# # ----------------------------- # TRANSLATIONS DEFINITION # ----------------------------- # data _system_translations { ConvertFrom-StringData @' # fallback text goes here (copy from CertificateServices.psd1 for en-us) # # PreCheck # PreCheck_Title = Active Directory Certificate Services must be running to complete the Best Practice scan PreCheck_Problem = Active Directory Certificate Services must be running to complete the Best Practice scan. PreCheck_Impact = The Active Directory Certificate Services Best Practice scan cannot be completed because Active Directory Certificate Services is not running. PreCheck_Resolution = Use Server Manager to start Active Directory Certificate Services. # # NoneApplicable # NoneApplicable_Title = There are no applicable best practices for the AD CS role services installed on this computer NoneApplicable_Compliant = The Active Directory Certificate Services (AD CS) Best Practices Analyzer does not have any applicable best practices for the AD CS role services that are installed on this computer. # # UserAEPolicySetCheck # UserAEPolicySetCheck_Title = User autoenrollment group policy is not enabled UserAEPolicySetCheck_Problem = This certification authority (CA) was installed as an enterprise CA, but Group Policy settings for user autoenrollment have not been enabled. UserAEPolicySetCheck_Impact = An enterprise CA can use autoenrollment to simplify certificate issuance and renewal.  If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected. UserAEPolicySetCheck_Resolution = If user autoenrollment is desired, use the Group Policy Management Console to configure user autoenrollment policy settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate templates. UserAEPolicySetCheck_Compliant = The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # MachineAEPolicySetCheck # MachineAEPolicySetCheck_Title = Computer autoenrollment group policy is not enabled MachineAEPolicySetCheck_Problem = This certification authority (CA) was installed as an enterprise CA, but Group Policy settings for computer autoenrollment have not been enabled. MachineAEPolicySetCheck_Impact = An enterprise CA can use autoenrollment to simplify certificate issuance and renewal.  If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected. MachineAEPolicySetCheck_Resolution = If computer autoenrollment is desired, use the Group Policy Management Console to configure computer autoenrollment policy settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate templates. MachineAEPolicySetCheck_Compliant = The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # CRLPeriodInSecondsCheck # CRLPeriodInSecondsCheck_Title = The CRL publication interval for a stand-alone root CA should be at least 30 days CRLPeriodInSecondsCheck_Problem = To enhance security, a root certification authority (CA) should remain offline except when needed to issue or renew a certificate. When a root CA is offline, certificate revocation list (CRL) publication intervals should be extended beyond the default seven-day period. CRLPeriodInSecondsCheck_Impact = An offline or stand-alone CA may not be able to automatically publish updated CRLs.  If updated CRLs are not published to their CRL distribution points, revocation checks on certificates issued by the CA may  fail. CRLPeriodInSecondsCheck_Resolution = Use the Certification Authority snap-in to set the CRL publication interval to 30 days or longer. CRLPeriodInSecondsCheck_Compliant = The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # PolicyModuleCheck # PolicyModuleCheck_Title = When user-defined subject alternate names are permitted, set all certificate requests to pending PolicyModuleCheck_Problem = The policy module for a certification authority (CA) is configured to allow the user to define the subject alternative name  to be included within a certificate. However, it is not configured to set certificate requests to pending, which requires a certificate manager to review and approve each request. PolicyModuleCheck_Impact = When users can define the