Raf's laboratory Raffaele Rialdi personal website

There are new huge news for DeployManager tool that I initially released last year (http://www.iamraf.net/Tools/DeployManager-first-release-certificates-management).
Here is a list of the new additions.

Filtering

There is a new toolbar that enable filtering capabilities in both the tree and the listview.

• Case insensitive search
• Inclusive filters () display all certificates that contain the typed text in the name or thumbprint
• Exclusive filters () display all certificates that do NOT contain the typed text in the name or thumbprint
• Clear the filter () restore the full view

As you type the filter text in the toolbar, the tree and list views are automatically updated. The tree's leaf that contain certificate matching the filter become red. The listview is updated and show only the filtered certificates.

Detailed informations

The listview display new detailed informations:

• The certificate icons contain a key only for certificates that have private keys
• Expired certificates in red (if the certificate is not yet valid, StartDate is highlighted)

• New FriendlyName and Template Name columns
• Large tooltip with some basic info and all the certificate extensions

Pick a user or group

Often there is the need to change the ACLs for the certificate key container. Assigning the ACLs was already possible with the previous release.

 

In this new version, you can manage local machine users and groups:

• Create a new local or global group
• Add users to a group
• Remove users from a group
• Select a user or group so that you can use it for assigning the ACLs on the certificate file

I explicitly did not implement the "remove group" feature as removing a group can be dangerous.

This dialog is very useful when you want to use an IIS "managed account".

Typically you may want to:

• Create a new group
• Add a "managed account" (for example "IIS AppPool\DefaultAppPool") to the new group
• Open the SQL Management application (or whatelse application) and assign the permissions to the new group

Managed accounts are not Windows accounts, so you will not see them in the "Computer Manager" management console nor the SQL Management application.

Support for Subject Alternative Name (SAN) Extension

The "New Certificate" tab have been improved to support the SAN extension. SAN extension let you provide additional Name (alias) for the certificate.

The X500 Name for the certificate could already specify wildcard names (CN=*.mydomain.com).

With SAN extension it is possible to specify multiple domains in addition to the primary X500 name. For example www.mydomain.net and www.mydomain.org. SAN extension support different kind of names. This tool support:

• DNS Name (typically used for SSL certificates)
• RFC822 Name (typically used for emails)
• URL

Certificate friendly name

Certificates friendly names are a store-specific property that can provided while importing the certificate.

The "New Certificate" tab was changed in order to support the friendly name while adding the new certificate into the store(s). The "Save the certificate on disk" is not affected.

Improved UAC support

Many tool features do not require being an administrator. Obviously there are others, like installing a certificate, changing ACLs, etc., that do require administrative privileges. As security tokens can be assigned only during the initial process creation, elevating an application is not an easy task. Task manager, for example, do close and reopen itself.

I've choosen a different solution, and for each solution the application title change accordingly:

1. normal users can only use 'basic' functionality
   
2. normal users can elevate the application in order to use advanced functionality. To achieve this behavior, a new instance of the application is loaded with administrator privileges. The new process has no User Interface and "talk" with the application UI (that was never closed) in order to complete administrative tasks.
   
3. administrators can directly use the advanced features without having to run the second application instance.
   

Furthermore the elevation process is faster as I totally reviewed the interoperability with the native operating system API.

Tip Icons

There are a number of icons. Just place the mouse over the icon and read the tip.

Other features

• Save certificate dialog now support the "p12" extension. Please note that "pfx" and "p12" is exactly the same file format.
• The tool file size is considerably reduced although there are a lot of new features
• A number of bugs have been fixed. (multiple certificate dialog opened on double-click)

Download the latest release (alpha 8) here.