-2.md
├── event-id-4.md
├── event-id-5.md
├── event-id-6.md
├── event-id-7.md
├── event-id-8.md
├── event-id-9.md
├── global-settings.md
├── header-appendix.md
├── header-use-cases.md
├── how-it-works.md
├── installing.md
├── key-rules.md
├── logs.md
├── modify-san.md
├── modify-subject-dn.md
├── pattern.md
├── prerequisites.md
├── process-rules.md
├── resources
├── Swiss-Cheese-Model.png
├── active-module.png
├── approval-flow.png
├── audit-only-mode.png
├── certapi.png
├── csp-rules1.png
├── csp-rules2.png
├── deny-disabled-account.png
├── deny-fields-missing.png
├── deny-forbidden-group.png
├── deny-nonexisting-user.png
├── deny-not-member.png
├── deny-sid-extension.png
├── deny-syntax-blacklist.png
├── deny-syntax-violation.png
├── deny-wrong-ou.png
├── digital-signature.png
├── event-viewer.png
├── expiration-passed.png
├── install.png
├── key-rules.png
├── offline-template.png
├── online-template.png
├── policydirectory.png
├── prevent-esc6.png
├── process-rules1.png
├── process-rules2.png
├── process-rules3.png
├── sample-event.png
├── subject-from-ad.png
├── supplement-dnsnames.png
├── supplement-spns.png
├── template-name-ps.png
├── template-name.png
├── undefined-rdn.png
├── uninstall.png
├── ykca-store.png
└── ykroot-store.png
├── san-rules.md
├── sid-extension.md
├── startdate.md
├── subject-rules.md
├── supplement-dns-names.md
├── supplement-spns.md
├── tech-reference.md
├── troubleshooting.md
├── uc-dsmapping.md
├── uc-esc1.md
├── uc-esc6.md
├── uc-subjectdn.md
├── uc-supplement-dns.md
├── uninstalling.md
├── upgrade-instructions.md
├── upgrading.md
├── why.md
└── yubikey-piv-attestation.md
/.github/workflows/main.yml:
--------------------------------------------------------------------------------
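name: Build

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

# Least privilege for GITHUB_TOKEN: this job only checks the repository out
# and uploads a build artifact, so it needs no write scope on the repository.
permissions:
  contents: read

jobs:
  build:
    name: Build
    runs-on: windows-latest

    steps:

      # The actions below are referenced by mutable tags. For code that ends
      # up loaded into a certification authority, consider pinning each
      # `uses:` to a full commit SHA so a moved tag cannot change what runs.
      - uses: actions/checkout@v4

      - name: Setup dotnet
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '8.0.x'

      - name: Install dependencies
        run: dotnet restore

      # Do not set ACTIONS_ALLOW_UNSECURE_COMMANDS on this step. It re-enables
      # the deprecated `set-env`/`add-path` workflow commands, which let
      # anything that can write to the job log (a crafted build message, a
      # dependency's output) inject environment variables and PATH entries
      # into later steps. Current setup-msbuild releases (including v1.3) use
      # the environment-file mechanism and do not need it; if this step ever
      # fails on an "Unable to process command '::add-path::'" error, update
      # the action instead of restoring the flag.
      - name: Setup MSBuild Path
        uses: microsoft/setup-msbuild@v1.3

      - name: Build Debug
        run: msbuild TameMyCerts\TameMyCerts.csproj -property:Configuration=debug /restore /t:Rebuild

      - name: Build ETW Manifest
        run: msbuild Support.GenerateETWManifest\Support.GenerateETWManifest.csproj -property:Configuration=debug /restore /t:Rebuild

      - name: Save Build TameMyCerts
        uses: actions/upload-artifact@v4
        with:
          name: build-TameMyCerts
          path: TameMyCerts\bin\debug\net8.0-windows\
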
--------------------------------------------------------------------------------
/.github/workflows/xunit.yml:
--------------------------------------------------------------------------------
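name: XUnit tests

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

# Least privilege for GITHUB_TOKEN: the job only reads the repository, builds
# and runs tests; nothing here needs a write scope.
permissions:
  contents: read

jobs:
  build:
    name: XUnit tests
    runs-on: windows-latest

    steps:

      # Actions are referenced by mutable tags; consider pinning each `uses:`
      # to a full commit SHA so a moved tag cannot change what runs here.
      - uses: actions/checkout@v4

      - name: Setup dotnet
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '8.0.x'

      - name: Install dependencies
        run: dotnet restore

      # Do not set ACTIONS_ALLOW_UNSECURE_COMMANDS on this step. It re-enables
      # the deprecated `set-env`/`add-path` workflow commands, which allow
      # anything that writes to the job log to inject environment variables
      # and PATH entries into later steps. Current setup-msbuild releases
      # (including v1.3) use the environment-file mechanism and do not need
      # it; if the step fails on an "Unable to process command '::add-path::'"
      # error, update the action instead of restoring the flag.
      - name: Setup MSBuild Path
        uses: microsoft/setup-msbuild@v1.3

      - name: Build Debug
        run: msbuild TameMyCerts\TameMyCerts.csproj -property:Configuration=debug /restore /t:Rebuild

      - name: Build TameMyCerts.Tests
        run: msbuild TameMyCerts.Tests\TameMyCerts.Tests.csproj -property:Configuration=debug /restore /t:Rebuild

      - name: Run xunit tests
        run: dotnet test --no-build --verbosity minimal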
--------------------------------------------------------------------------------
/NOTICE:
--------------------------------------------------------------------------------
1 | Copyright 2021-2023 Uwe Gradenegger
2 |
3 | Licensed under the Apache License, Version 2.0 (the "License");
4 | you may not use this file except in compliance with the License.
5 | You may obtain a copy of the License at
6 |
7 | http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | Unless required by applicable law or agreed to in writing, software
10 | distributed under the License is distributed on an "AS IS" BASIS,
11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | See the License for the specific language governing permissions and
13 | limitations under the License.
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Functions/Enable-Templatesynchronization.ps1:
--------------------------------------------------------------------------------
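function Enable-TemplateSynchronization {

    <#
    .SYNOPSIS
        Sets bit 0x1 of the AEPolicy auto-enrollment policy value for the user
        or the machine (presumably the "update certificates that use
        certificate templates" option - verify against the GPO setting).
    .PARAMETER Scope
        "User" writes below HKCU, "Computer" below HKLM. Writing the HKLM
        policy key requires administrative rights.
    .NOTES
        Any bits already present in AEPolicy are preserved; only 0x1 is added.
        The key is created only when it does not exist yet, so other values
        stored under it are left untouched.
    #>

    [cmdletbinding()]
    param(
        [ValidateSet("User","Computer")]
        [String]
        $Scope = "User"
    )

    $RegKey = if ($Scope -eq "User") {
        "HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    }
    else {
        "HKLM:\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    }

    # Read the current value first so existing policy bits survive the write.
    $AEPolicy = (Get-ItemProperty -Path $RegKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy

    if ($null -ne $AEPolicy) {
        $AEPolicy = $AEPolicy -bor 0x1
    }
    else {
        $AEPolicy = 0x1
    }

    # Create the key only when it is missing. New-Item -Force on a registry
    # key that already exists can recreate it and drop the other values stored
    # beneath it (other AutoEnrollment settings); an unconditional call risked
    # exactly that.
    if (-not (Test-Path -Path $RegKey)) {
        New-Item -Path $RegKey -Force | Out-Null
    }

    Set-ItemProperty -Path $RegKey -Name AEPolicy -Value $AEPolicy -Force

}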
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Functions/Invoke-AutoEnrollmentTask.ps1:
--------------------------------------------------------------------------------
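function Invoke-AutoEnrollmentTask {

    <#
    .SYNOPSIS
        Starts the built-in certificate auto-enrollment scheduled task
        (\Microsoft\Windows\CertificateServicesClient\UserTask or SystemTask)
        through the Task Scheduler COM interface and optionally waits for it
        to finish.
    .PARAMETER Task
        "UserTask" (default) is run with TASK_RUN_AS_SELF, i.e. as the calling
        user; "SystemTask" is run with no run flags.
    .PARAMETER Wait
        Poll once per second until the task is no longer in the Running
        state. There is no timeout: a task that never leaves Running blocks
        the caller indefinitely.
    #>

    [cmdletbinding()]
    param(
        [Parameter(Mandatory=$false)]
        [ValidateSet("UserTask", "SystemTask")]
        [string]
        $Task = "UserTask",

        [Parameter(Mandatory=$false)]
        [switch]
        $Wait
    )

    # TASK_RUN_FLAGS is a bit mask (taskschd.h): 0x1, 0x2, 0x4, 0x8. The
    # previous table listed USE_SESSION_ID as 3 and USER_SID as 4, which are
    # not single flags; only NO_FLAGS and AS_SELF are used below, so the fix
    # does not change behaviour.
    New-Variable -Option Constant -Name TaskRunFlags -Value @{
        TASK_RUN_NO_FLAGS = 0
        TASK_RUN_AS_SELF = 1
        TASK_RUN_IGNORE_CONSTRAINTS = 2
        TASK_RUN_USE_SESSION_ID = 4
        TASK_RUN_USER_SID = 8
    }

    if ($Task -eq "UserTask") {
        $Flags = $TaskRunFlags.TASK_RUN_AS_SELF
    }
    else {
        $Flags = $TaskRunFlags.TASK_RUN_NO_FLAGS
    }

    $TaskScheduler = New-Object -ComObject "Schedule.Service"
    $TaskFolder = $null
    $ScheduledTask = $null

    try {
        $TaskScheduler.Connect()
        $TaskFolder = $TaskScheduler.GetFolder("Microsoft\Windows\CertificateServicesClient")
        $ScheduledTask = $TaskFolder.GetTask($Task)
        $ScheduledTask.RunEx($null, $Flags, 0, $null) | Out-Null
    }
    finally {
        # Release every COM object obtained, not only the service object, and
        # do so even when GetFolder/GetTask/RunEx throws.
        foreach ($ComObject in @($ScheduledTask, $TaskFolder, $TaskScheduler)) {
            if ($null -ne $ComObject) {
                [System.Runtime.Interopservices.Marshal]::ReleaseComObject($ComObject) | Out-Null
            }
        }
    }

    if ($Wait.IsPresent) {
        do {
            Start-Sleep -Seconds 1
        } while ((Get-ScheduledTask -TaskPath \Microsoft\Windows\CertificateServicesClient\ -TaskName $Task).PSBase.CimInstanceProperties['State'].Value -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Running)
    }
}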
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Functions/Test-AdcsAvailability.ps1:
--------------------------------------------------------------------------------
function Test-AdcsAvailability {

    <#
    .SYNOPSIS
        Returns $true when the certification authority named by ConfigString
        answers an ICertRequest::GetCAProperty call, $false when that call
        throws (CA service stopped, host unreachable, access denied, ...).
    .PARAMETER ConfigString
        CA configuration string, typically in "<host>\<CA common name>" form.
    #>

    [cmdletbinding()]
    param(
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $ConfigString
    )

    # GetCAProperty arguments: property 0x6 (CR_PROP_CANAME), index 0,
    # property type 0x4 (string), flags 0. Only success or failure of the
    # call matters; the returned value is discarded.
    $PropertyId = 0x6
    $PropertyIndex = 0x0
    $PropertyType = 0x4
    $PropertyFlags = 0x0

    $CertRequest = New-Object -ComObject CertificateAuthority.Request

    try {
        $null = $CertRequest.GetCAProperty($ConfigString, $PropertyId, $PropertyIndex, $PropertyType, $PropertyFlags)
        return $true
    }
    catch {
        return $false
    }
    finally {
        # Always release the COM object, whichever branch produced the result.
        [System.Runtime.Interopservices.Marshal]::ReleaseComObject($CertRequest) | Out-Null
    }
}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_CDP-AIA-OCSP.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "Computer_Online_CDP-AIA-OCSP"
}

Describe 'Computer_Online_CDP-AIA-OCSP.Tests' {

    It 'Given custom CDP, AIA or OCSP extensions are configured, they are written into the issued certificate' {

        # Machine-context request with an empty subject against the
        # "online" template; the policy file for this template carries
        # custom CDP/AIA/OCSP URLs that must end up in the issued certificate.
        $Request = New-CertificateRequest -Subject "CN=" -KeyAlgorithm ECDSA_P256
        $Outcome = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate -MachineContext

        $Outcome.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Outcome.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS

        $CdpExtension = $Outcome.Certificate.Extensions | Where-Object { $_.Oid.Value.Equals($Oid.XCN_OID_CRL_DIST_POINTS) }
        $AiaExtension = $Outcome.Certificate.Extensions | Where-Object { $_.Oid.Value.Equals($Oid.XCN_OID_AUTHORITY_INFO_ACCESS) }

        # DER-encoded CRL Distribution Points extension holding the single
        # URI http://crl.tamemycerts-custom.com/LabRootCA1.crl
        [Convert]::ToBase64String($CdpExtension.RawData) |
            Should -Be "MDgwNqA0oDKGMGh0dHA6Ly9jcmwudGFtZW15Y2VydHMtY3VzdG9tLmNvbS9MYWJSb290Q0ExLmNybA=="

        # DER-encoded Authority Information Access extension with
        # caIssuers = http://tamemycerts-custom.com/LabRootCA1.crt and
        # ocsp = http://ocsp.tamemycerts-custom.com/
        [Convert]::ToBase64String($AiaExtension.RawData) |
            Should -Be "MGswOAYIKwYBBQUHMAKGLGh0dHA6Ly90YW1lbXljZXJ0cy1jdXN0b20uY29tL0xhYlJvb3RDQTEuY3J0MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC50YW1lbXljZXJ0cy1jdXN0b20uY29tLw=="
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_CDP-AIA-OCSP.ldf:
--------------------------------------------------------------------------------
# Certificate template "Computer_Online_CDP-AIA-OCSP" for the integration lab.
# {ConfigNC} is a placeholder for the forest's configuration naming context;
# presumably substituted by Import-CertificateTemplate.ps1 before import.
# "Online" machine template: the CA builds the subject (Certificate-Name-Flag
# 0x48000000 = require CN + DNS SAN; ENROLLEE_SUPPLIES_SUBJECT 0x1 is NOT set),
# autoenrollment is enabled (Enrollment-Flag 0x20), EKU client authentication
# only, key usage 0xC0 = digitalSignature | nonRepudiation, ECDSA_P256 keys
# with a 256-bit minimum. Validity/overlap blobs decode to roughly 5 years and
# 6 weeks.
# NOTE(review): the SHA1 / 3DES entries in msPKI-RA-Application-Policies are
# the template's request-hash and key-archival defaults, not the hash the CA
# signs certificates with - confirm before treating them as a finding.
dn: CN=Computer_Online_CDP-AIA-OCSP,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
changetype: add
objectClass: top
objectClass: pKICertificateTemplate
cn: Computer_Online_CDP-AIA-OCSP
distinguishedName: CN=Computer_Online_CDP-AIA-OCSP,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
instanceType: 4
displayName: Computer_Online_CDP-AIA-OCSP
showInAdvancedViewOnly: TRUE
name: Computer_Online_CDP-AIA-OCSP
flags: 131680
revision: 100
objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
pKIDefaultKeySpec: 2
pKIKeyUsage:: wA==
pKIMaxIssuingDepth: 0
pKICriticalExtensions: 2.5.29.15
pKIExpirationPeriod:: AEAepOhl+v8=
pKIOverlapPeriod:: AICmCv/e//8=
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
msPKI-RA-Signature: 0
msPKI-Enrollment-Flag: 32
msPKI-Private-Key-Flag: 33685504
msPKI-Certificate-Name-Flag: 1207959552
msPKI-Minimal-Key-Size: 256
msPKI-Template-Schema-Version: 3
msPKI-Template-Minor-Revision: 6
msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`ECDSA_P256`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`



--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_CDP-AIA-OCSP.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | http://crl.tamemycerts-custom.com/%3%8%9.crl
4 |
5 |
6 | http://tamemycerts-custom.com/%3%4.crt
7 |
8 |
9 | http://ocsp.tamemycerts-custom.com
10 |
11 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_CSP_allowed.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "Computer_Online_CSP_allowed"
}

Describe 'Computer_Online_CSP_allowed.Tests' {

    It 'Given a request is compliant, a certificate is issued' {

        # The policy for this template appears to allow-list the Microsoft
        # Software Key Storage Provider (Computer_Online_CSP_allowed.xml), so
        # a key created in that KSP must be accepted.
        $Request = New-CertificateRequest -KeyLength 2048 -Subject "CN=" -Ksp "Microsoft Software Key Storage Provider"
        $Outcome = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate -MachineContext

        $Outcome.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Outcome.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS

        # The "online" template supplies the subject itself: the issued
        # certificate is expected to carry the machine's FQDN as CN.
        $ExpectedSubject = "CN=" + [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
        $Outcome.Certificate.Subject | Should -Be $ExpectedSubject
    }

    It 'Given a request is not compliant, no certificate is issued' {

        # A key from a legacy CAPI CSP that is not on the allow list must be
        # rejected with CERTSRV_E_TEMPLATE_DENIED.
        $Request = New-CertificateRequest -KeyLength 2048 -Subject "CN=" -Ksp "Microsoft Enhanced RSA and AES Cryptographic Provider"
        $Outcome = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate -MachineContext

        $Outcome.Disposition | Should -Be $CertCli.CR_DISP_DENIED
        $Outcome.StatusCodeInt | Should -Be $WinError.CERTSRV_E_TEMPLATE_DENIED
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_CSP_allowed.ldf:
--------------------------------------------------------------------------------
# Certificate template "Computer_Online_CSP_allowed" for the integration lab.
# {ConfigNC} is a placeholder for the forest's configuration naming context;
# presumably substituted by Import-CertificateTemplate.ps1 before import.
# "Online" machine template: the CA builds the subject (Certificate-Name-Flag
# 0x48000000 = require CN + DNS SAN; ENROLLEE_SUPPLIES_SUBJECT 0x1 is NOT set),
# autoenrollment enabled (Enrollment-Flag 0x20), EKU client authentication
# only, key usage 0xE0 = digitalSignature | nonRepudiation | keyEncipherment,
# RSA keys with a 2048-bit minimum. Validity/overlap blobs decode to roughly
# 5 years and 6 weeks.
# NOTE(review): SHA1 / 3DES in msPKI-RA-Application-Policies are the template's
# request-hash and key-archival defaults, not the CA's signing hash - confirm
# before treating them as a finding.
dn: CN=Computer_Online_CSP_allowed,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
changetype: add
objectClass: top
objectClass: pKICertificateTemplate
cn: Computer_Online_CSP_allowed
distinguishedName: CN=Computer_Online_CSP_allowed,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
instanceType: 4
displayName: Computer_Online_CSP_allowed
showInAdvancedViewOnly: TRUE
name: Computer_Online_CSP_allowed
flags: 131680
revision: 100
objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
pKIDefaultKeySpec: 2
pKIKeyUsage:: 4A==
pKIMaxIssuingDepth: 0
pKICriticalExtensions: 2.5.29.15
pKIExpirationPeriod:: AEAepOhl+v8=
pKIOverlapPeriod:: AICmCv/e//8=
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
msPKI-RA-Signature: 0
msPKI-Enrollment-Flag: 32
msPKI-Private-Key-Flag: 33685504
msPKI-Certificate-Name-Flag: 1207959552
msPKI-Minimal-Key-Size: 2048
msPKI-Template-Schema-Version: 3
msPKI-Template-Minor-Revision: 5
msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`



--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_CSP_allowed.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 | Microsoft Software Key Storage Provider
5 |
6 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_CSP_forbidden.ldf:
--------------------------------------------------------------------------------
# Certificate template "Computer_Online_CSP_forbidden" for the integration lab.
# Identical to Computer_Online_CSP_allowed apart from the name and minor
# revision; the difference between the two tests lives in the policy XML,
# not in the template. {ConfigNC} is a placeholder for the configuration
# naming context, presumably substituted by Import-CertificateTemplate.ps1.
# "Online" machine template: CA-built subject (Certificate-Name-Flag
# 0x48000000 = require CN + DNS SAN, no ENROLLEE_SUPPLIES_SUBJECT),
# autoenrollment enabled (0x20), EKU client authentication only, key usage
# 0xE0 = digitalSignature | nonRepudiation | keyEncipherment, RSA 2048-bit
# minimum.
dn: CN=Computer_Online_CSP_forbidden,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
changetype: add
objectClass: top
objectClass: pKICertificateTemplate
cn: Computer_Online_CSP_forbidden
distinguishedName: CN=Computer_Online_CSP_forbidden,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
instanceType: 4
displayName: Computer_Online_CSP_forbidden
showInAdvancedViewOnly: TRUE
name: Computer_Online_CSP_forbidden
flags: 131680
revision: 100
objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
pKIDefaultKeySpec: 2
pKIKeyUsage:: 4A==
pKIMaxIssuingDepth: 0
pKICriticalExtensions: 2.5.29.15
pKIExpirationPeriod:: AEAepOhl+v8=
pKIOverlapPeriod:: AICmCv/e//8=
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
msPKI-RA-Signature: 0
msPKI-Enrollment-Flag: 32
msPKI-Private-Key-Flag: 33685504
msPKI-Certificate-Name-Flag: 1207959552
msPKI-Minimal-Key-Size: 2048
msPKI-Template-Schema-Version: 3
msPKI-Template-Minor-Revision: 4
msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`



--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_CSP_forbidden.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 | Microsoft Software Key Storage Provider
5 |
6 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_DSA.inf:
--------------------------------------------------------------------------------
; certreq.exe -new input for the Computer_Online_DSA test: a PKCS#10 request
; with an empty subject (the "online" template is expected to supply it) and a
; 1024-bit DSA key from the legacy CAPI DSS provider. The other tests create
; their keys with New-CertificateRequest; this INF is the DSA key source
; (presumably because that helper does not cover DSA - confirm in
; Computer_Online_DSA.Tests.ps1). 1024 bits is believed to be the largest key
; this CSP offers; DSA/SHA-1 is legacy-only and must not be used outside the
; lab.
[NewRequest]
Subject="CN="
KeyAlgorithm=DSA
RequestType=PKCS10
KeyLength=1024
ProviderName="Microsoft Base DSS Cryptographic Provider"
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_DSA.ldf:
--------------------------------------------------------------------------------
# Certificate template "Computer_Online_DSA" for the integration lab.
# {ConfigNC} is a placeholder for the forest's configuration naming context;
# presumably substituted by Import-CertificateTemplate.ps1 before import.
# "Online" machine template with CA-built subject (Certificate-Name-Flag
# 0x48000000 = require CN + DNS SAN, no ENROLLEE_SUPPLIES_SUBJECT),
# autoenrollment enabled (0x20), EKU client authentication only, key usage
# 0xE0 = digitalSignature | nonRepudiation | keyEncipherment.
# The asymmetric algorithm is DSA with a 256-bit minimum key size; the
# matching Computer_Online_DSA.inf requests a 1024-bit DSA key. DSA with
# SHA-1 is a legacy combination kept here only to exercise algorithm rules.
dn: CN=Computer_Online_DSA,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
changetype: add
objectClass: top
objectClass: pKICertificateTemplate
cn: Computer_Online_DSA
distinguishedName: CN=Computer_Online_DSA,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
instanceType: 4
displayName: Computer_Online_DSA
showInAdvancedViewOnly: TRUE
name: Computer_Online_DSA
flags: 131680
revision: 100
objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
pKIDefaultKeySpec: 2
pKIKeyUsage:: 4A==
pKIMaxIssuingDepth: 0
pKICriticalExtensions: 2.5.29.15
pKIExpirationPeriod:: AEAepOhl+v8=
pKIOverlapPeriod:: AICmCv/e//8=
pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
msPKI-RA-Signature: 0
msPKI-Enrollment-Flag: 32
msPKI-Private-Key-Flag: 33685504
msPKI-Certificate-Name-Flag: 1207959552
msPKI-Minimal-Key-Size: 256
msPKI-Template-Schema-Version: 3
msPKI-Template-Minor-Revision: 9
msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`DSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`



--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_DSA.xml:
--------------------------------------------------------------------------------
1 |
3 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_ECDH.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "Computer_Online_ECDH"
}

Describe 'Computer_Online_ECDH.Tests' {

    It 'Given the key is compliant, a certificate is issued' {

        # The template asks for ECDH_P256; a request with such a key passes.
        $Request = New-CertificateRequest -Subject "CN=" -KeyAlgorithm ECDH_P256
        $Outcome = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate -MachineContext

        $Outcome.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Outcome.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
    }

    It 'Given the key is not compliant, no certificate is issued (key is RSA)' {

        $Request = New-CertificateRequest -Subject "CN=" -KeyAlgorithm RSA

        # Taken right before submission so that Test-AppEvent presumably only
        # looks at events logged by this request.
        $SubmittedAt = Get-Date
        $Outcome = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate -MachineContext

        $Outcome.Disposition | Should -Be $CertCli.CR_DISP_DENIED
        $Outcome.StatusCodeInt | Should -Be $WinError.CERTSRV_E_KEY_LENGTH

        # The denial must be traceable to the module's own event text
        # (leading wildcard, the rest matched verbatim).
        Test-AppEvent -Date $SubmittedAt -Message "*The certificate request does not use a ECC key pair as required by the certificate template, but a RSA key pair." | Should -Be $True
    }

    <# DSA and ECDSA keys need no dedicated test here: they are incompatible
       with an ECDH template and are rejected with CERT_E_WRONG_USAGE by the
       default policy module. #>

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_ECDH.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=Computer_Online_ECDH,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: Computer_Online_ECDH
6 | distinguishedName: CN=Computer_Online_ECDH,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: Computer_Online_ECDH
9 | showInAdvancedViewOnly: TRUE
10 | name: Computer_Online_ECDH
11 | flags: 131680
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: yA==
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
21 | msPKI-RA-Signature: 0
22 | msPKI-Enrollment-Flag: 32
23 | msPKI-Private-Key-Flag: 33685504
24 | msPKI-Certificate-Name-Flag: 1207959552
25 | msPKI-Minimal-Key-Size: 256
26 | msPKI-Template-Schema-Version: 3
27 | msPKI-Template-Minor-Revision: 8
28 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
29 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`ECDH_P256`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
30 |
31 |
32 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_ECDH.xml:
--------------------------------------------------------------------------------
1 |
3 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_ECDSA.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=Computer_Online_ECDSA,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: Computer_Online_ECDSA
6 | distinguishedName: CN=Computer_Online_ECDSA,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: Computer_Online_ECDSA
9 | showInAdvancedViewOnly: TRUE
10 | name: Computer_Online_ECDSA
11 | flags: 131680
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 2
15 | pKIKeyUsage:: 4A==
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
21 | msPKI-RA-Signature: 0
22 | msPKI-Enrollment-Flag: 32
23 | msPKI-Private-Key-Flag: 33685504
24 | msPKI-Certificate-Name-Flag: 1207959552
25 | msPKI-Minimal-Key-Size: 256
26 | msPKI-Template-Schema-Version: 3
27 | msPKI-Template-Minor-Revision: 7
28 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
29 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`ECDSA_P256`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
30 |
31 |
32 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_ECDSA.xml:
--------------------------------------------------------------------------------
1 |
3 | 384
4 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_NotAfter.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "Computer_Online_NotAfter"

    # The fixed expiry configured for this template, expressed in UTC so the
    # comparison below does not depend on the CA host's time zone.
    $ExpectedNotAfter = [DateTime]::new(2034, 12, 31, 23, 59, 59, [DateTimeKind]::Utc)
}

Describe 'Computer_Online_NotAfter.Tests' {

    It 'Given an ExpirationDate is configured, a certificate is issued with correct NotAfter date' {

        $Fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName

        $Request = New-CertificateRequest -Subject "CN=" -KeyAlgorithm ECDSA_P256
        $Response = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate -MachineContext

        $Response.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Response.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS

        # The request carries an empty CN; the issued subject is expected to be
        # the machine's fully qualified host name.
        $Response.Certificate.Subject | Should -Be "CN=$Fqdn"

        # NotAfter has to equal the configured cap exactly, not merely fall
        # somewhere inside the template's validity period.
        $Response.Certificate.NotAfter.ToUniversalTime() | Should -Be $ExpectedNotAfter
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_NotAfter.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=Computer_Online_NotAfter,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: Computer_Online_NotAfter
6 | distinguishedName: CN=Computer_Online_NotAfter,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: Computer_Online_NotAfter
9 | showInAdvancedViewOnly: TRUE
10 | name: Computer_Online_NotAfter
11 | flags: 131680
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 2
15 | pKIKeyUsage:: wA==
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AIAuaRb7x/8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
21 | msPKI-RA-Signature: 0
22 | msPKI-Enrollment-Flag: 32
23 | msPKI-Private-Key-Flag: 33685504
24 | msPKI-Certificate-Name-Flag: 1207959552
25 | msPKI-Minimal-Key-Size: 256
26 | msPKI-Template-Schema-Version: 3
27 | msPKI-Template-Minor-Revision: 6
28 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
29 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`ECDSA_P256`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
30 |
31 |
32 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_NotAfter.xml:
--------------------------------------------------------------------------------
1 |
2 | 2034-12-31T23:59:59.0000000+00:00
3 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_RSA.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=Computer_Online_RSA,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: Computer_Online_RSA
6 | distinguishedName: CN=Computer_Online_RSA,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: Computer_Online_RSA
9 | showInAdvancedViewOnly: TRUE
10 | name: Computer_Online_RSA
11 | flags: 131680
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 2
15 | pKIKeyUsage:: 4A==
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
21 | msPKI-RA-Signature: 0
22 | msPKI-Enrollment-Flag: 32
23 | msPKI-Private-Key-Flag: 33685504
24 | msPKI-Certificate-Name-Flag: 1207959552
25 | msPKI-Minimal-Key-Size: 256
26 | msPKI-Template-Schema-Version: 3
27 | msPKI-Template-Minor-Revision: 10
28 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
29 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
30 |
31 |
32 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_RSA.xml:
--------------------------------------------------------------------------------
1 |
3 | 1024
4 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_SubjectDN.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "Computer_Online_SubjectDN"
}

Describe 'Computer_Online_SubjectDN.Tests' {

    It 'Given a Subject RDN from DS mapping is enabled and not all attributes are populated, a certificate with desired content is issued' {

        $Fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName

        $Request = New-CertificateRequest -Subject "CN=" -KeyAlgorithm ECDSA_P256
        $Response = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate -MachineContext

        $Response.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Response.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS

        # The CN is expected to be mapped from the directory rather than taken
        # from the request's empty CN; "<NAME>$" looks like the computer
        # account's sAMAccountName.
        $Response.Certificate.Subject | Should -Be "CN=$($env:COMPUTERNAME)$"

        # The DNS SAN must still name the host, so the mapped CN does not
        # replace the identity relying parties actually validate against.
        $SanEntries = $Response.Certificate | Get-SubjectAlternativeNames | Select-Object -ExpandProperty SAN
        $SanEntries | Should -Contain "dNSName=$Fqdn"
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_SubjectDN.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=Computer_Online_SubjectDN,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: Computer_Online_SubjectDN
6 | distinguishedName: CN=Computer_Online_SubjectDN,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: Computer_Online_SubjectDN
9 | showInAdvancedViewOnly: TRUE
10 | name: Computer_Online_SubjectDN
11 | flags: 131680
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 2
15 | pKIKeyUsage:: wA==
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
21 | msPKI-RA-Signature: 0
22 | msPKI-Enrollment-Flag: 32
23 | msPKI-Private-Key-Flag: 33685504
24 | msPKI-Certificate-Name-Flag: 1207959552
25 | msPKI-Minimal-Key-Size: 256
26 | msPKI-Template-Schema-Version: 3
27 | msPKI-Template-Minor-Revision: 5
28 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
29 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`ECDSA_P256`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
30 |
31 |
32 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_SupplementServicePrincipalNames.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "Computer_Online_SupplementServicePrincipalNames"
}

Describe 'Computer_Online_SupplementServicePrincipalNames.Tests' {

    It 'Given SPNs are populated, SAN should contain them' {

        $Fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
        $ShortName = $env:COMPUTERNAME

        $Request = New-CertificateRequest -Subject "CN=" -KeyAlgorithm ECDSA_P256
        $Response = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate -MachineContext

        $Response.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Response.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        $Response.Certificate.Subject | Should -Be "CN=$Fqdn"

        # Resolve the SAN list once and check both expected dNSName entries:
        # the FQDN and the unqualified host name (presumably supplied by the
        # computer account's SPNs, as the test name suggests).
        # NOTE(review): an unqualified dNSName is only meaningful inside the
        # domain's own DNS suffix; confirm that supplementing short names is
        # intended for this template rather than a side effect.
        $SanEntries = $Response.Certificate | Get-SubjectAlternativeNames | Select-Object -ExpandProperty SAN
        $SanEntries | Should -Contain "dNSName=$Fqdn"
        $SanEntries | Should -Contain "dNSName=$ShortName"
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_SupplementServicePrincipalNames.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=Computer_Online_SupplementServicePrincipalNames,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: Computer_Online_SupplementServicePrincipalNames
6 | distinguishedName: CN=Computer_Online_SupplementServicePrincipalNames,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: Computer_Online_SupplementServicePrincipalNames
9 | showInAdvancedViewOnly: TRUE
10 | name: Computer_Online_SupplementServicePrincipalNames
11 | flags: 131680
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 2
15 | pKIKeyUsage:: wA==
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
21 | msPKI-RA-Signature: 0
22 | msPKI-Enrollment-Flag: 32
23 | msPKI-Private-Key-Flag: 33685504
24 | msPKI-Certificate-Name-Flag: 1207959552
25 | msPKI-Minimal-Key-Size: 256
26 | msPKI-Template-Schema-Version: 3
27 | msPKI-Template-Minor-Revision: 4
28 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
29 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`ECDSA_P256`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
30 |
31 |
32 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_SupplementServicePrincipalNames.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | true
4 |
5 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_process_allowed.inf:
--------------------------------------------------------------------------------
1 | [NewRequest]
2 | Subject="CN="
3 | KeyAlgorithm=ECDSA_P256
4 | RequestType=PKCS10
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_process_allowed.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=Computer_Online_process_allowed,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: Computer_Online_process_allowed
6 | distinguishedName: CN=Computer_Online_process_allowed,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: Computer_Online_process_allowed
9 | showInAdvancedViewOnly: TRUE
10 | name: Computer_Online_process_allowed
11 | flags: 131680
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 2
15 | pKIKeyUsage:: wA==
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
21 | msPKI-RA-Signature: 0
22 | msPKI-Enrollment-Flag: 32
23 | msPKI-Private-Key-Flag: 33685504
24 | msPKI-Certificate-Name-Flag: 1207959552
25 | msPKI-Minimal-Key-Size: 256
26 | msPKI-Template-Schema-Version: 3
27 | msPKI-Template-Minor-Revision: 3
28 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
29 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`ECDSA_P256`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
30 |
31 |
32 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_process_allowed.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 | taskhostw.exe
5 | certreq.exe
6 |
7 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_process_forbidden.inf:
--------------------------------------------------------------------------------
1 | [NewRequest]
2 | Subject="CN="
3 | KeyAlgorithm=ECDSA_P256
4 | RequestType=PKCS10
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_process_forbidden.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=Computer_Online_process_forbidden,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: Computer_Online_process_forbidden
6 | distinguishedName: CN=Computer_Online_process_forbidden,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: Computer_Online_process_forbidden
9 | showInAdvancedViewOnly: TRUE
10 | name: Computer_Online_process_forbidden
11 | flags: 131680
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 2
15 | pKIKeyUsage:: wA==
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
21 | msPKI-RA-Signature: 0
22 | msPKI-Enrollment-Flag: 32
23 | msPKI-Private-Key-Flag: 33685504
24 | msPKI-Certificate-Name-Flag: 1207959552
25 | msPKI-Minimal-Key-Size: 256
26 | msPKI-Template-Schema-Version: 3
27 | msPKI-Template-Minor-Revision: 2
28 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
29 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`ECDSA_P256`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`2`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
30 |
31 |
32 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/Computer_Online_process_forbidden.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 | mmc.exe
5 | powershell.exe
6 |
7 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer
6 | distinguishedName: CN=GenericWebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 4
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_AllRdnTypes.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_AllRdnTypes,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_AllRdnTypes
6 | distinguishedName: CN=GenericWebServer_AllRdnTypes,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_AllRdnTypes
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_AllRdnTypes
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 5
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_CSP_allowed.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_CSP_allowed,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_CSP_allowed
6 | distinguishedName: CN=GenericWebServer_CSP_allowed,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_CSP_allowed
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_CSP_allowed
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 5
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_CSP_allowed.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 | Microsoft Software Key Storage Provider
5 |
6 |
7 |
8 | commonName
9 | true
10 | 3
11 | 64
12 |
13 |
14 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
15 |
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_CSP_forbidden.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_CSP_forbidden,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_CSP_forbidden
6 | distinguishedName: CN=GenericWebServer_CSP_forbidden,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_CSP_forbidden
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_CSP_forbidden
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 6
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_CSP_forbidden.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 | Microsoft Software Key Storage Provider
5 |
6 |
7 |
8 | commonName
9 | true
10 | 3
11 | 64
12 |
13 |
14 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
15 |
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_NotAfter.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "GenericWebServer_NotAfter"

    # The configured expiry for this template, in UTC, so the assertion is
    # independent of the CA host's local time zone.
    $ExpectedNotAfter = [DateTime]::new(2034, 12, 31, 23, 59, 59, [DateTimeKind]::Utc)
}

Describe 'GenericWebServer_NotAfter.Tests' {

    It 'Given an ExpirationDate is configured, a certificate is issued with correct NotAfter date' {

        $RequestedSubject = "CN=www.intra.tmctests.internal"

        # Enrollee-supplied subject, submitted without machine context.
        $Request = New-CertificateRequest -Subject $RequestedSubject
        $Response = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Response.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Response.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        $Response.Certificate.Subject | Should -Be $RequestedSubject

        # The cap must be applied exactly, not merely fall inside the
        # template's validity period.
        $Response.Certificate.NotAfter.ToUniversalTime() | Should -Be $ExpectedNotAfter
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_NotAfter.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_NotAfter,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_NotAfter
6 | distinguishedName: CN=GenericWebServer_NotAfter,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_NotAfter
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_NotAfter
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AIAuaRb7x/8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 6
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_NotAfter.xml:
--------------------------------------------------------------------------------
1 |
3 | 2034-12-31T23:59:59.0000000+00:00
4 |
5 |
6 | commonName
7 | true
8 | 3
9 | 64
10 |
11 |
12 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
13 |
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_NotAfter_Audit.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "GenericWebServer_NotAfter_Audit"

    # The cap the rule would enforce outside audit mode, in UTC. In audit mode
    # it is expected NOT to be applied, so the issued NotAfter must lie beyond it.
    $ConfiguredCap = [DateTime]::new(2034, 12, 31, 23, 59, 59, [DateTimeKind]::Utc)
}

Describe 'GenericWebServer_NotAfter_Audit.Tests' {

    It 'Given an ExpirationDate and Audit mode are configured, a certificate is issued with regular NotAfter date' {

        $RequestedSubject = "CN=www.intra.tmctests.internal"

        $Request = New-CertificateRequest -Subject $RequestedSubject
        $Response = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Response.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Response.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        $Response.Certificate.Subject | Should -Be $RequestedSubject

        # Passing here relies on the template's own validity period extending
        # past the configured cap; the comparison is done in UTC on both sides.
        # NOTE(review): this shows the cap was not enforced, but not that the
        # violation was reported. An assertion on the audit event (as the
        # deny-path tests do with Test-AppEvent) would distinguish audit mode
        # from a rule that is silently never evaluated.
        $Response.Certificate.NotAfter.ToUniversalTime() | Should -BeGreaterThan $ConfiguredCap
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_NotAfter_Audit.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_NotAfter_Audit,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_NotAfter_Audit
6 | distinguishedName: CN=GenericWebServer_NotAfter_Audit,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_NotAfter_Audit
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_NotAfter_Audit
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AIAuaRb7x/8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 7
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_NotAfter_Audit.xml:
--------------------------------------------------------------------------------
1 |
3 | 2034-12-31T23:59:59.0000000+01:00
4 | true
5 |
6 |
7 | commonName
8 | true
9 | 3
10 | 64
11 |
12 |
13 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
14 |
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_NotAfter_passed.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_NotAfter_passed,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_NotAfter_passed
6 | distinguishedName: CN=GenericWebServer_NotAfter_passed,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_NotAfter_passed
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_NotAfter_passed
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AIAuaRb7x/8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 7
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_NotAfter_passed.xml:
--------------------------------------------------------------------------------
1 |
3 | 2020-12-31T23:59:59.0000000+01:00
4 |
5 |
6 | commonName
7 | true
8 | 3
9 | 64
10 |
11 |
12 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
13 |
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_StaticSubject.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "GenericWebServer_StaticSubject"
}

# Static Subject RDN supplementation (non-enforcing variant): the policy carries a
# fixed organizationName of "Contoso Corp." that is added to the Subject only when
# the requester did not supply an O RDN. A requester-supplied O is left untouched.
Describe 'GenericWebServer_StaticSubject.Tests' {

    It 'Given a request doesnt contain it, a Subject RDN is supplemented' {

        # Only the commonName is requested; the O RDN has to come from the policy.
        $Request = New-CertificateRequest -Subject "CN=www.intra.tmctests.internal"
        $Outcome = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Outcome.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Outcome.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        $Outcome.Certificate.Subject | Should -Be "CN=www.intra.tmctests.internal, O=Contoso Corp."
    }

    It 'Given a request does contain it, no Subject RDN is supplemented' {

        # The requester's own O RDN wins here because this variant does not enforce the static value.
        $Request = New-CertificateRequest -Subject "CN=www.intra.tmctests.internal, O=Fabrikam Inc."
        $Outcome = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Outcome.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Outcome.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        $Outcome.Certificate.Subject | Should -Be "CN=www.intra.tmctests.internal, O=Fabrikam Inc."
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_StaticSubject.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_StaticSubject,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_StaticSubject
6 | distinguishedName: CN=GenericWebServer_StaticSubject,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_StaticSubject
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_StaticSubject
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 5
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_StaticSubject.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 |
5 | commonName
6 | true
7 |
8 |
9 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
10 |
11 |
12 |
13 |
14 | organizationName
15 |
16 |
17 | ^.*$
18 |
19 |
20 |
21 |
22 |
23 |
24 | dNSName
25 | false
26 |
27 |
28 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
29 |
30 |
31 |
32 |
33 |
34 |
35 | organizationName
36 | Contoso Corp.
37 |
38 |
39 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_StaticSubjectAlternativeName.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 |
5 | commonName
6 | true
7 |
8 |
9 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
10 |
11 |
12 |
13 |
14 |
15 |
16 | rfc822Name
17 |
18 |
19 | ^support\@adcslabor.de$
20 |
21 |
22 |
23 |
24 |
25 |
26 | rfc822Name
27 | info@adcslabor.de
28 |
29 |
30 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_StaticSubjectAlternativeName_Forced.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 |
5 | commonName
6 | true
7 |
8 |
9 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
10 |
11 |
12 |
13 |
14 |
15 |
16 | rfc822Name
17 |
18 |
19 | ^support\@adcslabor.de$
20 |
21 |
22 |
23 |
24 |
25 |
26 | rfc822Name
27 | info@adcslabor.de
28 | true
29 |
30 |
31 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_StaticSubject_Forced.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "GenericWebServer_StaticSubject_Forced"
}

# Static Subject RDN supplementation (enforcing variant): the policy's fixed
# organizationName "Contoso Corp." ends up in the issued certificate regardless of
# what the requester asked for. This is the variant that stops a requester from
# choosing an organizationName of their own.
Describe 'GenericWebServer_StaticSubject_Forced.Tests' {

    It 'Given a request doesnt contain it, a Subject RDN is supplemented' {

        # No O RDN in the request: the static value is appended.
        $Request = New-CertificateRequest -Subject "CN=www.intra.tmctests.internal"
        $Outcome = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Outcome.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Outcome.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        $Outcome.Certificate.Subject | Should -Be "CN=www.intra.tmctests.internal, O=Contoso Corp."
    }

    It 'Given a request does contain it, and the rule is set to enforce, a Subject RDN is supplemented' {

        # The requester-supplied "O=Fabrikam Inc." must be replaced, not kept alongside the static value.
        $Request = New-CertificateRequest -Subject "CN=www.intra.tmctests.internal, O=Fabrikam Inc."
        $Outcome = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Outcome.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Outcome.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        $Outcome.Certificate.Subject | Should -Be "CN=www.intra.tmctests.internal, O=Contoso Corp."
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_StaticSubject_Forced.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_StaticSubject_Forced,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_StaticSubject_Forced
6 | distinguishedName: CN=GenericWebServer_StaticSubject_Forced,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_StaticSubject_Forced
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_StaticSubject_Forced
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 6
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_StaticSubject_Forced.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 |
5 | commonName
6 | true
7 |
8 |
9 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
10 |
11 |
12 |
13 |
14 | organizationName
15 |
16 |
17 | ^.*$
18 |
19 |
20 |
21 |
22 |
23 |
24 | dNSName
25 | false
26 |
27 |
28 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
29 |
30 |
31 |
32 |
33 |
34 |
35 | organizationName
36 | Contoso Corp.
37 | true
38 |
39 |
40 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_SubjectFromRequest.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_SubjectFromRequest,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_SubjectFromRequest
6 | distinguishedName: CN=GenericWebServer_SubjectFromRequest,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_SubjectFromRequest
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_SubjectFromRequest
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 5
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_SubjectOnly.Tests.ps1:
--------------------------------------------------------------------------------
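BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "GenericWebServer_SubjectOnly"
}

# The GenericWebServer_SubjectOnly policy defines a commonName rule and nothing
# else (no SubjectAlternativeName rules). The accompanying .inf attaches a dNSName
# SAN to the request via an enrollment-agent-signed "certreq -policy" wrap. The
# commonName itself is compliant, so what this test pins down is that a SAN type
# the policy does not cover leads to a denial (CERT_E_INVALID_NAME) instead of
# being passed through to the issued certificate.
Describe 'GenericWebServer_SubjectOnly.Tests' {

    It 'Given a request carries a SAN type the policy does not define, no certificate is issued' {

        # The plain CSR is built with PSCertificateEnrollment; certreq then re-wraps it so the
        # extensions from the .inf (the dNSName SAN) get added and the result is signed by an
        # enrollment agent certificate from the current user's store.
        $RequestFileName1 = "$($env:temp)\$((New-Guid).Guid).req"
        $RequestFileName2 = "$($env:temp)\$((New-Guid).Guid).req"

        try {
            $SigningCertificate = (Get-ChildItem -Path Cert:\CurrentUser\My |
                Where-Object { $_.EnhancedKeyUsageList.ObjectId -Contains $Oid.XCN_OID_ENROLLMENT_AGENT }).Thumbprint

            $Csr1 = New-CertificateRequest -Subject "CN=www.intra.tmctests.internal"
            $Csr1 | Out-File -FilePath $RequestFileName1 -Force

            # Output is discarded, as in the sibling tests that shell out to certreq.
            [void](& certreq -q -cert $SigningCertificate -policy $RequestFileName1 "$PSScriptRoot\$($CertificateTemplate).inf" $RequestFileName2)

            $Csr2 = Get-Content -Path $RequestFileName2 -raw

            $Result = $Csr2 | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

            $Result.Disposition | Should -Be $CertCli.CR_DISP_DENIED
            $Result.StatusCodeInt | Should -Be $WinError.CERT_E_INVALID_NAME
        }
        finally {
            # Previously the two request files were left behind in %TEMP% on every run.
            Remove-Item -Path $RequestFileName1, $RequestFileName2 -Force -ErrorAction SilentlyContinue
        }
    }
}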
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_SubjectOnly.inf:
--------------------------------------------------------------------------------
1 | [Version]
2 | Signature="$Windows NT$"
3 |
4 | [Strings]
5 | SERVER_FQDN = "www.intra.tmctests.internal"
6 |
7 | szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
8 | szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
9 |
10 | [Extensions]
11 | %szOID_SUBJECT_ALT_NAME2% = "{text}dns=%SERVER_FQDN%"
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_SubjectOnly.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_SubjectOnly,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_SubjectOnly
6 | distinguishedName: CN=GenericWebServer_SubjectOnly,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_SubjectOnly
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_SubjectOnly
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 5
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_SubjectOnly.xml:
--------------------------------------------------------------------------------
1 |
3 | 2048
4 | 3072
5 |
6 |
7 | commonName
8 | true
9 | 64
10 |
11 |
12 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
13 |
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_brokenPolicy.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "GenericWebServer_brokenPolicy"
}

# Fail-closed behaviour for an unparseable policy file: the request must be denied
# (NTE_FAIL) rather than falling through to the template's own defaults, and the
# XML parse error must be surfaced in the application event log.
Describe 'GenericWebServer_brokenPolicy.Tests' {

    It 'Given the policy file is broken, no certificate is issued' {

        $Request = New-CertificateRequest -Subject "CN=www.intra.tmctests.internal" -KeyLength 2048

        # Taken before submission so that only events written by this request are considered.
        $SubmittedAt = Get-Date

        $Outcome = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Outcome.Disposition | Should -Be $CertCli.CR_DISP_DENIED
        $Outcome.StatusCodeInt | Should -Be $WinError.NTE_FAIL

        Test-AppEvent -Id 10 -Date $SubmittedAt -Message "*There is an error in XML document (0, 0). Root element is missing." | Should -Be $True
    }
}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_brokenPolicy.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_brokenPolicy,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_brokenPolicy
6 | distinguishedName: CN=GenericWebServer_brokenPolicy,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_brokenPolicy
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_brokenPolicy
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 6
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_brokenPolicy.xml:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_emptyPolicy.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "GenericWebServer_emptyPolicy"
}

# A policy file without any Subject rules is a deny-by-default policy: the commonName
# in the request is not covered by a rule, so the request is rejected and the reason
# is written to the application event log.
Describe 'GenericWebServer_emptyPolicy.Tests' {

    It 'Given a request is not compliant, no certificate is issued (RDN type not defined)' {

        $Request = New-CertificateRequest -Subject "CN=www.intra.tmctests.internal" -KeyLength 2048

        # Lower bound for the event log lookup below.
        $SubmittedAt = Get-Date

        $Outcome = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Outcome.Disposition | Should -Be $CertCli.CR_DISP_DENIED
        $Outcome.StatusCodeInt | Should -Be $WinError.CERT_E_INVALID_NAME

        Test-AppEvent -Date $SubmittedAt -Message "*The commonName field is not allowed." | Should -Be $True
    }
}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_emptyPolicy.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_emptyPolicy,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_emptyPolicy
6 | distinguishedName: CN=GenericWebServer_emptyPolicy,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_emptyPolicy
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_emptyPolicy
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 6
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_emptyPolicy.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_emptyPolicy_Audit.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "GenericWebServer_emptyPolicy_Audit"
}

# Audit mode: the same empty (deny-by-default) policy that rejects this request in
# GenericWebServer_emptyPolicy is applied with the audit flag set, so the request is
# issued regardless. Audit mode therefore does not block anything; it is a staging
# aid for a policy, not a control.
# NOTE(review): the sibling tests check the logged event with Test-AppEvent; this one
# only checks issuance. It would be worth also asserting that the violation was logged
# in audit mode — event id/message to be confirmed against the implementation.
Describe 'GenericWebServer_emptyPolicy_Audit.Tests' {

    It 'Given a request is not compliant but policy is in Audit mode, a certificate is issued' {

        $Request = New-CertificateRequest -Subject "CN=www.intra.tmctests.internal" -KeyLength 2048
        $Outcome = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Outcome.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Outcome.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
    }
}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_emptyPolicy_Audit.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_emptyPolicy_Audit,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_emptyPolicy_Audit
6 | distinguishedName: CN=GenericWebServer_emptyPolicy_Audit,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_emptyPolicy_Audit
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_emptyPolicy_Audit
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 7
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_emptyPolicy_Audit.xml:
--------------------------------------------------------------------------------
1 |
3 | true
4 |
5 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_noPolicy.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_noPolicy,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_noPolicy
6 | distinguishedName: CN=GenericWebServer_noPolicy,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_noPolicy
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_noPolicy
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 5
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_noPolicy_pending.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_noPolicy_pending,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_noPolicy_pending
6 | distinguishedName: CN=GenericWebServer_noPolicy_pending,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_noPolicy_pending
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_noPolicy_pending
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 2
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 6
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_pending.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "GenericWebServer_pending"
}

# Manager-approval flow: the template puts every request into the pending state
# first. The request is then resubmitted with certutil (acting as the CA admin) and
# the issued certificate is fetched by request id.
Describe 'GenericWebServer_pending.Tests' {

    It 'Given a pending request is resubmitted by an admin, a certificate is issued' {

        $Request = New-CertificateRequest -Subject "CN=www.intra.tmctests.internal"

        # First submission: expected to land in the pending queue, not to be issued.
        $Pending = $Request | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        # Admin-side approval of the queued request.
        (& certutil -config $ConfigString -resubmit $Pending.RequestId)

        # Second lookup by id: the request should now be issued.
        $Issued = Get-IssuedCertificate -ConfigString $ConfigString -RequestId $Pending.RequestId

        $Pending.Disposition | Should -Be $CertCli.CR_DISP_UNDER_SUBMISSION
        $Pending.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        $Issued.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Issued.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        $Issued.Certificate.Subject | Should -Be "CN=www.intra.tmctests.internal"
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_pending.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_pending,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_pending
6 | distinguishedName: CN=GenericWebServer_pending,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_pending
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_pending
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 2
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 6
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_process_allowed.Tests.ps1:
--------------------------------------------------------------------------------
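BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "GenericWebServer_process_allowed"

}

Describe 'GenericWebServer_process_allowed.Tests' {

    # The policy file for this template lists taskhostw.exe and certreq.exe,
    # so a compliant request has to be produced by certreq.exe rather than by
    # the PowerShell host that runs these tests.
    #
    # NOTE(review): the process name reaches the CA inside the request itself
    # (client-supplied request attributes), so this rule is hygiene against
    # accidental misuse rather than an authentication boundary; a custom client
    # can present any process name. Confirm against the policy module docs.

    It 'Given a request is compliant, a certificate is issued' {

        # We explicitly don't create this request with PSCertificateEnrollment,
        # as powershell.exe is not an allowed process for this template.
        $RequestFileName = "$($env:temp)\$((New-Guid).Guid).req"

        try {
            [void](& certreq.exe -new "$PSScriptRoot\$($CertificateTemplate).inf" $RequestFileName)

            # Fail here with a meaningful message if request generation itself
            # failed. Otherwise an empty CSR would be submitted and the test
            # would fail on an unrelated assertion further down.
            $LASTEXITCODE | Should -Be 0
            Test-Path -Path $RequestFileName | Should -Be $true

            $Csr = Get-Content -Path $RequestFileName -Raw

            $Result = $Csr | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

            $Result.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
            $Result.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
            $Result.Certificate.Subject | Should -Be "CN=www.intra.tmctests.internal"
        }
        finally {
            # Do not leave the CSR behind in %TEMP%. Note that certreq -new also
            # generates a private key in the caller's key store, which is not
            # cleaned up here.
            Remove-Item -Path $RequestFileName -Force -ErrorAction SilentlyContinue
        }
    }

    It 'Given a request is not compliant, no certificate is issued' {

        # New-CertificateRequest runs inside powershell.exe, which is not in the
        # allowed process list for this template, so the request must be denied.
        $Csr = New-CertificateRequest -Subject "CN=www.intra.tmctests.internal"
        $Result = $Csr | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Result.Disposition | Should -Be $CertCli.CR_DISP_DENIED
        $Result.StatusCodeInt | Should -Be $WinError.CERTSRV_E_TEMPLATE_DENIED
    }

}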
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_process_allowed.inf:
--------------------------------------------------------------------------------
1 | [NewRequest]
2 | Subject="CN=www.intra.tmctests.internal"
3 | KeyAlgorithm=RSA
4 | KeyLength=2048
5 | RequestType=PKCS10
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_process_allowed.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_process_allowed,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_process_allowed
6 | distinguishedName: CN=GenericWebServer_process_allowed,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_process_allowed
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_process_allowed
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 6
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_process_allowed.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 | taskhostw.exe
5 | certreq.exe
6 |
7 |
8 |
9 | commonName
10 | true
11 | 3
12 | 64
13 |
14 |
15 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
16 |
17 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_process_forbidden.inf:
--------------------------------------------------------------------------------
1 | [NewRequest]
2 | Subject="CN=www.intra.tmctests.internal"
3 | KeyAlgorithm=RSA
4 | KeyLength=2048
5 | RequestType=PKCS10
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_process_forbidden.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=GenericWebServer_process_forbidden,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: GenericWebServer_process_forbidden
6 | distinguishedName: CN=GenericWebServer_process_forbidden,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: GenericWebServer_process_forbidden
9 | showInAdvancedViewOnly: TRUE
10 | name: GenericWebServer_process_forbidden
11 | flags: 131649
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 0
24 | msPKI-Private-Key-Flag: 33685504
25 | msPKI-Certificate-Name-Flag: 1
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 7
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.1
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/GenericWebServer_process_forbidden.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 | mmc.exe
5 | powershell.exe
6 |
7 |
8 |
9 | commonName
10 | true
11 | 3
12 | 64
13 |
14 |
15 | ^[-_a-zA-Z0-9]*(\.intra)?(\.tmctests\.internal)$
16 |
17 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/SpecialChars.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    # The template name deliberately contains characters that are invalid in
    # Windows file names and special in LDAP filter / regex syntax, to prove
    # that the policy module still locates and applies the matching policy.
    $CertificateTemplate = "SpecialChars_Üöäß/&|()."
}

Describe 'SpecialChars_Üöäß/&|()..Tests' {

    It 'Given a certificate template name contains illegal characters, a certificate is issued' {

        $Subject = "CN=www.intra.tmctests.internal"

        $Result = New-CertificateRequest -Subject $Subject |
            Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Result.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Result.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        $Result.Certificate.Subject | Should -Be $Subject
    }
}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/SpecialChars.ldf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/TameMyCerts.IntegrationTests/Tests/SpecialChars.ldf
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/TameMyCerts.Tests.ps1:
--------------------------------------------------------------------------------
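BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    # Restart the CA so that the policy module is (re)loaded and the
    # "module loaded" event checked below is emitted after $TestStartTime.
    Restart-Service -Name CertSvc

    # Wait for the CA to accept requests again, but bound the wait: if the
    # service never comes back (e.g. the policy module fails to load and
    # CertSvc stops), fail the run instead of looping forever.
    $Timeout = New-TimeSpan -Minutes 2
    $Stopwatch = [System.Diagnostics.Stopwatch]::StartNew()

    while (-not (Test-AdcsServiceAvailability)) {

        if ($Stopwatch.Elapsed -gt $Timeout) {
            throw "CertSvc did not become available within $($Timeout.TotalSeconds) seconds after restart."
        }

        Start-Sleep -Seconds 1
    }
}

Describe 'TameMyCerts.Tests' {

    It 'Given the module is installed, it is the active one' {

        # The CA only consults the policy module named in the "Active" value
        # under PolicyModules. A module that is merely registered but not
        # active enforces nothing, so every other test would be meaningless.
        $RegistryRoot = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\PolicyModules"
        $Active = (Get-ItemProperty -Path $RegistryRoot -Name Active).Active
        $Active | Should -Be "TameMyCerts.Policy"
    }

    It 'Given the module is installed, it is successfully loaded' {

        # Event Id 1 from the TameMyCerts provider is taken as the "module
        # loaded" signal. -ErrorAction SilentlyContinue is required because
        # Get-WinEvent throws when no event matches the filter; wrapping in
        # @() keeps .Count well-defined for zero or one result.
        $Events = @(Get-WinEvent -FilterHashtable @{
            Logname='Application'; ProviderName='TameMyCerts'; Id=1; StartTime=$TestStartTime
        } -ErrorAction SilentlyContinue)

        # Exactly one: zero means the module did not load, more than one means
        # the CA was restarted more than once since $TestStartTime.
        $Events.Count | Should -Be 1
    }
}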
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/TestLabEnrollmentAgent.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=TestLabEnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: TestLabEnrollmentAgent
6 | distinguishedName: CN=TestLabEnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: TestLabEnrollmentAgent
9 | showInAdvancedViewOnly: TRUE
10 | name: TestLabEnrollmentAgent
11 | flags: 131616
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 2
15 | pKIKeyUsage:: gAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AIByDl3C/f8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.4.1.311.20.2.1
21 | pKIDefaultCSPs: 2,Microsoft Base Cryptographic Provider v1.0
22 | pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 32
25 | msPKI-Private-Key-Flag: 33685504
26 | msPKI-Certificate-Name-Flag: -2113929216
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 2
29 | msPKI-Template-Minor-Revision: 2
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.4.1.311.20.2.1
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_DenyIfExisting.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "User_Offline_DenyIfExisting"
}

Describe 'User_Offline_DenyIfExisting.Tests' {

    # Offline template: the enrollee supplies the subject. Per the policy file
    # and the test names, the requested UPN is mapped to a directory object and
    # the request is denied when such an object exists, i.e. this template is
    # meant only for identities that have no AD account behind them.

    It 'Given a user is not found, a certificate is issued' {

        $Upn = "NonExistingUser@tmctests.internal"

        $Result = New-CertificateRequest -Upn $Upn |
            Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Result.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Result.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
    }

    It 'Given a user is found, no certificate is issued' {

        $Upn = "TestUser1@tmctests.internal"

        $Result = New-CertificateRequest -Upn $Upn |
            Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Result.Disposition | Should -Be $CertCli.CR_DISP_DENIED
        $Result.StatusCodeInt | Should -Be $WinError.CERTSRV_E_TEMPLATE_DENIED
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_DenyIfExisting.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_DenyIfExisting,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_DenyIfExisting
6 | distinguishedName: CN=User_Offline_DenyIfExisting,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_DenyIfExisting
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_DenyIfExisting
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKICriticalExtensions: 2.5.29.7
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 11
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_DenyIfExisting.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 |
5 | userPrincipalName
6 | true
7 | 64
8 |
9 |
10 | ^[a-zA-Z0-9]*(\@tmctests\.internal)$
11 |
12 |
13 |
14 |
15 |
16 | Deny
17 |
18 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_DsMapping.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_DsMapping,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_DsMapping
6 | distinguishedName: CN=User_Offline_DsMapping,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_DsMapping
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_DsMapping
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKICriticalExtensions: 2.5.29.7
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 10
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_DsMapping.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | userPrincipalName
5 | true
6 | 128
7 |
8 |
9 | ^[\-\.a-zA-Z0-9]*\@tmctests\.internal$
10 |
11 |
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_DsMapping_GroupMemberships.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | userPrincipalName
5 | true
6 | 128
7 |
8 |
9 | ^[\-\.a-zA-Z0-9]*\@tmctests\.internal$
10 |
11 |
12 |
13 |
14 |
15 |
16 | CN=An allowed Group,OU=TameMyCerts Groups,DC=tmctests,DC=internal
17 |
18 |
19 | CN=A forbidden Group,OU=TameMyCerts Groups,DC=tmctests,DC=internal
20 |
21 |
22 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_DsMapping_SearchRoot.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_DsMapping_SearchRoot,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_DsMapping_SearchRoot
6 | distinguishedName: CN=User_Offline_DsMapping_SearchRoot,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_DsMapping_SearchRoot
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_DsMapping_SearchRoot
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.7
18 | pKICriticalExtensions: 2.5.29.15
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 11
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_DsMapping_SearchRoot.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | userPrincipalName
5 | true
6 | 128
7 |
8 |
9 | ^[\-\.a-zA-Z0-9]*\@tmctests\.internal$
10 |
11 |
12 |
13 |
14 |
15 | OU=TameMyCerts Users,DC=tmctests,DC=internal
16 |
17 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Pattern.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "User_Offline_Pattern"
}

Describe 'User_Offline_Pattern.Tests' {

    # Both requests carry a UPN accepted by the first pattern in the policy
    # file; what appears to differ is whether the mapped directory object's
    # userPrincipalName matches the second pattern.
    #
    # NOTE(review): that second pattern, ^[a-zA-Z]*1(\@tmctests\.internal)$,
    # matches TestUser1 (issued) and not TestUser2 (denied), which reads like
    # an allow-list rather than a blacklist. The test titles below may describe
    # the policy inversely; confirm against the policy file before relying on them.

    It 'Given a DS attribute does not hit the blacklisted pattern, a certificate is issued' {

        $Result = New-CertificateRequest -Upn "TestUser1@tmctests.internal" |
            Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Result.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Result.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
    }

    It 'Given a DS attribute does hit the blacklisted pattern, no certificate is issued' {

        $Result = New-CertificateRequest -Upn "TestUser2@tmctests.internal" |
            Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Result.Disposition | Should -Be $CertCli.CR_DISP_DENIED
        $Result.StatusCodeInt | Should -Be $WinError.CERTSRV_E_TEMPLATE_DENIED
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Pattern.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_Pattern,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_Pattern
6 | distinguishedName: CN=User_Offline_Pattern,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_Pattern
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_Pattern
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.7
18 | pKICriticalExtensions: 2.5.29.15
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 13
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Pattern.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | userPrincipalName
5 | true
6 | 64
7 |
8 |
9 | ^[a-zA-Z0-9]*(\@tmctests\.internal)$
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 | userPrincipalName
18 | true
19 |
20 |
21 | ^[a-zA-Z]*1(\@tmctests\.internal)$
22 |
23 |
24 |
25 |
26 |
27 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_Add.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_Sid_Add,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_Sid_Add
6 | distinguishedName: CN=User_Offline_Sid_Add,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_Sid_Add
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_Sid_Add
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.7
18 | pKICriticalExtensions: 2.5.29.15
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 16
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_Add.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | commonName
5 | true
6 | 64
7 |
8 |
9 | ^[a-zA-Z0-9]*$
10 |
11 |
12 |
13 |
14 |
15 |
16 | commonName
17 | sAMAccountName
18 |
19 | Add
20 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_AddUri.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "User_Offline_Sid_AddUri"

    Import-Module -Name ActiveDirectory
}

Describe 'User_Offline_Sid_AddUri.Tests' {

    It 'Given DS mapping is enabled with SID Uri, it is added to the issued certificate' {

        # Enroll for the account running the tests, so the expected SID can be
        # read from AD independently of whatever the CA puts into the certificate.
        $Account = Get-ADUser -Identity $env:Username
        $ExpectedSan = "uniformResourceIdentifier=tag:microsoft.com,2022-09-14:sid:$($Account.SID)"

        $Result = New-CertificateRequest -Subject "CN=$($Account.Name)" |
            Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Result.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Result.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS

        # The request carried no SID of its own, so the SID URI in the SAN must
        # have been derived by the policy module from the mapped directory object.
        $SanEntries = $Result.Certificate | Get-SubjectAlternativeNames | Select-Object -ExpandProperty SAN
        $SanEntries | Should -Contain $ExpectedSan

    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_AddUri.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_Sid_AddUri,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_Sid_AddUri
6 | distinguishedName: CN=User_Offline_Sid_AddUri,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_Sid_AddUri
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_Sid_AddUri
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.7
18 | pKICriticalExtensions: 2.5.29.15
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 17
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_AddUri.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | commonName
5 | true
6 | 64
7 |
8 |
9 | ^[a-zA-Z0-9]*$
10 |
11 |
12 |
13 |
14 |
15 |
16 | commonName
17 | sAMAccountName
18 | true
19 |
20 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_Allow.Tests.ps1:
--------------------------------------------------------------------------------
BeforeAll {

    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "User_Offline_Sid_Allow"
}

Describe 'User_Offline_Sid_Allow.Tests' {

    It 'Given a SID extension is requested, a certificate with SID extension is issued' {

        # The SID is chosen by the requester (RID 500 here) and, with the policy
        # set to Allow, ends up in the certificate without being derived from AD.
        # That is the behaviour under test; such a configuration is only
        # acceptable where the requesters are trusted to assert identities.
        $RequestedSid = "S-1-5-21-1471894826-1984196480-850735463-500"

        $Result = New-CertificateRequest -Subject "CN=TestUser1" -Sid $RequestedSid |
            Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Result.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Result.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS

        # Only the presence of the extension is asserted, not its content.
        # NOTE(review): also asserting that the embedded SID equals $RequestedSid
        # would make this test considerably stronger.
        $SidExtension = $Result.Certificate.Extensions |
            Where-Object { $_.Oid.Value -eq $Oid.szOID_DS_CA_SECURITY_EXT }

        [bool]$SidExtension | Should -Be $True
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_Allow.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_Sid_Allow,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_Sid_Allow
6 | distinguishedName: CN=User_Offline_Sid_Allow,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_Sid_Allow
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_Sid_Allow
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.7
18 | pKICriticalExtensions: 2.5.29.15
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 14
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_Allow.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | commonName
5 | true
6 | 64
7 |
8 |
9 | ^[a-zA-Z0-9]*$
10 |
11 |
12 |
13 |
14 | Allow
15 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_Deny.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_Sid_Deny,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_Sid_Deny
6 | distinguishedName: CN=User_Offline_Sid_Deny,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_Sid_Deny
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_Sid_Deny
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKICriticalExtensions: 2.5.29.7
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 13
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_Deny.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | commonName
5 | true
6 | 64
7 |
8 |
9 | ^[a-zA-Z0-9]*$
10 |
11 |
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_Remove.Tests.ps1:
--------------------------------------------------------------------------------
# Pester integration test: the "Remove" SID-extension policy strips a requester-supplied
# SID extension (szOID_DS_CA_SECURITY_EXT) from the issued certificate instead of denying
# the request outright.
BeforeAll {

    # Shared fixtures ($ConfigString, $CertCli, $WinError, $Oid, New-CertificateRequest,
    # Get-IssuedCertificate) come from the lab's Init.ps1; the path is fixed to the lab layout.
    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "User_Offline_Sid_Remove"
}

Describe 'User_Offline_Sid_Remove.Tests' {

    It 'Given a SID extension is requested, a certificate without SID extension is issued' {

        # Offline template (enrollee supplies the subject per the matching .ldf), so the requester
        # can also choose the SID - here RID 500, the domain's built-in Administrator. That value
        # must never reach the issued certificate.
        $Csr = New-CertificateRequest -Subject "CN=TestUser1" -Sid "S-1-5-21-1471894826-1984196480-850735463-500"
        $Result = $Csr | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        # Issuance itself must still succeed ...
        $Result.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Result.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        # ... but the SID extension must be absent from what the CA signed.
        [bool]($Result.Certificate.Extensions | Where-Object {$_.Oid.Value -eq $Oid.szOID_DS_CA_SECURITY_EXT }) |
            Should -Be $False
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_Remove.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_Sid_Remove,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_Sid_Remove
6 | distinguishedName: CN=User_Offline_Sid_Remove,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_Sid_Remove
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_Sid_Remove
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKICriticalExtensions: 2.5.29.7
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 15
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_Sid_Remove.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | commonName
5 | true
6 | 64
7 |
8 |
9 | ^[a-zA-Z0-9]*$
10 |
11 |
12 |
13 |
14 | Remove
15 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_SubjectAltName_Mandatory.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_SubjectAltName_Mandatory,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_SubjectAltName_Mandatory
6 | distinguishedName: CN=User_Offline_SubjectAltName_Mandatory,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_SubjectAltName_Mandatory
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_SubjectAltName_Mandatory
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKICriticalExtensions: 2.5.29.7
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 12
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_SubjectAltName_Mandatory.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | commonName
5 | true
6 | 64
7 |
8 |
9 | ^[a-zA-Z0-9]*$
10 |
11 |
12 |
13 |
14 |
15 | commonName
16 | sAMAccountName
17 |
18 |
19 |
20 | userPrincipalName
21 | {ad:userPrincipalName}
22 | true
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_SubjectDN.Tests.ps1:
--------------------------------------------------------------------------------
# Pester integration test: with Subject-RDN-from-directory mapping enabled, a request that carries
# only a UPN is issued with a subject assembled from the enrollee's directory attributes.
BeforeAll {

    # Shared fixtures ($ConfigString, $CertCli, $WinError, New-CertificateRequest,
    # Get-IssuedCertificate) are provided by the lab's Init.ps1 at a fixed path.
    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "User_Offline_SubjectDN"
}

Describe 'User_Offline_SubjectDN.Tests' {

    It 'Given a Subject RDN from DS mapping is enabled and not all attributes are populated, a certificate with desired content is issued' {

        # The CSR carries no Subject at all, only a UPN identifying TestUser2; the policy builds the DN.
        $Csr = New-CertificateRequest -Upn "TestUser2@tmctests.internal"
        $Result = $Csr | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Result.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Result.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        # Expected: CN from the UPN, givenName (G) and surname (SN) from the directory. Per the test
        # title, mapped attributes that are empty for TestUser2 are left out rather than failing the request.
        # NOTE(review): Pester's -Be compares strings case-insensitively, so the lower-case CN written
        # here is not actually enforced; switch to -BeExactly if the casing of the issued DN matters.
        $Result.Certificate.Subject | Should -Be "CN=testuser2@tmctests.internal, G=Test, SN=User 2"
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_SubjectDN.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_SubjectDN,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_SubjectDN
6 | distinguishedName: CN=User_Offline_SubjectDN,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_SubjectDN
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_SubjectDN
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.7
18 | pKICriticalExtensions: 2.5.29.15
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 12
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_SubjectDN_Mandatory.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_SubjectDN_Mandatory,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_SubjectDN_Mandatory
6 | distinguishedName: CN=User_Offline_SubjectDN_Mandatory,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_SubjectDN_Mandatory
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_SubjectDN_Mandatory
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKICriticalExtensions: 2.5.29.7
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 11
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_SubjectDN_same.Tests.ps1:
--------------------------------------------------------------------------------
# Pester integration test: when the outbound commonName is mapped from the {sdn:commonName} token
# (see User_Offline_SubjectDN_same.xml), the CN supplied in the CSR is carried into the certificate.
BeforeAll {

    # Shared fixtures ($ConfigString, $CertCli, $WinError, New-CertificateRequest,
    # Get-IssuedCertificate) are provided by the lab's Init.ps1 at a fixed path.
    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "User_Offline_SubjectDN_same"
}

Describe 'User_Offline_SubjectDN_same.Tests' {

    It 'Given a Subject RDN from the CSR is to be written into the outbound DN, a certificate with desired content is issued' {

        # Offline template: the enrollee supplies the subject, so this CN originates from the request itself.
        $CN = "Thismuststaythesame"
        $Csr = New-CertificateRequest -Subject "CN=$CN"
        $Result = $Csr | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Result.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Result.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        # NOTE(review): -Be is case-insensitive for strings; use -BeExactly if "stay the same" is meant
        # to include the casing of the CN.
        $Result.Certificate.Subject | Should -Be "CN=$CN"
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_SubjectDN_same.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_SubjectDN_same,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_SubjectDN_same
6 | distinguishedName: CN=User_Offline_SubjectDN_same,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_SubjectDN_same
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_SubjectDN_same
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKICriticalExtensions: 2.5.29.7
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 14
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_SubjectDN_same.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 |
5 | commonName
6 | true
7 | 64
8 |
9 |
10 | ^[a-zA-Z0-9]*$
11 |
12 |
13 |
14 |
15 |
16 |
17 | commonName
18 | {sdn:commonName}
19 | true
20 | true
21 |
22 |
23 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_noPolicy.Tests.ps1:
--------------------------------------------------------------------------------
# Pester integration test (baseline - no TameMyCerts policy configured for this template): a
# requester-supplied SID extension (szOID_DS_CA_SECURITY_EXT) is passed straight through into
# the issued certificate.
#
# Security note: this documents the unmitigated behaviour. The template is offline (enrollee
# supplies the subject per the matching .ldf), so any requester can assert an arbitrary SID -
# here RID 500, the domain's built-in Administrator - and have the CA certify it. The
# User_Offline_Sid_Deny / User_Offline_Sid_Remove templates exercise the policies that close this.
BeforeAll {

    # Shared fixtures ($ConfigString, $CertCli, $WinError, $Oid, New-CertificateRequest,
    # Get-IssuedCertificate) come from the lab's Init.ps1 at a fixed path.
    . "C:\INSTALL\TameMyCerts\Tests\lib\Init.ps1"

    $CertificateTemplate = "User_Offline_noPolicy"
}

Describe 'User_Offline_noPolicy.Tests' {

    It 'Given a SID extension is requested, a certificate is issued' {

        $Csr = New-CertificateRequest -Subject "CN=TestUser1" -Sid "S-1-5-21-1471894826-1984196480-850735463-500"
        $Result = $Csr | Get-IssuedCertificate -ConfigString $ConfigString -CertificateTemplate $CertificateTemplate

        $Result.Disposition | Should -Be $CertCli.CR_DISP_ISSUED
        $Result.StatusCodeInt | Should -Be $WinError.ERROR_SUCCESS
        # Without a policy the requester-chosen SID extension is present in the issued certificate.
        [bool]($Result.Certificate.Extensions | Where-Object {$_.Oid.Value -eq $Oid.szOID_DS_CA_SECURITY_EXT }) |
            Should -Be $True
    }

}
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Offline_noPolicy.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Offline_noPolicy,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Offline_noPolicy
6 | distinguishedName: CN=User_Offline_noPolicy,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Offline_noPolicy
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Offline_noPolicy
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKICriticalExtensions: 2.5.29.7
19 | pKIExpirationPeriod:: AEAepOhl+v8=
20 | pKIOverlapPeriod:: AICmCv/e//8=
21 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
22 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
23 | msPKI-RA-Signature: 0
24 | msPKI-Enrollment-Flag: 0
25 | msPKI-Private-Key-Flag: 33685520
26 | msPKI-Certificate-Name-Flag: 1
27 | msPKI-Minimal-Key-Size: 2048
28 | msPKI-Template-Schema-Version: 3
29 | msPKI-Template-Minor-Revision: 17
30 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
31 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
32 |
33 |
34 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Online.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Online,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Online
6 | distinguishedName: CN=User_Online,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Online
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Online
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 32
24 | msPKI-Private-Key-Flag: 33685520
25 | msPKI-Certificate-Name-Flag: 1107296256
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 17
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Online_YubiKey.ldf:
--------------------------------------------------------------------------------
1 | dn: CN=User_Online_YubiKey,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
2 | changetype: add
3 | objectClass: top
4 | objectClass: pKICertificateTemplate
5 | cn: User_Online_YubiKey
6 | distinguishedName: CN=User_Online_YubiKey,CN=Certificate Templates,CN=Public Key Services,CN=Services,{ConfigNC}
7 | instanceType: 4
8 | displayName: User_Online_YubiKey
9 | showInAdvancedViewOnly: TRUE
10 | name: User_Online_YubiKey
11 | flags: 131642
12 | revision: 100
13 | objectCategory: CN=PKI-Certificate-Template,CN=Schema,{ConfigNC}
14 | pKIDefaultKeySpec: 1
15 | pKIKeyUsage:: oAA=
16 | pKIMaxIssuingDepth: 0
17 | pKICriticalExtensions: 2.5.29.15
18 | pKIExpirationPeriod:: AEAepOhl+v8=
19 | pKIOverlapPeriod:: AICmCv/e//8=
20 | pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2
21 | pKIDefaultCSPs: 1,Microsoft Software Key Storage Provider
22 | msPKI-RA-Signature: 0
23 | msPKI-Enrollment-Flag: 32
24 | msPKI-Private-Key-Flag: 33685520
25 | msPKI-Certificate-Name-Flag: 1107296256
26 | msPKI-Minimal-Key-Size: 2048
27 | msPKI-Template-Schema-Version: 3
28 | msPKI-Template-Minor-Revision: 18
29 | msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2
30 | msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`
31 |
32 |
33 |
--------------------------------------------------------------------------------
/TameMyCerts.IntegrationTests/Tests/User_Online_YubiKey.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/TameMyCerts.SBOM.md:
--------------------------------------------------------------------------------
1 | | Reference | Version | License Type | License |
2 | | ----------------------------- | ------- | ------------ | -------------------------------------------------------- |
3 | | Microsoft.CSharp | 4.7.0 | MIT | https://licenses.nuget.org/MIT |
4 | | System.Data.DataSetExtensions | 4.5.0 | MIT | https://github.com/dotnet/corefx/blob/master/LICENSE.TXT |
5 | | System.Diagnostics.EventLog | 8.0.1 | MIT | https://licenses.nuget.org/MIT |
6 | | System.DirectoryServices | 8.0.0 | MIT | https://licenses.nuget.org/MIT |
7 |
--------------------------------------------------------------------------------
/TameMyCerts.Tests.SBOM.md:
--------------------------------------------------------------------------------
1 | | Reference | Version | License Type | License |
2 | | ------------------------- | ------- | ------------ | ------------------------------------- |
3 | | Microsoft.NET.Test.Sdk | 17.13.0 | MIT | https://licenses.nuget.org/MIT |
4 | | xunit | 2.9.3 | Apache-2.0 | https://licenses.nuget.org/Apache-2.0 |
5 | | xunit.runner.visualstudio | 3.0.2 | Apache-2.0 | https://licenses.nuget.org/Apache-2.0 |
6 |
--------------------------------------------------------------------------------
/TameMyCerts.Tests/ETWLoggerListener.cs:
--------------------------------------------------------------------------------
1 | using System.Collections.Generic;
2 | using System.Diagnostics.Tracing;
3 |
4 | namespace TameMyCerts.Tests;
5 |
public class ETWLoggerListener : EventListener
{
    // Name of the EventSource this listener attaches to. Presumably the provider name of the
    // TameMyCerts policy module's logger - verify against the logger definition if events go missing.
    private const string PolicySourceName = "TameMyCerts-TameMyCerts-Policy";

    /// <summary>
    /// Every event received so far, in arrival order. Tests inspect this and clear it between cases.
    /// </summary>
    public List<EventWrittenEventArgs> Events { get; } = new();

    /// <summary>Records each event delivered to this listener.</summary>
    /// <param name="eventData">The event as written by the source.</param>
    protected override void OnEventWritten(EventWrittenEventArgs eventData)
    {
        // NOTE(review): a plain List is not thread-safe; fine while the source writes and the test
        // reads on the same thread - confirm if events are ever written from background threads.
        Events.Add(eventData);
    }

    /// <summary>Drops all recorded events so the next test case starts from an empty log.</summary>
    public void ClearEvents()
    {
        Events.Clear();
    }

    /// <summary>
    /// Subscribes to the policy module's EventSource (all levels, all keywords) as soon as the
    /// runtime reports its creation; every other source is ignored.
    /// </summary>
    /// <param name="eventSource">The source that has just been registered with the runtime.</param>
    protected override void OnEventSourceCreated(EventSource eventSource)
    {
        if (eventSource.Name != PolicySourceName)
        {
            return;
        }

        EnableEvents(eventSource, EventLevel.LogAlways, (EventKeywords)(-1));
    }
}
--------------------------------------------------------------------------------
/TameMyCerts.Tests/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
// Assembly-level metadata for the TameMyCerts unit-test project.
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Nothing in the test assembly is exposed to COM.
[assembly: ComVisible(false)]

// Type library ID that would identify this assembly if it were exposed to COM.
[assembly: Guid("98f86aa9-4b95-4300-9a23-512c620d075c")]
10 |
--------------------------------------------------------------------------------
/TameMyCerts.Tests/Resources/YubiKeyValidator/Yubico_Attestation_Intermediate_B_1.cer:
--------------------------------------------------------------------------------
1 | MIIDSDCCAjCgAwIBAgIUDqERw+4RnGSggxgUewJFEPDRZ3YwDQYJKoZIhvcNAQEL
2 | BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy
3 | MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowLjEsMCoGA1UEAwwjWXViaWNvIEF0
4 | dGVzdGF0aW9uIEludGVybWVkaWF0ZSBCIDEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
5 | DwAwggEKAoIBAQDI7XnH+ZvDwMCQU8M8ZeV5qscublvVYaaRt3Ybaxn9godLx5sw
6 | H0lXrdgjh5h7FpVgCgYYX7E4bl1vbzULemrMWT8N3WMGUe8QAJbBeioV7W/E+hTZ
7 | P/0SKJVa3ewKBo6ULeMnfQZDrVORAk8wTLq2v5Llj5vMj7JtOotKa9J7nHS8kLmz
8 | XXSaj0SwEPh5OAZUTNV4zs1bvoTAQQWrL4/J9QuKt6WCFE5nUNiRQcEbVF8mlqK2
9 | bx2z6okVltyDVLCxYbpUTELvY1usR3DTGPUoIClOm4crpwnDRLVHvjYePGBB//pE
10 | yzxA/gcScxjwaH1ZUw9bnSbHyurKqbTa1KvjAgMBAAGjZjBkMB0GA1UdDgQWBBTq
11 | t0KQngx7ZHrbVHwDunxOn9ihYTAfBgNVHSMEGDAWgBTS7u9aIo06bVwjlz3yhdUm
12 | 8SV7kjASBgNVHRMBAf8ECDAGAQH/AgECMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG
13 | 9w0BAQsFAAOCAQEAqQaCWMxTGqVVX7Sk7kkJmUueTSYKuU6+KBBSgwIRnlw9K7He
14 | 1IpxZ0hdwpPNikKjmcyFgFPzhImwHJgxxuT90Pw3vYOdcJJNktDg35PXOfzSn15c
15 | FAx1RO0mPTmIb8dXiEWOpzoXvdwXDM41ZaCDYMT7w4IQtMyvE7xUBZq2bjtAnq/N
16 | DUA7be4H8H3ipC+/+NKlUrcUh+j48K67WI0u1m6FeQueBA7n06j825rqDqsaLs9T
17 | b7KAHAw8PmrWaNPG2kjKerxPEfecivlFawp2RWZvxrVtn3TV2SBxyCJCkXsND05d
18 | CErVHSJIs+BdtTVNY9AwtyPmnyb0v4mSTzvWdw==
--------------------------------------------------------------------------------
/TameMyCerts.Tests/Resources/YubiKeyValidator/Yubico_Attestation_Root_1.cer:
--------------------------------------------------------------------------------
1 | MIIDPjCCAiagAwIBAgIUXzeiEDJEOTt14F5n0o6Zf/bBwiUwDQYJKoZIhvcNAQEN
2 | BQAwJDEiMCAGA1UEAwwZWXViaWNvIEF0dGVzdGF0aW9uIFJvb3QgMTAgFw0yNDEy
3 | MDEwMDAwMDBaGA85OTk5MTIzMTIzNTk1OVowJDEiMCAGA1UEAwwZWXViaWNvIEF0
4 | dGVzdGF0aW9uIFJvb3QgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
5 | AMZ6/TxM8rIT+EaoPvG81ontMOo/2mQ2RBwJHS0QZcxVaNXvl12LUhBZ5LmiBScI
6 | Zd1Rnx1od585h+/dhK7hEm7JAALkKKts1fO53KGNLZujz5h3wGncr4hyKF0G74b/
7 | U3K9hE5mGND6zqYchCRAHfrYMYRDF4YL0X4D5nGdxvppAy6nkEmtWmMnwO3i0TAu
8 | csrbE485HvGM4r0VpgVdJpvgQjiTJCTIq+D35hwtT8QDIv+nGvpcyi5wcIfCkzyC
9 | imJukhYy6KoqNMKQEdpNiSOvWyDMTMt1bwCvEzpw91u+msUt4rj0efnO9s0ZOwdw
10 | MRDnH4xgUl5ZLwrrPkfC1/0CAwEAAaNmMGQwHQYDVR0OBBYEFNLu71oijTptXCOX
11 | PfKF1SbxJXuSMB8GA1UdIwQYMBaAFNLu71oijTptXCOXPfKF1SbxJXuSMBIGA1Ud
12 | EwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBDQUAA4IB
13 | AQC3IW/sgB9pZ8apJNjxuGoX+FkILks0wMNrdXL/coUvsrhzsvl6mePMrbGJByJ1
14 | XnquB5sgcRENFxdQFma3mio8Upf1owM1ZreXrJ0mADG2BplqbJnxiyYa+R11reIF
15 | TWeIhMNcZKsDZrFAyPuFjCWSQvJmNWe9mFRYFgNhXJKkXIb5H1XgEDlwiedYRM7V
16 | olBNlld6pRFKlX8ust6OTMOeADl2xNF0m1LThSdeuXvDyC1g9+ILfz3S6OIYgc3i
17 | roRcFD354g7rKfu67qFAw9gC4yi0xBTPrY95rh4/HqaUYCA/L8ldRk6H7Xk35D+W
18 | Vpmq2Sh/xT5HiFuhf4wJb0bK
--------------------------------------------------------------------------------
/TameMyCerts.Tests/Resources/YubiKeyValidator/Yubico_PIV_Attestation_B_1.cer:
--------------------------------------------------------------------------------
1 | MIIDSTCCAjGgAwIBAgIUWVf2oJG+t1qP8t8TicWgJ2KYan4wDQYJKoZIhvcNAQEL
2 | BQAwLjEsMCoGA1UEAwwjWXViaWNvIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZSBC
3 | IDEwIBcNMjQxMjAxMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMCUxIzAhBgNVBAMM
4 | Gll1YmljbyBQSVYgQXR0ZXN0YXRpb24gQiAxMIIBIjANBgkqhkiG9w0BAQEFAAOC
5 | AQ8AMIIBCgKCAQEAv7WBL9/5AKxSpCMoL63183WqRtFrOHY7tdyuGtoidoYWQrxV
6 | aV9S+ZwH0aynh0IzD5A/PvCtuxdtL5w2cAI3tgsborOlEert4IZ904CZQfq3ooar
7 | 1an/wssbtMpPOQkC3MQiqrUyHlFS2BTbuwbBXY66lSVX/tGRuUgnBdfBJtcQKS6M
8 | O4bU5ndPQqhGPyzcyY1LvlfzK7KJ1r/bixCRFqjhJRnPs0Czpg6rkRrFgC6cd5bK
9 | 1UgTsJy+3wrIqkv4CeV3EhSVnhnQjZgIrdIcI5WZ8T1Oq3OhMlWmY0K0dy/oZdP/
10 | bpbG2qbyHLa6gprLT/qChQWLmffxn6D2DAB1zQIDAQABo2YwZDAdBgNVHQ4EFgQU
11 | M0Nt3QHo7eGzaKMZn2SmXT74vpcwHwYDVR0jBBgwFoAU6rdCkJ4Me2R621R8A7p8
12 | Tp/YoWEwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZI
13 | hvcNAQELBQADggEBAI0HwoS84fKMUyIof1LdUXvyeAMmEwW7+nVETvxNNlTMuwv7
14 | zPJ4XZAm9Fv95tz9CqZBj6l1PAPQn6Zht9LQA92OF7W7buuXuxuusBTgLM0C1iX2
15 | CGXqY/k/uSNvi3ZYfrpd44TIrfrr8bCG9ux7B5ZCRqb8adDUm92Yz3lK1aX2M6Cw
16 | jC9IZVTXQWhLyP8Ys3p7rb20CO2jJzV94deJ/+AsEb+bnCQImPat1GDKwrBosar+
17 | BxtU7k6kgkxZ0G384O59GFXqnwkbw2b5HhORvOsX7nhOUhePFufzi1vT1g8Tzbwr
18 | +TUfTwo2biKHHcI762KGtp8o6Bcv5y8WgExFuWY=
--------------------------------------------------------------------------------
/TameMyCerts.Tests/Resources/YubiKeyValidator/Yubico_PIV_Root_CA_Serial_263751.cer:
--------------------------------------------------------------------------------
1 | MIIDFzCCAf+gAwIBAgIDBAZHMA0GCSqGSIb3DQEBCwUAMCsxKTAnBgNVBAMMIFl1
2 | YmljbyBQSVYgUm9vdCBDQSBTZXJpYWwgMjYzNzUxMCAXDTE2MDMxNDAwMDAwMFoY
3 | DzIwNTIwNDE3MDAwMDAwWjArMSkwJwYDVQQDDCBZdWJpY28gUElWIFJvb3QgQ0Eg
4 | U2VyaWFsIDI2Mzc1MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMN2
5 | cMTNR6YCdcTFRxuPy31PabRn5m6pJ+nSE0HRWpoaM8fc8wHC+Tmb98jmNvhWNE2E
6 | ilU85uYKfEFP9d6Q2GmytqBnxZsAa3KqZiCCx2LwQ4iYEOb1llgotVr/whEpdVOq
7 | joU0P5e1j1y7OfwOvky/+AXIN/9Xp0VFlYRk2tQ9GcdYKDmqU+db9iKwpAzid4oH
8 | BVLIhmD3pvkWaRA2H3DA9t7H/HNq5v3OiO1jyLZeKqZoMbPObrxqDg+9fOdShzgf
9 | wCqgT3XVmTeiwvBSTctyi9mHQfYd2DwkaqxRnLbNVyK9zl+DzjSGp9IhVPiVtGet
10 | X02dxhQnGS7K6BO0Qe8CAwEAAaNCMEAwHQYDVR0OBBYEFMpfyvLEojGc6SJf8ez0
11 | 1d8Cv4O/MA8GA1UdEwQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
12 | DQEBCwUAA4IBAQBc7Ih8Bc1fkC+FyN1fhjWioBCMr3vjneh7MLbA6kSoyWF70N3s
13 | XhbXvT4eRh0hvxqvMZNjPU/VlRn6gLVtoEikDLrYFXN6Hh6Wmyy1GTnspnOvMvz2
14 | lLKuym9KYdYLDgnj3BeAvzIhVzzYSeU77/Cupofj093OuAswW0jYvXsGTyix6B3d
15 | bW5yWvyS9zNXaqGaUmP3U9/b6DlHdDogMLu3VLpBB9bm5bjaKWWJYgWltCVgUbFq
16 | Fqyi4+JE014cSgR57Jcu3dZiehB6UtAPgad9L5cNvua/IWRmm+ANy3O2LH++Pyl8
17 | SREzU8onbBsjMg9QDiSf5oJLKvd/Ren+zGY7
--------------------------------------------------------------------------------
/TameMyCerts.Tests/X509CertificateExtensionSecurityIdentifierTests.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Security.Principal;
3 | using TameMyCerts.X509;
4 | using Xunit;
5 |
6 | namespace TameMyCerts.Tests;
7 |
public class X509CertificateExtensionSecurityIdentifierTests
{
    // Reference DER encoding of the SID extension value for TestSid, pinned so that any change in
    // the ASN.1 layout is caught. Decoded it reads:
    //   SEQUENCE { [0] { OID 1.3.6.1.4.1.311.25.2.1, [0] { OCTET STRING "S-1-5-21-...-1225" } } }
    private const string ExpectedDerBase64 =
        "MD+gPQYKKwYBBAGCNxkCAaAvBC1TLTEtNS0yMS0xMzgxMTg2MDUyLTQyNDc2OTIz" +
        "ODYtMTM1OTI4MDc4LTEyMjU=";

    private const string TestSid = "S-1-5-21-1381186052-4247692386-135928078-1225";

    /// <summary>
    /// Building the extension from a SecurityIdentifier must reproduce the reference DER bytes exactly.
    /// </summary>
    [Fact]
    public void Building()
    {
        var identifier = new SecurityIdentifier(TestSid);
        var extension = new X509CertificateExtensionSecurityIdentifier(identifier);

        var actualDerBase64 = Convert.ToBase64String(extension.RawData);

        Assert.Equal(ExpectedDerBase64, actualDerBase64);
    }
}
--------------------------------------------------------------------------------
/TameMyCerts/AutoVersionIncrement.cs:
--------------------------------------------------------------------------------
1 | // This code was automatically generated. Do not make any manual changes to it.
2 |
3 | using System.Reflection;
4 |
5 | // Version information for an assembly consists of the following four values:
6 | //
7 | // Major Version
8 | // Minor Version
9 | // Build Number
10 | // Revision
11 |
12 | [assembly: AssemblyVersion("1.7.1609.1089")]
13 | [assembly: AssemblyFileVersion("1.7.1609.1089")]
14 |
--------------------------------------------------------------------------------
/TameMyCerts/AutoVersionIncrement.tt:
--------------------------------------------------------------------------------
<#@ template language="C#" #>
// This code was automatically generated. Do not make any manual changes to it.

using System.Reflection;

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision

[assembly: AssemblyVersion("1.7.<#= this.BuildNumber #>.<#= this.RevisionNumber #>")]
[assembly: AssemblyFileVersion("1.7.<#= this.BuildNumber #>.<#= this.RevisionNumber #>")]
<#+
    // Major and minor version ("1.7") are fixed in the two attribute lines above and must be
    // bumped there by hand; only the build and revision components are generated.
    //
    // Both generated components come from the UTC wall clock at the moment the template is
    // transformed, not from the source tree. Consequences worth knowing when verifying a release
    // artifact: the same commit yields a different AssemblyVersion on every transformation (the
    // build is not reproducible from source), and two transformations within the same UTC minute
    // collide on the same version. Each component must fit the 16-bit range of a .NET version
    // part: minutes per day max out at 1439, and the day count stays below 65535 until well
    // beyond the year 2100.

    // Days that have passed since Jan 1, 2021 00:00:00 (UTC)
    int BuildNumber = (int)(DateTime.UtcNow - new DateTime(
        2021,
        1,
        1,
        0,
        0,
        0)
    ).TotalDays;

    // Minutes that have passed since today 00:00:00 (UTC). DateTime.UtcNow is read several
    // times here and once more above, so a transformation that straddles midnight can pair
    // one day's BuildNumber with the other day's RevisionNumber.
    int RevisionNumber = (int)(DateTime.UtcNow - new DateTime(
        (DateTime.UtcNow.Year),
        (DateTime.UtcNow.Month),
        (DateTime.UtcNow.Day),
        0,
        0,
        0)
    ).TotalMinutes;
#>
--------------------------------------------------------------------------------
/TameMyCerts/CERTCLILIB.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/TameMyCerts/CERTCLILIB.dll
--------------------------------------------------------------------------------
/TameMyCerts/CERTCLILIB.res:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/TameMyCerts/CERTCLILIB.res
--------------------------------------------------------------------------------
/TameMyCerts/CERTPOLICYLIB.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/TameMyCerts/CERTPOLICYLIB.dll
--------------------------------------------------------------------------------
/TameMyCerts/CERTPOLICYLIB.res:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/TameMyCerts/CERTPOLICYLIB.res
--------------------------------------------------------------------------------
/TameMyCerts/ClassExtensions/ByteArrayExtensions.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2021-2025 Uwe Gradenegger
2 |
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 |
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System;
16 |
17 | namespace TameMyCerts.ClassExtensions;
18 |
internal static class ByteArrayExtensions
{
    /// <summary>
    ///     Returns the array without its trailing 0x00 bytes.
    /// </summary>
    /// <param name="array">The array to trim. A null array makes Array.FindLastIndex throw.</param>
    /// <returns>
    ///     The very same instance when there is nothing to trim; otherwise a new array holding every byte
    ///     up to and including the last non-zero one (an empty array when all bytes are zero).
    /// </returns>
    public static byte[] TrimEnd(this byte[] array)
    {
        // Position of the last byte that is not zero; -1 when the whole array is zeros.
        var lastNonZero = Array.FindLastIndex(array, b => b != 0);
        var keep = lastNonZero + 1;

        // Nothing to cut off: hand back the original instance, as Array.Resize does for an equal length.
        if (keep == array.Length)
        {
            return array;
        }

        var trimmed = new byte[keep];
        Array.Copy(array, trimmed, keep);
        return trimmed;
    }
}
--------------------------------------------------------------------------------
/TameMyCerts/ClassExtensions/StringExtensions.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2021-2025 Uwe Gradenegger
2 |
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 |
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Text.RegularExpressions;
16 |
17 | namespace TameMyCerts.ClassExtensions;
18 |
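public static class StringExtensions
{
    /// <summary>
    ///     Replaces every occurrence of <paramref name="from" /> in <paramref name="input" /> with
    ///     <paramref name="to" />, ignoring case. Both arguments are treated as literal text: regular
    ///     expression metacharacters in <paramref name="from" /> and substitution tokens such as "$1"
    ///     in <paramref name="to" /> have no special meaning.
    /// </summary>
    /// <param name="input">The text to search.</param>
    /// <param name="from">The literal text to look for (matched case-insensitively).</param>
    /// <param name="to">The literal replacement text.</param>
    /// <returns>The text with all case-insensitive matches replaced.</returns>
    public static string ReplaceCaseInsensitive(this string input, string from, string to)
    {
        // Regex.Escape neutralizes metacharacters in the search text, and doubling "$" keeps
        // Regex.Replace from treating the replacement as a group reference or substitution pattern.
        var literalReplacement = to?.Replace("$", "$$");

        return Regex.Replace(input, Regex.Escape(from), literalReplacement, RegexOptions.IgnoreCase);
    }
}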
--------------------------------------------------------------------------------
/TameMyCerts/Enums/CaType.cs:
--------------------------------------------------------------------------------
1 | namespace TameMyCerts.Enums;
2 |
/// <summary>
///     Certification authority types from CertSrv.h.
/// </summary>
internal enum CaType
{
    ENUM_ENTERPRISE_ROOTCA = 0,
    ENUM_ENTERPRISE_SUBCA = 1,
    // Value 2 is intentionally absent; the numbering follows the header file.
    ENUM_STANDALONE_ROOTCA = 3,
    ENUM_STANDALONE_SUBCA = 4
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/CertCli.cs:
--------------------------------------------------------------------------------
1 | namespace TameMyCerts.Enums;
2 |
/// <summary>
///     Constants from CertCli.h: the CR_IN_* request encoding flags of the certificate request interface.
/// </summary>
internal static class CertCli
{
    public const int CR_IN_PKCS10 = 0x100;
    public const int CR_IN_KEYGEN = 0x200;
    public const int CR_IN_PKCS7 = 0x300;
    public const int CR_IN_CMC = 0x400;
    // Asks for a full response rather than a bare certificate; combined with one of the format flags above.
    public const int CR_IN_FULLRESPONSE = 0x40000;
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/CertSrv.cs:
--------------------------------------------------------------------------------
1 | namespace TameMyCerts.Enums;
2 |
/// <summary>
///     Constants from CertSrv.h used by the policy module when interacting with the certification authority.
/// </summary>
internal static class CertSrv
{
    // Verification results a policy module returns: keep pending, issue, or deny.
    public const int VR_PENDING = 0;
    public const int VR_INSTANT_OK = 1;
    public const int VR_INSTANT_BAD = 2;

    // CA log levels, least to most verbose. Event.LogLevel defaults to CERTLOG_WARNING.
    public const int CERTLOG_MINIMAL = 0;
    public const int CERTLOG_TERSE = 1;
    public const int CERTLOG_ERROR = 2;
    public const int CERTLOG_WARNING = 3;
    public const int CERTLOG_VERBOSE = 4;
    public const int CERTLOG_EXHAUSTIVE = 5;

    // Data types of request and certificate properties exposed by the CA.
    public const int PROPTYPE_LONG = 1;
    public const int PROPTYPE_DATE = 2;
    public const int PROPTYPE_BINARY = 3;
    public const int PROPTYPE_STRING = 4;
    public const int PROPTYPE_ANSI = 5;

    // Flags for certificate extensions handed to the CA: mark critical, disable, or delete.
    public const int EXTENSION_CRITICAL_FLAG = 0x00000001;
    public const int EXTENSION_DISABLE_FLAG = 0x00000002;
    public const int EXTENSION_DELETE_FLAG = 0x00000004;
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/EditFlag.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | namespace TameMyCerts.Enums;
4 |
/// <summary>
///     EDITF_* policy module edit flags from CertSrv.h. These are bit flags read from the CA configuration.
/// </summary>
[Flags]
internal enum EditFlag : uint
{
    EDITF_ENABLEREQUESTEXTENSIONS = 0x00000001,
    EDITF_REQUESTEXTENSIONLIST = 0x00000002,
    EDITF_DISABLEEXTENSIONLIST = 0x00000004,
    EDITF_ADDOLDKEYUSAGE = 0x00000008,
    EDITF_ADDOLDCERTTYPE = 0x00000010,
    EDITF_ATTRIBUTEENDDATE = 0x00000020,
    EDITF_BASICCONSTRAINTSCRITICAL = 0x00000040,
    EDITF_BASICCONSTRAINTSCA = 0x00000080,
    EDITF_ENABLEAKIKEYID = 0x00000100,
    EDITF_ATTRIBUTECA = 0x00000200,
    EDITF_IGNOREREQUESTERGROUP = 0x00000400,
    EDITF_ENABLEAKIISSUERNAME = 0x00000800,
    EDITF_ENABLEAKIISSUERSERIAL = 0x00001000,
    EDITF_ENABLEAKICRITICAL = 0x00002000,
    EDITF_SERVERUPGRADED = 0x00004000,
    EDITF_ATTRIBUTEEKU = 0x00008000,
    EDITF_ENABLEDEFAULTSMIME = 0x00010000,
    EDITF_EMAILOPTIONAL = 0x00020000,

    /// <summary>
    ///     Lets the subject alternative name be supplied through the "san" request attribute. Combined with
    ///     that attribute this is the insecure combination TameMyCerts denies by default
    ///     (see TmcFlag.TMC_WARN_ONLY_ON_INSECURE_FLAGS).
    /// </summary>
    EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000,
    EDITF_ENABLELDAPREFERRALS = 0x00080000,
    EDITF_ENABLECHASECLIENTDC = 0x00100000,
    EDITF_AUDITCERTTEMPLATELOAD = 0x00200000,
    EDITF_DISABLEOLDOSCNUPN = 0x00400000,
    EDITF_DISABLELDAPPACKAGELIST = 0x00800000,
    EDITF_ENABLEUPNMAP = 0x01000000,
    EDITF_ENABLEOCSPREVNOCHECK = 0x02000000,
    EDITF_ENABLERENEWONBEHALFOF = 0x04000000
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/GeneralFlag.cs:
--------------------------------------------------------------------------------
1 | namespace TameMyCerts.Enums;
2 |
/// <summary>
///     General flags from CertCa.h (certificate template "flags" attribute).
/// </summary>
internal enum GeneralFlag : uint
{
    /// <summary>
    ///     This is a machine cert type
    /// </summary>
    CT_FLAG_MACHINE_TYPE = 0x00000040,

    /// <summary>
    ///     This is a CA cert type
    /// </summary>
    CT_FLAG_IS_CA = 0x00000080,

    /// <summary>
    ///     This is a cross CA cert type
    /// </summary>
    CT_FLAG_IS_CROSS_CA = 0x00000800,

    /// <summary>
    ///     Tells the CA that this certificate should not be persisted in the database if the CA is configured to do so.
    /// </summary>
    CT_FLAG_DONOTPERSISTINDB = 0x00001000,

    /// <summary>
    ///     The type is a default cert type (cannot be set). This flag will be set on all V1 templates. The templates can not
    ///     be edited or deleted.
    /// </summary>
    CT_FLAG_IS_DEFAULT = 0x00010000,

    /// <summary>
    ///     The type has been modified, if it is default (cannot be set)
    /// </summary>
    CT_FLAG_IS_MODIFIED = 0x00020000,

    /// <summary>
    ///     Mask of the flags that may be set by an administrator; the two flags above fall outside it.
    /// </summary>
    CT_MASK_SETTABLE_FLAGS = 0x0000ffff
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/KeyAlgorithmFamily.cs:
--------------------------------------------------------------------------------
1 | namespace TameMyCerts.Enums;
2 |
/// <summary>
///     Coarse public key algorithm family of a certificate request (RSA, DSA or elliptic curve),
///     without distinguishing curves or ECDSA/ECDH (see KeyAlgorithmType for that level of detail).
/// </summary>
public enum KeyAlgorithmFamily
{
    UNKNOWN = 0,
    RSA = 1,
    DSA = 2,
    ECC = 3
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/KeyAlgorithmType.cs:
--------------------------------------------------------------------------------
1 | namespace TameMyCerts.Enums;
2 |
/// <summary>
///     Public key algorithm types supported by the Microsoft certification authority.
/// </summary>
internal enum KeyAlgorithmType
{
    /// <summary>
    ///     The RSA algorithm.
    /// </summary>
    RSA = 1,

    /// <summary>
    ///     The DSA algorithm.
    /// </summary>
    DSA = 2,

    /// <summary>
    ///     The elliptic curve digital signature algorithm using the nistp256 curve.
    /// </summary>
    ECDSA_P256 = 3,

    /// <summary>
    ///     The elliptic curve digital signature algorithm using the nistp384 curve.
    /// </summary>
    ECDSA_P384 = 4,

    /// <summary>
    ///     The elliptic curve digital signature algorithm using the nistp521 curve.
    /// </summary>
    ECDSA_P521 = 5,

    /// <summary>
    ///     The elliptic curve Diffie-Hellman algorithm using the nistp256 curve.
    /// </summary>
    ECDH_P256 = 6,

    /// <summary>
    ///     The elliptic curve Diffie-Hellman algorithm using the nistp384 curve.
    /// </summary>
    ECDH_P384 = 7,

    /// <summary>
    ///     The elliptic curve Diffie-Hellman algorithm using the nistp521 curve.
    /// </summary>
    ECDH_P521 = 8
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/OleAut32.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace TameMyCerts.Enums;
5 |
// Kudos to Vadims Podans for his research and support!
/// <summary>
///     P/Invoke surface for OleAut32.dll used to release native VARIANT values.
/// </summary>
internal class OleAut32
{
    /// <summary>
    ///     Clears a VARIANT and releases the resources it references. The result is reported as an
    ///     HRESULT return value; NOTE(review): VariantClear does not use GetLastError, so SetLastError = true
    ///     is likely unnecessary (harmless either way).
    /// </summary>
    [DllImport("OleAut32.dll", SetLastError = true)]
    public static extern int VariantClear(IntPtr pvarg);

    /// <summary>
    ///     Sequential layout of the VARIANT header (type tag plus three reserved words) followed by a single
    ///     pointer-sized field. NOTE(review): only a pointer-sized prefix of the native union is mapped here —
    ///     confirm this is sufficient for every caller that reads pvRecord.
    /// </summary>
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct VARIANT
    {
        public short vt;
        public short wReserved1;
        public short wReserved2;
        public short wReserved3;
        public IntPtr pvRecord;
    }
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/PatternType.cs:
--------------------------------------------------------------------------------
1 | using System.Xml.Serialization;
2 |
3 | namespace TameMyCerts.Enums;
4 |
/// <summary>
///     How a configured pattern is compared against a value. The XmlEnum name is the spelling accepted in the
///     policy XML file.
/// </summary>
public enum PatternType
{
    [XmlEnum(Name = "RegExIgnoreCase")]
    REGEX_IGNORE_CASE,

    [XmlEnum(Name = "RegEx")]
    REGEX,

    // presumably an IP address range in CIDR notation — verify against the validator that consumes it
    [XmlEnum(Name = "Cidr")]
    CIDR,

    [XmlEnum(Name = "ExactMatchIgnoreCase")]
    EXACT_MATCH_IGNORE_CASE,

    [XmlEnum(Name = "ExactMatch")]
    EXACT_MATCH
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/PolicyAction.cs:
--------------------------------------------------------------------------------
1 | using System.Xml.Serialization;
2 |
3 | namespace TameMyCerts.Enums;
4 |
/// <summary>
///     Action a policy rule takes when it matches. The XmlEnum name is the spelling accepted in the policy XML file;
///     note that "Add" and "Remove" map to the longer ADD_TO_ISSUED_CERTIFICATE / REMOVE_FROM_ISSUED_CERTIFICATE members.
/// </summary>
public enum PolicyAction
{
    [XmlEnum(Name = "Allow")]
    ALLOW,

    [XmlEnum(Name = "Deny")]
    DENY,

    [XmlEnum(Name = "Add")]
    ADD_TO_ISSUED_CERTIFICATE,

    [XmlEnum(Name = "Remove")]
    REMOVE_FROM_ISSUED_CERTIFICATE
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/TmcFlag.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | namespace TameMyCerts.Enums;
4 |
/// <summary>
///     Flags that control global behavior of TameMyCerts.
/// </summary>
[Flags]
public enum TmcFlag : uint
{
    /// <summary>
    ///     Defaults to denying certificate requests if there is no policy defined for the certificate template.
    /// </summary>
    TMC_DENY_IF_NO_POLICY = 0x1,

    /// <summary>
    ///     Does not deny certificate requests if EDITF_ATTRIBUTESUBJECTALTNAME2 is abused. Use with caution.
    /// </summary>
    TMC_WARN_ONLY_ON_INSECURE_FLAGS = 0x2,

    /// <summary>
    ///     Causes the Directory Service Validator to not perform nested group searching, which may come at the cost
    ///     of additional load on Domain Controllers. Also, all Domain Controllers must be Windows Server 2016 or newer
    ///     for resolving of nested group memberships to work.
    /// </summary>
    TMC_DONT_RESOLVE_NESTED_GROUP_MEMBERSHIPS = 0x4
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/UserAccountControl.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | namespace TameMyCerts.Enums;
4 |
/// <summary>
///     Bit flags of the Active Directory userAccountControl attribute. The underlying type is int, so
///     values read from the directory can be cast directly.
/// </summary>
[Flags]
internal enum UserAccountControl
{
    SCRIPT = 0x0001,
    ACCOUNTDISABLE = 0x0002,
    HOMEDIR_REQUIRED = 0x0008,
    LOCKOUT = 0x0010,
    PASSWD_NOTREQD = 0x0020,
    PASSWD_CANT_CHANGE = 0x0040,
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080,
    TEMP_DUPLICATE_ACCOUNT = 0x0100,
    NORMAL_ACCOUNT = 0x0200,
    INTERDOMAIN_TRUST_ACCOUNT = 0x0800,
    WORKSTATION_TRUST_ACCOUNT = 0x1000,
    SERVER_TRUST_ACCOUNT = 0x2000,
    DONT_EXPIRE_PASSWORD = 0x10000,
    MNS_LOGON_ACCOUNT = 0x20000,
    SMARTCARD_REQUIRED = 0x40000,
    TRUSTED_FOR_DELEGATION = 0x80000,
    NOT_DELEGATED = 0x100000,
    USE_DES_KEY_ONLY = 0x200000,
    DONT_REQ_PREAUTH = 0x400000,
    PASSWORD_EXPIRED = 0x800000,
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000,
    PARTIAL_SECRETS_ACCOUNT = 0x04000000
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/WinCrypt.cs:
--------------------------------------------------------------------------------
1 | namespace TameMyCerts.Enums;
2 |
/// <summary>
///     Constants from WinCrypt.h: object identifiers for public key algorithms and certificate extensions.
/// </summary>
internal static class WinCrypt
{
    // Public key algorithm identifiers.
    public const string szOID_RSA_RSA = "1.2.840.113549.1.1.1";
    public const string szOID_X957_DSA = "1.2.840.10040.4.1";
    public const string szOID_ECC_PUBLIC_KEY = "1.2.840.10045.2.1";
    // Microsoft request attribute carrying client (machine/user/process) information.
    public const string szOID_REQUEST_CLIENT_INFO = "1.3.6.1.4.1.311.21.20";
    // The SID extension used for strong certificate mapping: the objectSid value and the enclosing extension.
    public const string szOID_NTDS_OBJECTSID = "1.3.6.1.4.1.311.25.2.1";
    public const string szOID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2";
    // Standard X.509 extensions and the access method identifiers used inside Authority Information Access.
    public const string szOID_SUBJECT_ALT_NAME2 = "2.5.29.17";
    public const string szOID_CRL_DIST_POINTS = "2.5.29.31";
    public const string szOID_AUTHORITY_INFO_ACCESS = "1.3.6.1.5.5.7.1.1";
    public const string szOID_PKIX_OCSP = "1.3.6.1.5.5.7.48.1";
    public const string szOID_PKIX_CA_ISSUERS = "1.3.6.1.5.5.7.48.2";
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/YubikeyEdition.cs:
--------------------------------------------------------------------------------
1 | using System.Xml.Serialization;
2 |
3 | namespace TameMyCerts.Enums;
4 |
/// <summary>
///     YubiKey product edition as spelled in the policy XML file (XmlEnum name).
/// </summary>
public enum YubikeyEdition
{
    [XmlEnum(Name = "Normal")]
    NORMAL,

    [XmlEnum(Name = "FIPS")]
    FIPS,

    [XmlEnum(Name = "CSPN")]
    CSPN
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/YubikeyFormFactor.cs:
--------------------------------------------------------------------------------
1 | using System.Xml.Serialization;
2 |
3 | namespace TameMyCerts.Enums;
4 |
/// <summary>
///     YubiKey form factor. The numeric values follow the encoding found in the device attestation
///     extension; the XmlEnum name is the spelling accepted in the policy XML file.
/// </summary>
public enum YubikeyFormFactor
{
    [XmlEnum(Name = "Unknown")]
    UNKNOWN = 0,

    [XmlEnum(Name = "UsbAKeychain")]
    USB_A_KEYCHAIN = 1,

    [XmlEnum(Name = "UsbANano")]
    USB_A_NANO = 2,

    [XmlEnum(Name = "UsbCKeychain")]
    USB_C_KEYCHAIN = 3,

    [XmlEnum(Name = "UsbCNano")]
    USB_C_NANO = 4,

    [XmlEnum(Name = "UsbCLightning")]
    USB_C_LIGHTNING = 5,

    [XmlEnum(Name = "UsbABiometricKeychain")]
    USB_A_BIOMETRIC_KEYCHAIN = 6,

    [XmlEnum(Name = "UsbCBiometricKeychain")]
    USB_C_BIOMETRIC_KEYCHAIN = 7
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/YubikeyPinPolicy.cs:
--------------------------------------------------------------------------------
1 | using System.Xml.Serialization;
2 |
3 | namespace TameMyCerts.Enums;
4 |
/// <summary>
///     PIN policy of a YubiKey PIV slot. The numeric values follow the encoding found in the attestation
///     extension; the XmlEnum name is the spelling accepted in the policy XML file.
/// </summary>
public enum YubikeyPinPolicy
{
    [XmlEnum(Name = "None")]
    NONE = 0,

    [XmlEnum(Name = "Never")]
    NEVER = 1,

    [XmlEnum(Name = "Once")]
    ONCE = 2,

    [XmlEnum(Name = "Always")]
    ALWAYS = 3,

    [XmlEnum(Name = "MatchOnce")]
    MATCH_ONCE = 4,

    [XmlEnum(Name = "MatchAlways")]
    MATCH_ALWAYS = 5,

    // Deliberately outside the range of the concrete policies above.
    [XmlEnum(Name = "Default")]
    DEFAULT = 32
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/YubikeyTouchPolicy.cs:
--------------------------------------------------------------------------------
1 | using System.Xml.Serialization;
2 |
3 | namespace TameMyCerts.Enums;
4 |
/// <summary>
///     Touch policy of a YubiKey PIV slot. The numeric values follow the encoding found in the attestation
///     extension; the XmlEnum name is the spelling accepted in the policy XML file.
/// </summary>
public enum YubikeyTouchPolicy
{
    [XmlEnum(Name = "None")]
    NONE = 0,

    [XmlEnum(Name = "Never")]
    NEVER = 1,

    [XmlEnum(Name = "Always")]
    ALWAYS = 2,

    [XmlEnum(Name = "Cached")]
    CACHED = 3,

    // Deliberately outside the range of the concrete policies above.
    [XmlEnum(Name = "Default")]
    DEFAULT = 32
}
--------------------------------------------------------------------------------
/TameMyCerts/Enums/YubikeyX509Extension.cs:
--------------------------------------------------------------------------------
1 | namespace TameMyCerts.Enums;
2 |
/// <summary>
///     Object identifiers of the YubiKey PIV attestation extensions, taken from Yubico:
///     https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
/// </summary>
internal static class YubikeyX509Extension
{
    public const string FIRMWARE = "1.3.6.1.4.1.41482.3.3";
    public const string SERIALNUMBER = "1.3.6.1.4.1.41482.3.7";
    public const string PIN_TOUCH_POLICY = "1.3.6.1.4.1.41482.3.8";
    public const string FORMFACTOR = "1.3.6.1.4.1.41482.3.9";
    public const string FIPS_CERTIFIED = "1.3.6.1.4.1.41482.3.10";
    // NOTE(review): spelled "CPSN" here but "CSPN" in YubikeyEdition, and the value is identical to
    // ATTESTATION_DEVICE_PIVTOOL below — confirm both against the Yubico reference before relying on either.
    public const string CPSN_CERTIFIED = "1.3.6.1.4.1.41482.3.11";
    public const string ATTESTATION_INTERMEDIATE = "1.3.6.1.4.1.41482.3.2";
    public const string ATTESTATION_DEVICE = "1.3.6.1.4.1.41482.3.1";
    // NOTE(review): same OID value as CPSN_CERTIFIED; a lookup by OID cannot distinguish the two.
    public const string ATTESTATION_DEVICE_PIVTOOL = "1.3.6.1.4.1.41482.3.11";
}
--------------------------------------------------------------------------------
/TameMyCerts/Models/CustomCertificateExtension.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2021-2025 Uwe Gradenegger
2 |
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 |
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Xml.Serialization;
16 |
17 | namespace TameMyCerts.Models;
18 |
/// <summary>
///     A certificate extension configured in the policy XML: an object identifier and its value, both carried
///     as strings. Deserialized from the "Oid" and "Value" elements; both default to null.
/// </summary>
public class CustomCertificateExtension
{
    [XmlElement(ElementName = "Oid")]
    public string Oid { get; set; }

    [XmlElement(ElementName = "Value")]
    public string Value { get; set; }
}
--------------------------------------------------------------------------------
/TameMyCerts/Models/DirectoryObjectRule.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2021-2025 Uwe Gradenegger
2 |
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 |
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Collections.Generic;
16 | using System.Xml.Serialization;
17 |
18 | namespace TameMyCerts.Models;
19 |
// Must be public due to XML serialization, otherwise 0x80131509 / System.InvalidOperationException
/// <summary>
///     Rule that ties a certificate request to a directory object: which attribute is looked up, whether a match
///     is required, and the patterns the attribute value is checked against.
/// </summary>
[XmlRoot(ElementName = "DirectoryObjectRule")]
public class DirectoryObjectRule
{
    // Name of the directory attribute to match; sAMAccountName unless the policy says otherwise.
    [XmlElement(ElementName = "DirectoryServicesAttribute")]
    public string DirectoryServicesAttribute { get; set; } = "sAMAccountName";

    // When true, a request without a matching directory object is expected to fail validation (false by default).
    [XmlElement(ElementName = "Mandatory")]
    public bool Mandatory { get; set; }

    // Patterns applied to the attribute value; starts out empty. NOTE(review): the element type of the list
    // was lost in this rendering of the file — check the source for the generic argument.
    [XmlArray(ElementName = "Patterns")] public List Patterns { get; set; } = new();
}
--------------------------------------------------------------------------------
/TameMyCerts/Models/Event.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2021-2025 Uwe Gradenegger
2 |
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 |
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Diagnostics;
16 | using TameMyCerts.Enums;
17 |
18 | namespace TameMyCerts.Models;
19 |
/// <summary>
///     An entry destined for the certification authority's event log.
/// </summary>
internal class Event
{
    // Numeric event identifier (the user guide documents events by this number).
    public int Id { get; set; }

    // CA log level gate for the entry; CertSrv.CERTLOG_WARNING (3) unless overridden.
    public int LogLevel { get; set; } = CertSrv.CERTLOG_WARNING;

    // Windows event log entry type; Information unless overridden.
    public EventLogEntryType Type { get; set; } = EventLogEntryType.Information;

    // Message body; null until assigned.
    public string MessageText { get; set; }
}
--------------------------------------------------------------------------------
/TameMyCerts/Models/OutboundSubjectRule.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2021-2025 Uwe Gradenegger
2 |
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 |
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Xml.Serialization;
16 |
17 | namespace TameMyCerts.Models;
18 |
// Must be public due to XML serialization, otherwise 0x80131509 / System.InvalidOperationException
/// <summary>
///     Rule describing one field of the outbound subject: the field name, the value to place into it, whether the
///     field is mandatory and whether an existing value is overwritten. Field and Value default to an empty
///     string, the two booleans to false.
/// </summary>
[XmlRoot(ElementName = "OutboundSubjectRule")]
public class OutboundSubjectRule
{
    [XmlElement(ElementName = "Field")]
    public string Field { get; set; } = "";

    [XmlElement(ElementName = "Value")]
    public string Value { get; set; } = "";

    [XmlElement(ElementName = "Mandatory")]
    public bool Mandatory { get; set; }

    [XmlElement(ElementName = "Force")]
    public bool Force { get; set; }
}
--------------------------------------------------------------------------------
/TameMyCerts/Models/SanTypes.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2021-2025 Uwe Gradenegger
2 |
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 |
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | using System.Collections.Generic;
16 |
17 | namespace TameMyCerts.Models;
18 |
/// <summary>
///     Names of the subject alternative name types the policy module knows about, spelled the way the policy
///     XML refers to them (e.g. dNSName, rfc822Name).
/// </summary>
internal static class SanTypes
{
    public const string DnsName = "dNSName";
    public const string Rfc822Name = "rfc822Name";
    public const string UniformResourceIdentifier = "uniformResourceIdentifier";
    public const string UserPrincipalName = "userPrincipalName";
    public const string IpAddress = "iPAddress";

    /// <summary>
    ///     Returns a fresh list of all known SAN type names, in a fixed order
    ///     (dNSName, iPAddress, rfc822Name, uniformResourceIdentifier, userPrincipalName).
    /// </summary>
    public static List<string> ToList()
    {
        var names = new List<string>(5);
        names.Add(DnsName);
        names.Add(IpAddress);
        names.Add(Rfc822Name);
        names.Add(UniformResourceIdentifier);
        names.Add(UserPrincipalName);
        return names;
    }
}
--------------------------------------------------------------------------------
/TameMyCerts/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
[assembly: AssemblyTitle("TameMyCerts")]
[assembly: AssemblyDescription("A policy module that allows applying advanced rules to certificate requests.")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("TameMyCerts")]
[assembly: AssemblyCopyright("Copyright © Uwe Gradenegger")]

[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("bb35a67e-8e22-48c3-b3f8-e852161acb59")]

// Opens the internal types (enums, models, extension helpers) to the test project. The friend assembly is
// named without a public key, so any assembly carrying that simple name gains the same access.
[assembly: InternalsVisibleTo("TameMyCerts.Tests")]
--------------------------------------------------------------------------------
/TameMyCerts/X509/X509CertificateExtension.cs:
--------------------------------------------------------------------------------
1 | // Copyright 2021-2025 Uwe Gradenegger
2 |
3 | // Licensed under the Apache License, Version 2.0 (the "License");
4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at
6 |
7 | // http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | // Unless required by applicable law or agreed to in writing, software
10 | // distributed under the License is distributed on an "AS IS" BASIS,
11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | // See the License for the specific language governing permissions and
13 | // limitations under the License.
14 |
15 | namespace TameMyCerts.X509;
16 |
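/// <summary>
///     Base class for the certificate extensions the policy module builds. Holds the encoded bytes and a
///     helper for preparing URIs that go into extension values.
/// </summary>
public abstract class X509CertificateExtension
{
    /// <summary>
    ///     The encoded bytes of the extension. Derived classes fill it in (the setter is internal); empty by default.
    /// </summary>
    public byte[] RawData { get; internal set; } = [];

    /// <summary>
    ///     Percent-encodes space characters in a URI. Only strings whose scheme is http, https or ldap are
    ///     touched; any other input is returned unchanged. Only the space character is encoded — other
    ///     characters that are invalid in a URI pass through as-is.
    /// </summary>
    /// <param name="input">The URI (or arbitrary string) to encode. Must not be null.</param>
    /// <returns>The input with every space replaced by "%20" when the scheme matches, otherwise the input itself.</returns>
    internal static string EncodeUri(string input)
    {
        // URI schemes are case-insensitive (RFC 3986), and the single-argument string.StartsWith overload
        // is culture-sensitive; an ordinal, case-insensitive comparison is the correct test for a protocol name.
        var hasEncodableScheme = input.StartsWith("http://", System.StringComparison.OrdinalIgnoreCase)
                                 || input.StartsWith("https://", System.StringComparison.OrdinalIgnoreCase)
                                 || input.StartsWith("ldap://", System.StringComparison.OrdinalIgnoreCase);

        return hasEncodableScheme ? input.Replace(" ", "%20") : input;
    }
}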
--------------------------------------------------------------------------------
/TameMyCerts/make_debug.cmd:
--------------------------------------------------------------------------------
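@echo off

rem Rebuild the Debug output tree from scratch and place the installer script next to the binaries.

rmdir bin\Debug /S /Q
mkdir bin\Debug

rem Stop when the build fails so a missing or stale output tree is not "installed" by the copy below.
MSBuild.exe TameMyCerts.csproj -property:Configuration=debug || exit /b 1

copy install.ps1 bin\Debug\net8.0-windows || exit /b 1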
--------------------------------------------------------------------------------
/TameMyCerts/make_il.cmd:
--------------------------------------------------------------------------------
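@echo off

set PRODUCT=TameMyCerts
set ILASM=%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

rem Assemble CERTCLILIB and CERTPOLICYLIB from their IL sources, embedding the matching .res files.
rem Abort on the first failure so a half-assembled pair of DLLs is never left behind.

"%ILASM%" /DLL %PRODUCT%\CERTCLILIB.il /res:%PRODUCT%\CERTCLILIB.res /out=%PRODUCT%\CERTCLILIB.dll || exit /b 1

"%ILASM%" /DLL %PRODUCT%\CERTPOLICYLIB.il /res:%PRODUCT%\CERTPOLICYLIB.res /out=%PRODUCT%\CERTPOLICYLIB.dll || exit /b 1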
--------------------------------------------------------------------------------
/examples/Sample_Offline_User_NotAfter.xml:
--------------------------------------------------------------------------------
1 |
7 |
9 | 2022-12-31T23:59:59.0000000+01:00
10 |
11 |
12 | userPrincipalName
13 | true
14 | 1
15 | 64
16 |
17 |
18 | ^[a-zA-Z0-9]*\@intra\.tamemycerts\.com$
19 |
20 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/examples/Sample_Online_Computer_DsBoundSan.xml:
--------------------------------------------------------------------------------
1 |
7 |
9 |
10 | dNSName
11 | {ad:dNSHostName}
12 | computer
13 |
14 |
15 |
16 | dNSName
17 | {ad:extensionAttribute1}
18 | true
19 | true
20 |
21 |
22 |
--------------------------------------------------------------------------------
/examples/Sample_Online_Computer_StaticSan.xml:
--------------------------------------------------------------------------------
1 |
5 |
7 |
8 |
9 | rfc822Name
10 | techsupport@tamemycerts.com
11 |
12 |
13 |
--------------------------------------------------------------------------------
/examples/Sample_Online_Computer_SupplementSpns.xml:
--------------------------------------------------------------------------------
1 |
6 |
8 |
9 | dNSName
10 | dNSHostName
11 | computer
12 | true
13 |
14 |
15 | false
16 |
--------------------------------------------------------------------------------
/examples/Sample_Online_User_CDP-AIA-OCSP.xml:
--------------------------------------------------------------------------------
1 |
6 |
8 |
9 |
10 | http://%1/CertData/%3%8%9.crl
11 | ldap:///CN=%7%8,CN=%3,CN=cdp,CN=Public Key Services,CN=Services,%6%10
12 |
13 |
14 |
15 | http://%1/CertData/%3%4.crt
16 | ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
17 |
18 |
19 |
20 | http://ocsp.adcslabor.de/ocsp
21 |
22 |
--------------------------------------------------------------------------------
/examples/Sample_Online_User_NotAfter.xml:
--------------------------------------------------------------------------------
1 |
6 |
8 | 2022-12-31T23:59:59.0000000+01:00
9 |
--------------------------------------------------------------------------------
/examples/Sample_Online_User_StaticSubject.xml:
--------------------------------------------------------------------------------
1 |
5 |
7 |
9 |
10 |
11 | organizationName
12 | Contoso Corp.
13 |
14 |
15 |
--------------------------------------------------------------------------------
/examples/Sample_Online_User_TPM.xml:
--------------------------------------------------------------------------------
1 |
10 |
12 |
13 | taskhostw.exe
14 |
15 |
16 | Microsoft Platform Crypto Provider
17 |
18 |
--------------------------------------------------------------------------------
/examples/Sample_Online_Yubikey_Verification_and_Rewrite.xml:
--------------------------------------------------------------------------------
1 |
8 |
10 |
11 |
12 |
13 |
14 | 5.6.9
15 | ECC
16 | Deny
17 |
18 |
19 |
20 | Always
21 | Once
22 |
23 | Allow
24 |
25 |
26 |
27 |
28 | commonName
29 | {ad:cn} [{yk:Slot} {yk:SerialNumber}]
30 | true
31 | true
32 |
33 |
34 |
--------------------------------------------------------------------------------
/examples/Sample_empty.xml:
--------------------------------------------------------------------------------
1 |
5 |
--------------------------------------------------------------------------------
/user-guide/audit-only-mode.md:
--------------------------------------------------------------------------------
1 | ## Audit only mode {#audit-only-mode}
2 |
3 | > Applies to **online** and **offline** certificate templates.
4 |
5 | TameMyCerts supports an Audit-only mode, in which certificate requests get allowed regardless of the verification result. This helps with sharpening policies before applying them to existing deployments. If a certificate request would be denied in regular mode, TameMyCerts will [log this to the event log](#logs) of the certification authority to allow administrators further research.
6 |
7 | > Also refer to the [How it works](#how-it-works) section to get an understanding of the verification flow.
8 |
9 | 
10 |
11 | ### Configuring
12 |
13 | You enable Audit only mode by configuring the `AuditOnly` directive.
14 |
15 | ```xml
16 | <AuditOnly>true</AuditOnly>
17 | ```
18 |
--------------------------------------------------------------------------------
/user-guide/deny-insecure-flags.md:
--------------------------------------------------------------------------------
1 | ## Denying certificate requests for insecure combinations {#deny-insecure-flags}
2 |
3 | > Applies to **online** and **offline** certificate templates.
4 |
5 | TameMyCerts will automatically deny certificate requests when they contain a "san" request attribute and the certification authority has the insecure EDITF\_ATTRIBUTESUBJECTALTNAME2 () flag set. This combination can allow an attacker to request certificates with arbitrary identities, resulting in a complete takeover of your Active Directory.
6 |
7 | > This behavior can be altered by configuring [Global settings](#global-settings) for the policy module. However, it is strongly advised not to do so.
8 |
9 | Instead of using the "san" request attribute in combination with `EDITF_ATTRIBUTESUBJECTALTNAME2`, you should ensure that certificate requests already contain a Subject Alternative Name (SAN) extension. In cases where this is not possible, the [Supplementing DNS Names and IP Addresses](#supplement-dns-names) feature can be used.
10 |
11 | > Note that TameMyCerts [will log the presence of the "san" request attribute](#event-id-14) whether the flag is enabled or not.
12 |
--------------------------------------------------------------------------------
/user-guide/empty-identities.md:
--------------------------------------------------------------------------------
1 | ## Permitting empty identities {#empty-identities}
2 |
3 | > Applies to **online** and **offline** certificate templates.
4 |
5 | For any certificate template that has a policy configuration defined, TameMyCerts will ensure that the resulting certificate will contain an identity, either in the Subject Distinguished Name or the Subject Alternative Name. If the resulting certificate would not contain an identity, the certificate request will get denied and an event will be [logged](#logs).
6 |
7 | Should you need to issue such certificates even though they do not contain an identity, you may change the behavior with the `PermitEmptyIdentites` directive:
8 |
9 | ```xml
10 | true
11 | ```
12 |
--------------------------------------------------------------------------------
/user-guide/event-id-1.md:
--------------------------------------------------------------------------------
1 | ## Event ID 1 {#event-id-1}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Information
6 | - Required certification authority LogLevel: 4 (`CERTLOG_VERBOSE`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | {0} policy module version {1} is ready to process incoming certificate requests.
12 | ```
13 |
14 | - Placeholder `{0}` will contain the policy module name.
15 | - Placeholder `{1}` will contain the policy module version.
16 |
17 | ### Event Description
18 |
19 | Occurs if the Windows Default policy was successfully loaded and TameMyCerts is ready to process incoming requests.
20 |
21 | 
22 |
--------------------------------------------------------------------------------
/user-guide/event-id-10.md:
--------------------------------------------------------------------------------
1 | ## Event ID 10 {#event-id-10}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Error
6 | - Required certification authority LogLevel: 2 (`CERTLOG_ERROR`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | Request {0} will get denied. Unable to interpret policy for {1} because:
12 | {2}
13 | ```
14 |
15 | ```
16 | No certificate template information for request {0} could be retrieved from the certification authority service. The request will get denied.
17 | ```
18 |
19 | ```
20 | No certificate template information for request {0} could be retrieved from the local certificate template cache. The request will get denied.
21 | ```
22 |
23 | - Placeholder `{0}` will contain the Request ID number.
24 | - Placeholder `{1}` will contain the certificate template name.
25 | - Placeholder `{2}` will contain any additional error messages.
26 |
27 | ### Event Description
28 |
29 | Occurs if a certificate request was denied because the policy file for the certificate template could not be interpreted.
30 |
--------------------------------------------------------------------------------
/user-guide/event-id-11.md:
--------------------------------------------------------------------------------
1 | ## Event ID 11 {#event-id-11}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Information
6 | - Required certification authority LogLevel: 4 (`CERTLOG_VERBOSE`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | Request {0} was denied by the Windows Default policy module.
12 | ```
13 |
14 | - Placeholder `{0}` will contain the Request ID number.
15 |
16 | ### Event Description
17 |
18 | Occurs if the Windows Default policy module denied a certificate request, thus the additional logic of TameMyCerts was not triggered at all for the given request. As this is a normal occurrence during PKI operations, this event is just informational.
19 |
--------------------------------------------------------------------------------
/user-guide/event-id-12.md:
--------------------------------------------------------------------------------
1 | ## Event ID 12 {#event-id-12}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Information
6 | - Required certification authority LogLevel: 4 (`CERTLOG_VERBOSE`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | Request {0} for {1} will get issued.
12 | ```
13 |
14 | - Placeholder `{0}` will contain the Request ID number.
15 | - Placeholder `{1}` will contain the certificate template name.
16 |
17 | ### Event Description
18 |
19 | This is an informational event containing the request ID and the certificate template name in case TameMyCerts decides that the certificate request shall get issued.
20 |
--------------------------------------------------------------------------------
/user-guide/event-id-13.md:
--------------------------------------------------------------------------------
1 | ## Event ID 13 {#event-id-13}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Information
6 | - Required certification authority LogLevel: 4 (`CERTLOG_VERBOSE`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | Request {0} for {1} will be put into pending state.
12 | ```
13 |
14 | - Placeholder `{0}` will contain the Request ID number.
15 | - Placeholder `{1}` will contain the certificate template name.
16 |
17 | ### Event Description
18 |
19 | This is an informational event containing the request ID and the certificate template name in case TameMyCerts decides that the certificate request shall be put into pending state.
20 |
--------------------------------------------------------------------------------
/user-guide/event-id-14.md:
--------------------------------------------------------------------------------
1 | ## Event ID 14 {#event-id-14}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Warning
6 | - Required certification authority LogLevel: 3 (`CERTLOG_WARNING`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | The following warnings have been logged during the processing of request {0} for {1}:
12 | {2}
13 | ```
14 |
15 | - Placeholder `{0}` will contain the Request ID number.
16 | - Placeholder `{1}` will contain the certificate template name.
17 | - Placeholder `{2}` will contain one or more warnings that have been logged during the processing of the certificate request.
18 |
19 | ### Event Description
20 |
21 | This event gets logged if warnings occurred during the processing of the certificate request. This event will get logged regardless of whether the certificate gets issued or not.
22 |
23 | > Warnings might indicate an abnormal condition. It is therefore recommended to collect these events and trigger an alert in your monitoring solution, if present.
24 |
25 | Currently, TameMyCerts logs warnings in the following cases:
26 |
27 | - A certificate request contains the dangerous "san" request attribute, which might be an indicator of an attempt to attack the certification authority. Refer to section [Denying certificate requests for insecure combinations](#deny-insecure-flags) for more information.
28 |
--------------------------------------------------------------------------------
/user-guide/event-id-2.md:
--------------------------------------------------------------------------------
1 | ## Event ID 2 {#event-id-2}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Error
6 | - Required certification authority LogLevel: 2 (`CERTLOG_ERROR`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | Error initializing Windows Default policy module:
12 | {0}
13 | ```
14 |
15 | - Placeholder `{0}` will contain the error message.
16 |
17 | ### Event Description
18 |
19 | Occurs if the Windows Default policy was **not** successfully loaded during CA service startup. **Will cause the CA service to not start.**
20 |
--------------------------------------------------------------------------------
/user-guide/event-id-4.md:
--------------------------------------------------------------------------------
1 | ## Event ID 4 {#event-id-4}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Error
6 | - Required certification authority LogLevel: 2 (`CERTLOG_ERROR`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | Shutting down Windows Default policy module failed:
12 | {0}
13 | ```
14 |
15 | - Placeholder `{0}` will contain the error message.
16 |
17 | ### Event Description
18 |
19 | Occurs if the Windows Default policy was **not** successfully unloaded during CA service shutdown.
20 |
--------------------------------------------------------------------------------
/user-guide/event-id-5.md:
--------------------------------------------------------------------------------
1 | ## Event ID 5 {#event-id-5}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Warning
6 | - Required certification authority LogLevel: 0 (`CERTLOG_MINIMAL`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | Audit mode is enabled for {1}. Request {0} would get denied because:
12 | {2}
13 | ```
14 |
15 | - Placeholder `{0}` will contain the Request ID number.
16 | - Placeholder `{1}` will contain the certificate template name.
17 | - Placeholder `{2}` will contain one or more reasons why the certificate request would get denied.
18 |
19 | ### Event Description
20 |
21 | Occurs if [Audit only mode](#audit-only-mode) is enabled for a certificate template and a certificate request would get denied because of a policy violation. Contains detailed information about which kind of policy violation would have caused the request to get denied.
22 |
--------------------------------------------------------------------------------
/user-guide/event-id-6.md:
--------------------------------------------------------------------------------
1 | ## Event ID 6 {#event-id-6}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Warning
6 | - Required certification authority LogLevel: 3 (`CERTLOG_WARNING`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | Request {0} for {1} was denied because:
12 | {2}
13 | ```
14 |
15 | - Placeholder `{0}` will contain the Request ID number.
16 | - Placeholder `{1}` will contain the certificate template name.
17 | - Placeholder `{2}` will contain one or more reasons why the certificate request was denied.
18 |
19 | 
20 |
21 | ### Event Description
22 |
23 | Occurs if a certificate request was denied because of a policy violation. The event description contains detailed information about which kind of policy violation caused the request to get denied.
24 |
25 | Note that TameMyCerts can also detect abuse of [insecure flags](#deny-insecure-flags) set on the certification authority, which can help prevent [compromise](#uc-esc6) of the Active Directory environment. Occurrences are logged under this event ID.
26 |
--------------------------------------------------------------------------------
/user-guide/event-id-7.md:
--------------------------------------------------------------------------------
1 | ## Event ID 7 {#event-id-7}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Warning
6 | - Required certification authority LogLevel: 4 (`CERTLOG_VERBOSE`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | Unable to find policy file for {0}. Request {1} will get issued.
12 | ```
13 |
14 | - Placeholder `{0}` will contain the certificate template name.
15 | - Placeholder `{1}` will contain the Request ID number.
16 |
17 | ### Event Description
18 |
19 | Occurs if there is no policy configuration file defined for the certificate template used by the certificate request. The certificate request gets allowed in this case.
20 |
--------------------------------------------------------------------------------
/user-guide/event-id-8.md:
--------------------------------------------------------------------------------
1 | ## Event ID 8 {#event-id-8}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Warning
6 | - Required certification authority LogLevel: 3 (`CERTLOG_WARNING`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | Unable to find policy file for {0}. Request {1} will get denied.
12 | ```
13 |
14 | - Placeholder `{0}` will contain the certificate template name.
15 | - Placeholder `{1}` will contain the Request ID number.
16 |
17 | ### Event Description
18 |
19 | Occurs if there is no policy configuration file defined for the certificate template used by the certificate request, and the TameMyCerts global flags are configured to deny certificate requests when there is no policy defined. The certificate request gets denied in this case.
20 |
--------------------------------------------------------------------------------
/user-guide/event-id-9.md:
--------------------------------------------------------------------------------
1 | ## Event ID 9 {#event-id-9}
2 |
3 | - Event Log: Application
4 | - Event Source: TameMyCerts
5 | - Event Type: Error
6 | - Required certification authority LogLevel: 2 (`CERTLOG_ERROR`)
7 |
8 | ### Event Sample
9 |
10 | ```
11 | The {0} policy module currently does not support standalone certification authorities.
12 | ```
13 |
14 | - Placeholder `{0}` will contain the policy module name.
15 |
16 | ### Event Description
17 |
18 | Occurs if the TameMyCerts policy module is loaded on a standalone certification authority, which is unsupported at the moment. **Will cause the CA service to not start.**
19 |
--------------------------------------------------------------------------------
/user-guide/header-appendix.md:
--------------------------------------------------------------------------------
1 | # Appendix {#appendix}
2 |
--------------------------------------------------------------------------------
/user-guide/header-use-cases.md:
--------------------------------------------------------------------------------
1 | ## Typical use cases for the TameMyCerts policy module {#use-cases}
2 |
--------------------------------------------------------------------------------
/user-guide/logs.md:
--------------------------------------------------------------------------------
1 | # Logs generated by the TameMyCerts policy module {#logs}
2 |
3 | In addition to the certification authority's regular log entries, the policy module will also write a detailed log entry if a certificate request was denied due to a policy violation or failure. Find the logs under the _Application_ event log with the `TameMyCerts` Event Source.
4 |
5 | 
6 |
7 | Logging for the policy module follows the `LogLevel` concept of the certification authority. Increasing the value for the certification authority also increases the amount of logging produced by TameMyCerts.
8 |
9 | ```batch
10 | certutil -setreg CA\Loglevel {LogLevel}
11 | net stop certsvc
12 | net start certsvc
13 | ```
14 |
15 | |Log Level|Description|
16 | |---|---|
17 | |0|`CERTLOG_MINIMAL`|
18 | |1|`CERTLOG_TERSE`|
19 | |2|`CERTLOG_ERROR`|
20 | |3|`CERTLOG_WARNING` (Default Setting)|
21 | |4|`CERTLOG_VERBOSE`|
22 | |5|`CERTLOG_EXHAUSTIVE`|
23 |
--------------------------------------------------------------------------------
/user-guide/pattern.md:
--------------------------------------------------------------------------------
1 | ## Description of the "Pattern" directive {#pattern}
2 |
3 | The `Pattern` parameter is defined as follows:
4 |
5 | |Parameter|Mandatory|Description|
6 | |---|---|---|
7 | |`Expression`|**yes**|Specifies the expression the field gets matched against.|
8 | |`TreatAs`|no|Specifies how the expression is to be interpreted by TameMyCerts. Defaults to `RegEx`.|
9 | |`Action`|no|Specifies if a match for the pattern will `Allow` the certificate to get issued (the default) or `Deny` the certificate request.|
10 |
11 | The `TreatAs` directive can be configured to one of the following values:
12 |
13 | |Value|Description|
14 | |---|---|
15 | |`RegEx`|Treat the value to be analyzed as a **case sensitive** regular expression (the default).|
16 | |`RegExIgnoreCase`|Treat the value to be analyzed as a **case insensitive** regular expression.|
17 | |`Cidr`|Treat the value to be analyzed as an IP address that must be within an IPv4 or IPv6 subnet in CIDR notation, e.g. `192.168.0.0/16`.|
18 | |`ExactMatch`|The value to be analyzed must exactly match the configured expression (**case sensitive**).|
19 | |`ExactMatchIgnoreCase`|The value to be analyzed must exactly match the configured expression (**case insensitive**).|
20 |
--------------------------------------------------------------------------------
/user-guide/prerequisites.md:
--------------------------------------------------------------------------------
1 | # Prerequisites {#prerequisites}
2 |
3 | TameMyCerts is intended to be installed on a server with the Certification Authority role installed.
4 |
5 | ## Supported certification authority modes
6 |
7 | The following modes for the certification authority role are supported by TameMyCerts:
8 |
9 | |CA mode|Support status|
10 | |---|---|
11 | |Enterprise Root|supported|
12 | |Enterprise Issuing|supported|
13 | |Standalone Root|**not** supported|
14 | |Standalone Issuing|**not** supported|
15 |
16 | ## Supported operating systems
17 |
18 | The module was successfully tested and is supported with the following operating systems:
19 |
20 | - Microsoft Windows Server 2025
21 | - Microsoft Windows Server 2022
22 | - Microsoft Windows Server 2019
23 | - Microsoft Windows Server 2016
24 |
25 | Other Microsoft Windows Server operating systems may work but are not supported.
26 |
27 | ## Software prerequisites
28 |
29 | TameMyCerts requires the .NET Desktop Runtime 8.0 ().
30 |
--------------------------------------------------------------------------------
/user-guide/resources/Swiss-Cheese-Model.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/Swiss-Cheese-Model.png
--------------------------------------------------------------------------------
/user-guide/resources/active-module.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/active-module.png
--------------------------------------------------------------------------------
/user-guide/resources/approval-flow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/approval-flow.png
--------------------------------------------------------------------------------
/user-guide/resources/audit-only-mode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/audit-only-mode.png
--------------------------------------------------------------------------------
/user-guide/resources/certapi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/certapi.png
--------------------------------------------------------------------------------
/user-guide/resources/csp-rules1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/csp-rules1.png
--------------------------------------------------------------------------------
/user-guide/resources/csp-rules2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/csp-rules2.png
--------------------------------------------------------------------------------
/user-guide/resources/deny-disabled-account.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/deny-disabled-account.png
--------------------------------------------------------------------------------
/user-guide/resources/deny-fields-missing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/deny-fields-missing.png
--------------------------------------------------------------------------------
/user-guide/resources/deny-forbidden-group.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/deny-forbidden-group.png
--------------------------------------------------------------------------------
/user-guide/resources/deny-nonexisting-user.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/deny-nonexisting-user.png
--------------------------------------------------------------------------------
/user-guide/resources/deny-not-member.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/deny-not-member.png
--------------------------------------------------------------------------------
/user-guide/resources/deny-sid-extension.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/deny-sid-extension.png
--------------------------------------------------------------------------------
/user-guide/resources/deny-syntax-blacklist.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/deny-syntax-blacklist.png
--------------------------------------------------------------------------------
/user-guide/resources/deny-syntax-violation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/deny-syntax-violation.png
--------------------------------------------------------------------------------
/user-guide/resources/deny-wrong-ou.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/deny-wrong-ou.png
--------------------------------------------------------------------------------
/user-guide/resources/digital-signature.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/digital-signature.png
--------------------------------------------------------------------------------
/user-guide/resources/event-viewer.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/event-viewer.png
--------------------------------------------------------------------------------
/user-guide/resources/expiration-passed.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/expiration-passed.png
--------------------------------------------------------------------------------
/user-guide/resources/install.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/install.png
--------------------------------------------------------------------------------
/user-guide/resources/key-rules.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/key-rules.png
--------------------------------------------------------------------------------
/user-guide/resources/offline-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/offline-template.png
--------------------------------------------------------------------------------
/user-guide/resources/online-template.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/online-template.png
--------------------------------------------------------------------------------
/user-guide/resources/policydirectory.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/policydirectory.png
--------------------------------------------------------------------------------
/user-guide/resources/prevent-esc6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/prevent-esc6.png
--------------------------------------------------------------------------------
/user-guide/resources/process-rules1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/process-rules1.png
--------------------------------------------------------------------------------
/user-guide/resources/process-rules2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/process-rules2.png
--------------------------------------------------------------------------------
/user-guide/resources/process-rules3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/process-rules3.png
--------------------------------------------------------------------------------
/user-guide/resources/sample-event.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/sample-event.png
--------------------------------------------------------------------------------
/user-guide/resources/subject-from-ad.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/subject-from-ad.png
--------------------------------------------------------------------------------
/user-guide/resources/supplement-dnsnames.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/supplement-dnsnames.png
--------------------------------------------------------------------------------
/user-guide/resources/supplement-spns.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/supplement-spns.png
--------------------------------------------------------------------------------
/user-guide/resources/template-name-ps.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/template-name-ps.png
--------------------------------------------------------------------------------
/user-guide/resources/template-name.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/template-name.png
--------------------------------------------------------------------------------
/user-guide/resources/undefined-rdn.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/undefined-rdn.png
--------------------------------------------------------------------------------
/user-guide/resources/uninstall.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/uninstall.png
--------------------------------------------------------------------------------
/user-guide/resources/ykca-store.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/ykca-store.png
--------------------------------------------------------------------------------
/user-guide/resources/ykroot-store.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Sleepw4lker/TameMyCerts/ed0cfc3b1194ee14ac0a856f620adbe915e606e3/user-guide/resources/ykroot-store.png
--------------------------------------------------------------------------------
/user-guide/tech-reference.md:
--------------------------------------------------------------------------------
1 | # Technical Reference {#tech-reference}
2 |
--------------------------------------------------------------------------------
/user-guide/uc-subjectdn.md:
--------------------------------------------------------------------------------
1 | ### How TameMyCerts can help establish digital signature processes in the enterprise {#uc-subjectdn}
2 |
3 | Many enterprises nowadays want to establish paperless processes to ease and speed up internal approval and signature processes. This has become even more important in the times of employees predominantly working remotely. Whilst Microsoft AD CS is capable of automating certificate issuance processes, its possibilities to influence the certificate content are limited.
4 |
5 | TameMyCerts allows you to define advanced rules to build the Subject Distinguished Name or Subject Alternative Names with either statically defined values, or by pulling the necessary data from Active Directory. This drastically extends the possibilities of certificate autoenrollment in the Windows ecosystem.
6 |
7 | 
8 |
9 | For example, you could populate a certificate's Common Name with the _displayName_ Active Directory attribute and also set a static value for the _organizationName_ field.
10 |
11 | 
12 |
--------------------------------------------------------------------------------
/user-guide/uninstalling.md:
--------------------------------------------------------------------------------
1 | ## Uninstalling the TameMyCerts policy module {#uninstalling}
2 |
3 | To uninstall the module, run `install.ps1` as Administrator with the `-Uninstall` parameter.
4 |
5 | > The installation script restarts the certification authority service during installation and uninstallation.
6 |
7 | Example:
8 |
9 | ```powershell
10 | .\install.ps1 -Uninstall
11 | ```
12 |
13 | 
14 |
15 | The script unregisters the module, restores the previously saved registry settings and configures the Windows default policy module as the active one.
16 |
--------------------------------------------------------------------------------
/user-guide/upgrading.md:
--------------------------------------------------------------------------------
1 | ## Upgrading from a previous version {#upgrading}
2 |
3 | The process of upgrading from a previous version is the same as [installing the module](#installing). Simply proceed as you would when installing TameMyCerts for the first time.
4 |
5 | Depending on the version you previously used, it may be necessary to adjust your policy configuration files. Refer to the [upgrade instructions](#upgrade-instructions) in the [Technical Reference](#tech-reference) section of the document.
6 |
--------------------------------------------------------------------------------