subject alternate name to be included within a certificate, they can specify an identity other than their own. Unless you require a certificate manager to review and approve each request, there is an increased risk of identity spoofing. PolicyModuleCheck_Resolution = Configure the policy module for the CA to set all certificate requests to pending and require a certificate manager to review and approve each request before a certificate is issued. PolicyModuleCheck_Compliant = The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # CRLURLsCheck # CRLURLsCheck_Title = CRL distribution point locations should be included in the extensions of issued certificates CRLURLsCheck_Problem = This certification authority (CA) is not configured to include certificate revocation list (CRL) distribution point locations in the extensions of issued certificates. The CRL distribution point extension provides the network location of the CRL. CRLURLsCheck_Impact = Clients may not be able to locate a CRL to check the revocation status of a certificate, and certificate validation may fail. CRLURLsCheck_Resolution = Use the Certification Authority snap-in to configure the CRL distribution point extension and specify the network location of the CRL. CRLURLsCheck_Compliant = The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # AIAURLsCheck # AIAURLsCheck_Title = Authority information access locations should be included in the extensions of issued certificates AIAURLsCheck_Problem = This certification authority (CA) is not configured to include authority information access locations in the extensions of issued certificates. The authority information access extension provides the network location of the issuing CA's certificate. AIAURLsCheck_Impact = Clients may not be able to locate the issuing CA's certificate to build a certificate chain, and certificate validation may fail. AIAURLsCheck_Resolution = Use the Certification Authority snap-in to configure the authority information access extension and specify the network location of the issuing CA's certificate. AIAURLsCheck_Compliant = The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # CRLKeySuffixCheck # CRLKeySuffixCheck_Title = CRL distribution point locations should include the CRL name suffix CRLKeySuffixCheck_Problem = The location of the certificate revocation list (CRL) specified in the CRL distribution point extension is not configured to include the CRL name suffix. CRLKeySuffixCheck_Impact = Clients may not be able to locate the correct version of the CRL to check the revocation status of a certificate, and certificate validation may fail. CRLKeySuffixCheck_Resolution = Use the Certification Authority snap-in to configure the CRL distribution point extension to include the CRL name suffix in each location. CRLKeySuffixCheck_Compliant = The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # AIAKeySuffixCheck # AIAKeySuffixCheck_Title = Authority information access locations should include the certificate name suffix AIAKeySuffixCheck_Problem = The location of the certification authority (CA) certificate specified in the authority information access extension is not configured to include the certificate name suffix. AIAKeySuffixCheck_Impact = Clients may not be able to to locate the correct version of the issuing CA's certificate to build a certificate chain, and certificate validation may fail. AIAKeySuffixCheck_Resolution = Use the Certification Authority snap-in to configure the authority information access extension to include the certificate name suffix in each location. AIAKeySuffixCheck_Compliant = The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # CRLLocalWebURLsCheck # CRLLocalWebURLsCheck_Title = Web Server (IIS) role should be installed if CRL distribution point extension URIs refer to the local Web server CRLLocalWebURLsCheck_Problem = The certificate revocation list (CRL) distribution point extension on this certification authority (CA) refers to the local Web server. However, the Web Server (IIS) role is not installed. CRLLocalWebURLsCheck_Impact = Clients may not be able to locate a CRL to check the revocation status of a certificate, and certificate validation may fail. CRLLocalWebURLsCheck_Resolution = Use Server Manager to add the Web Server (IIS) role and add virtual directories to match the HTTP URI included in the CRL distribution point extension. Otherwise, remove the HTTP URI from the extension by using the Certification Authority snap-in. CRLLocalWebURLsCheck_Compliant = The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # AIALocalWebURLsCheck # AIALocalWebURLsCheck_Title = Web Server (IIS) role should be installed if authority information access extension URIs refer to the local Web server AIALocalWebURLsCheck_Problem = The authority information access extension on this certification authority (CA) refers to the local Web server. However, the Web Server (IIS) role is not installed. AIALocalWebURLsCheck_Impact = Clients may not be able to locate the issuing CA's certificate, and certificate validation may fail. AIALocalWebURLsCheck_Resolution = Use Server Manager to add the Web Server (IIS) role and add virtual directories to match the HTTP URI included in the authority information access extension. Otherwise, remove the HTTP URI from the extension by using the Certification Authority snap-in. AIALocalWebURLsCheck_Compliant = The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # DeltaCRLRemoteWebURLsCheck # DeltaCRLRemoteWebURLsCheck_Title = Web server should allow URIs containing a plus sign (+) to enable publishing of delta CRLs DeltaCRLRemoteWebURLsCheck_Problem = The certificate revocation list (CRL) distribution point extension on this certification authority (CA) includes URIs for a remote Web server. If the Web server is Internet Information Services (IIS) 7.0 with the default configuration, then delta CRL URIs that contain a plus sign (+) will be blocked. DeltaCRLRemoteWebURLsCheck_Impact = Clients may not be able to locate a CRL to check the revocation status of a certificate, and certificate validation may fail. DeltaCRLRemoteWebURLsCheck_Resolution = If the Web server that hosts the delta CRL is running IIS 7.0, then ensure that the "Allow double escaping" check box is selected in the IIS Request Filtering settings. DeltaCRLRemoteWebURLsCheck_Compliant = The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # DBFilesOnSystemDriveCheck # DBFilesOnSystemDriveCheck_Title = CA database and log files should not be stored on the system drive DBFilesOnSystemDriveCheck_Problem = This certification authority (CA) is configured to store the certificate database or log files on the system drive. DBFilesOnSystemDriveCheck_Impact = Database and log files can become very large and can possibly consume all available disk space. If these files are located on the system drive, then this can cause the operating system to fail. DBFilesOnSystemDriveCheck_Resolution = Move the certificate database and log files to a non-system drive, and update the CA configuration to indicate the new location. DBFilesOnSystemDriveCheck_Compliant = The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. '@ } Import-LocalizedData -BindingVariable _system_translations -filename CertificateServices.psd1 # # ------------------ # FUNCTIONS - START # ------------------ # # # Function Description: # Creates the Document element for the Xml Document # # Arguments: # $ns - Namespace Name # $name - Name of the document element # # Return Value: # returns the created document element # function Create-DocumentElement( $ns, $name ) { [xml] "<$name xmlns='$ns'/>" } # # Function Description: # # Adds the specified element in the element hierarchy specified # as variable number of arguments # # Arguments: # # $docElem - The Document Element for the XML Document # $tns - Namespace # $elemData - The data value of the element to be added # Variable Args - Specifies the hierarchy of elements # # Return Value: # # None # function AddElementToDocument ( $docElem, $tns, $elemData ) { $numLevels = $args.length $parent = $docElem.DocumentElement # # Iterate over the elements hierarchy specified. For each level # if it doesnt exist, create it. # for ( $i=0; $i -lt $numLevels; $i++ ) { # # current element in hierarchy # $currName = $args[$i] if ( $parent.$currName -eq $null ) { # # Create a new element since it doesnt exist and add it to the parent # to maintain relationship # $currElem = $docElem.CreateElement( $currName, $tns ) [void] $parent.AppendChild( $currElem ) } # # Iterate to the next element in hierarchy # $parent = $parent[$currName] } # # Make value canonical to XSD type # if ( $elemData -is [bool]) { $canonElemData = $( if ($elemData) {"true"} else {"false"} ) } else { $canonElemData = $elemData } # # Set the data for the current element # $currElem.InnerText = $canonElemData } # # Function Description: # # This function will add the Server Manager module so that Roles # can be queried # # Arguments: # # None # # Return Value: # # None # function RoleQueryInitialize { Import-Module ServerManager } # # Function Description: # # This function will remove the Server Manager module after the Roles # have been queried # # Arguments: # # None # # Return Value: # # None # function RoleQueryShutdown { Remove-Module ServerManager } # # Function Description: # # This function will check to see if the specified role is installed # # Arguments: # # $roleId - Command Id of the Role # # Return Value: # # $true - If Role is Installed # $false - If Role is not Installed # function IsRoleInstalled ( $roleId ) { $roleInstalled = $false # # Use the Server Manager CmdLet to obtain detail about Role # $Role = Get-WindowsFeature -Name $roleId if ( $Role -ne $null ) { $roleInstalled = $Role.Installed } $roleInstalled } # # Function Description: # # This function will return number of seconds in a given period # # Arguments: # # $periodUnits - Number of Period Units # $period - Period, could be - Seconds, Minutes, Hours, # Days, Weeks, Months OR Years # # Return Value: # # $secondsInPeriod - Number of seconds in given period # function ConvertPeriodToSeconds ( $periodUnits, $period ) { $secondsInPeriod = 0 $secondsInUnit = 0 switch ($period) { "Seconds" { $secondsInUnit = 1 } "Minutes" { $secondsInUnit = 60 } "Hours" { $secondsInUnit = 60*60 } "Days" { $secondsInUnit = 24*60*60 } "Weeks" { $secondsInUnit = 7*24*60*60 } "Months" { $secondsInUnit = 30*24*60*60 } "Years" { $secondsInUnit = 365*24*60*60 } } $secondsInPeriod = $periodUnits * $secondsInUnit $secondsInPeriod } # # Function Description: # # This function will create and return a COM Object # # Arguments: # # $ProgId - Specifies type of COM object to create # # Return Value: # # $comObj - Newly created COM object # $null - if failure # function CreateComObject ( $ProgId ) { $comObj = New-Object -com $ProgId return $comObj } # # Function Description: # # This function will obtain the Config String for the CA identified by $flags # # Arguments: # # $flags - Flags which identify the CA # # Return Value: # # $configString - Config String for the specified CA # $null - if failure # function GetCAConfigString ( $flags ) { $certConfig = CreateComObject "CertificateAuthority.Config.1" if ($certConfig -eq $null) { return $null } $configString = $certConfig.GetConfig( $flags ) return $configString } # # Function Description: # # This function will obtain Type of specified CA # # Arguments: # # $certAdmin - CertificateAuthority Admin object # $configString - Config String which identifies the CA # # Return Value: # # $caType - Type of the specified CA # $null - if failure # function GetCAType ( $certAdmin, $configString ) { if ( !$certAdmin -or !$configString ) { return $null } $caType = $certAdmin.GetCAProperty( $configString, 10, 0, 1, 2 ) return $caType } # # Function Description: # # This function will obtain specified config entry of specified CA # # Arguments: # # $certAdmin - CertificateAuthority Admin object # $configString - Config String which identifies the CA # $nodePath - Node Path for the Config Information # $configEntry - Config Entry to obtain # # Return Value: # # $configEntryVal - Value of Config Entry # $null - if failure # function GetCAConfigEntry( $certAdmin, $configString, $nodePath, $configEntry ) { if ( !$certAdmin -or !$configEntry ) { return $null } $configEntryVal = $certAdmin.GetConfigEntry( $configString, $nodePath, $configEntry ) return $configEntryVal } # # Function Description: # # This function will check if Reg Value data is same as the specified data # # Arguments: # # $regPath - Registry Key path # $regVal - Regsitry Value in the specified path # $data - data to be compared with # # Return Value: # # $true - if discovered data is same as specified data # $false - if there was no discovered data or # discovered data not same as specified data # function CompareRegValueData( $regPath, $regVal, $data ) { $compare = $false if ( !$regPath -or !$regVal ) { return $null } $pathExists = Test-Path $regPath if ( $pathExists -eq $true ) { $item = Get-ItemProperty -path $regPath # # If the $regVal doesnt exist under the $regPath, # $itemData will be $null # $itemData = $item.$regVal if ( $itemData -eq $data ) { $compare = $true } } return $compare } # # Function Description: # # This function will check if CA is Enterprise CA # # Arguments: # # $caTypeEnum - Type of CA to check against # $caType - Type of CA # # Return Value: # # $true - if CA is of specified type # $false - otherwise # function CheckCAType( $caTypeEnum, $caType ) { $compare = $false switch ( $catypeEnum ) { "Enterprise" { # # Compare with ENTERPRISE_ROOTCA(0) or ENUM_ENTERPRISE_SUBCA(1) # if ( ( $caType -eq 0 ) -or ( $caType -eq 1 ) ) { $compare = $true } } "StandAlone" { # # Compare with ENUM_STANDALONE_ROOTCA(3) # if ( $caType -eq 3 ) { $compare = $true } } } return $compare } # # Function Description: # # This function returns the CRL/Delta CRL/AIA urls which # are added to certificates # # Arguments: # # $certAdmin - CertAdmin COM object # $configString - CA config string # $urlRegKey - either the CRL or the AIA key # # Return Value: # # List of published URLs # function GetPublishedURLs( $certAdmin, $configString, $urlRegKey, $flagToCheck) { $publishedUrls = @() $urls = GetCAConfigEntry $certAdmin $configString "" $urlRegKey foreach($url in $urls) { $flag = (($url).Split(':'))[0] if (0 -ne ($flagToCheck -band $flag)) { $publishedUrls += $url } } return $publishedUrls } # # Function Description: # # This function returns the urls with matching scheme # # Arguments: # # $urls - Initial list of URLs # $schemes - list of URL schemes like file, http, https, ldap # # Return Value: # # List of filtered URLs # function GetFilteredURLs($urls, $schemes) { $filteredUrls = @() if (($urls -eq $null) -or ($schemes -eq $null)) { return $filteredUrls } foreach($scheme in $schemes) { # Actual regex for http scheme is "^[0-9]+:http:.*" $schemeRegEx = "^[0-9]+:" + $scheme + ":.*" foreach($url in $urls) { if ($url -imatch $schemeRegEx) { $filteredUrls += $url; break; } } } return $filteredUrls } # # This function will whether check any of the suffixes is a part of any of the urls # # Arguments: # # $urls - list of published URLs # $suffixes - array of suffixes to check for # # Return Value: # # $true - if any of the Suffixes is a part of any of the published URLs # $false - otherwise # function CheckSuffixesInURLs($urls, $suffixes) { $suffixRegEx = "%[0-9]+" $compare = $false if (($urls -eq $null) -or ($suffixes -eq $null)) { return $compare } foreach($url in $urls) { for($urlClone = $url.Clone(); $urlClone -imatch $suffixRegEx; $urlClone = $urlClone.Substring($urlClone.IndexOf($matches[0]) + $matches[0].Length)) { foreach($suffix in $suffixes) { if ($matches[0] -eq $suffix) { $compare = $true break } } if ($compare) { break } } if ($compare) { break } } return $compare } # # This function will check whether any url is https or https and whether it is a local server # # Arguments: # # $urls - list of published URLs # # Return Value: # # $true - if the Web URL is local # $false - otherwise # function CheckLocalWebURLs($urls) { $local = $false if ($urls -eq $null) { return $local } foreach($url in $urls) { # # %1, %2 is the URL template value for the ServerDNSName and ServerShortName respectively # if (($url -imatch "^([0-9]+:https?://%[12](/?)|(/.+))") ) { $local = $true break } } return $local } # # This function will check whether any url is https or https and whether it is a remote server # # Arguments: # # $urls - list of published URLs # # Return Value: # # $true - if the Web URL is remote # $false - otherwise # function CheckRemoteWebURLs($urls) { $remote = $false if ($urls -eq $null) { return $remote } foreach($url in $urls) { if ($url -imatch "^([0-9]+:https?://.*)") { $local = CheckLocalWebURLs @($url) if ($local -eq $false) { $remote = $true break } } } return $remote } # # This function will check whether any of the DB files are on the system drive # # Arguments: # # $certAdmin - ICertAdmin2 object # # Return Value: # # $true - if the DB files are on the system drive # $false - otherwise # function CheckDBFilesOnSystemDrive ($certAdmin) { $systemDrivePrefix = (get-childItem -path Env:\SystemDrive).Value + "*" $dbFilesPath = @("DBDirectory", "DBLogDirectory", "DBTempDirectory", "DBSystemDirectory") foreach($dbfile in $dbFilesPath) { $dbDir = GetCAConfigEntry $certAdmin "" "" $dbfile if ($dbDir -ilike $systemDrivePrefix) { return $true } } return $false } # # ------------------ # FUNCTIONS - END # ------------------ # # # ------------------------ # SCRIPT MAIN BODY - START # ------------------------ # # # Initialize to perform querying Role information # RoleQueryInitialize $ADCSCertAuthorityInstalled = IsRoleInstalled "ADCS-Cert-Authority" $WebWebServerInstalled = IsRoleInstalled "Web-WebServer" # # Role Information obtained. # RoleQueryShutdown # # Set the Target Namespace to be used by XML # $tns="http://schemas.microsoft.com/bestpractices/models/ServerManager/CertificateServices/CertificateServicesComposite/2008/04" # # Create a new XmlDocument # $doc = Create-DocumentElement $tns "CertificateServicesComposite" # # If ADCS-Cert-Authority is installed and running, we need to # if ($ADCSCertAuthorityInstalled -eq $true) { # # Pre-Check whether the service is running # $ADCSRunning = (get-service certsvc).Status -eq "Running" if ($ADCSRunning -eq $false) { AddElementToDocument $doc $tns $true "PreCheck" } else { # # Create the Certificate Admin Object # $certAdmin = CreateComObject "CertificateAuthority.Admin.1" # # Obtain the config string for the CA using CC_LOCALCONFIG (0x3) # $certConfigFlags = 0x3 $configString = GetCAConfigString $certConfigFlags # # Obtain the type of CA # $caType = GetCAType $certAdmin $configString # # Check to see if this is an Enterprise CA # if ( CheckCAType "Enterprise" $caType ) { # # Check to see if User Auto Enrollment Policy has been set correctly # $userAEPolicySet = CompareRegValueData "HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" "AEPolicy" 7 # # Adding this value to the XML Document # AddElementToDocument $doc $tns $userAEPolicySet "ADCSCertAuthority" "UserAEPolicySet" # # Check to see if Machine Auto Enrollment Policy has been set correctly # $machineAEPolicySet = CompareRegValueData "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" "AEPolicy" 7 # # Adding this value to the XML Document # AddElementToDocument $doc $tns $machineAEPolicySet "ADCSCertAuthority" "MachineAEPolicySet" } # # Check to see if this is a StandAlone CA # if ( CheckCAType "StandAlone" $caType ) { # # Obtain the CRL period and period units # $period = GetCAConfigEntry $certAdmin $configString "" "CRLPeriod" $periodUnits = GetCAConfigEntry $certAdmin $configString "" "CRLPeriodUnits" # # Convert the period in seconds # $periodInSeconds = ConvertPeriodToSeconds $periodUnits $period # # Adding this value to the XML Document # AddElementToDocument $doc $tns $periodInSeconds "ADCSCertAuthority" "CRLPeriodInSeconds" } # # Obtain the Edit Flags and check if EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) has been set # $editFlags = GetCAConfigEntry $certAdmin $configString "PolicyModules\CertificateAuthority_MicrosoftDefault.Policy" "EditFlags" $editFlagsSANEnabled = $( if ( $editFlags -band 0x40000 ) { $true } else { $false } ) # # Adding this value to the XML Document # AddElementToDocument $doc $tns $editFlagsSANEnabled "ADCSCertAuthority" "EditFlagsSANEnabled" # # Obtain the Request Disposition # $requestDisposition = GetCAConfigEntry $certAdmin $configString "PolicyModules\CertificateAuthority_MicrosoftDefault.Policy" "RequestDisposition" # # Adding this value to the XML Document # AddElementToDocument $doc $tns $requestDisposition "ADCSCertAuthority" "RequestDisposition" # # Check if CDP URLs are published to certs # 2 is CSURL_ADDTOCERTCDP # $crlURLs = GetPublishedURLs $certAdmin $configString "CRLPublicationURLs" 2 $crlURLsPublished = $null -ne $crlURLs # # Adding this value to the XML Document # AddElementToDocument $doc $tns $crlURLsPublished "ADCSCertAuthority" "CRLURLs" # # Check if AIA URLs are published to certs # 2 is CSURL_ADDTOCERTCDP # $aiaURLs = GetPublishedURLs $certAdmin $configString "CACertPublicationURLs" 2 $aiaURLsPublished = $null -ne $aiaURLs # # Adding this value to the XML Document # AddElementToDocument $doc $tns $aiaURLsPublished "ADCSCertAuthority" "AIAURLs" # # Check if the Key Suffix is a part of the CRL / Delta CRL location published to certs # 2 is CSURL_ADDTOCERTCDP, 4 is CSURL_ADDTOFRESHESTCRL # $deltaCrlURLs = GetPublishedURLs $certAdmin $configString "CRLPublicationURLs" 4 $deltaCRLperiodUnits = GetCAConfigEntry $certAdmin $configString "" "CRLDeltaPeriodUnits" $deltaCrlURLsPublished = ($null -ne $deltaCrlURLs) -and ($deltaCRLperiodUnits -ne 0) # # %4, %8 is the URL template value for the Key Suffx # $keySuffixes = @("%4", "%8") $crlKeySuffixCRL = CheckSuffixesInURLs $crlURLs $keySuffixes $crlKeySuffixDeltaCRL = CheckSuffixesInURLs $deltaCrlURLs $keySuffixes $crlKeySuffix = $true if ($crlURLsPublished) { $crlKeySuffix = $crlKeySuffixCRL } if ($deltaCrlURLsPublished) { $crlKeySuffix = $crlKeySuffix -and $crlKeySuffixDeltaCRL } if ($crlURLsPublished -or $deltaCrlURLsPublished) { # # Adding this value to the XML Document # AddElementToDocument $doc $tns $crlKeySuffix "ADCSCertAuthority" "CRLKeySuffix" } # # Check if the Key Suffix is a part of the AIA location published to certs # if ($aiaURLsPublished) { $aiaKeySuffixSchemes = @("http", "https", "file") $aiaKeySuffixURLs = GetFilteredURLs $aiaURLs $aiaKeySuffixSchemes if ($aiaKeySuffixURLs.Length -gt 0) { $aiaKeySuffix = CheckSuffixesInURLs $aiaKeySuffixURLs $keySuffixes # # Adding this value to the XML Document # AddElementToDocument $doc $tns $aiaKeySuffix "ADCSCertAuthority" "AIAKeySuffix" } } # # Check if the Local http URLs are a part of the CRLs or delta CRLs # $cdpUrls = $null if ($crlURLsPublished) { $cdpUrls = $crlURLs } if ($deltaCrlsURLsPublished) { $cpdUrls = $cdpUrls + $deltaCrlURLs } if ($null -ne $cdpUrls) { $localCDPWebURL = CheckLocalWebURLs $cdpUrls if ($localCDPWebURL) { AddElementToDocument $doc $tns $WebWebServerInstalled "ADCSCertAuthority" "CRLLocalWebURLs" } } if ($aiaURLsPublished) { $localAIAWebURL = CheckLocalWebURLs $aiaURLs if ($localAIAWebURL) { AddElementToDocument $doc $tns $WebWebServerInstalled "ADCSCertAuthority" "AIALocalWebURLs" } } # # Check if Delta CRL is enabled and included in certs and that the URL is non-local http # if ($deltaCrlURLsPublished) { $remoteDeltaCrlWebURL = CheckRemoteWebURLs $deltaCrlURLs # # %9 is the URL template value for the delta CRL Suffix # $deltaCrlSuffix = CheckSuffixesInURLs $deltaCrlURLs @("%9") $deltaCRLRemoteWebURLs = $remoteDeltaCrlWebURL -and $deltaCrlSuffix AddElementToDocument $doc $tns $deltaCRLRemoteWebURLs "ADCSCertAuthority" "DeltaCRLRemoteWebURLs" } # # Check if the DB files are in the system directory # $dBFilesOnSystemDrive = CheckDBFilesOnSystemDrive $certAdmin AddElementToDocument $doc $tns $dBFilesOnSystemDrive "ADCSCertAuthority" "DBFilesOnSystemDrive" } } else { AddElementToDocument $doc $tns $true "NoneApplicable" } # # send the document to the output stream # $doc # # ------------------------ # SCRIPT MAIN BODY - END # ------------------------ #