Paul Fox has uploaded a revision of his former Windows PowerShell CRL Copy script. The new script is posted at the TechNet Gallery as Windows PowerShell Copy 2 . The Windows PowerShell script monitors the remaining lifetime of a CRL, publishes a CRL to...

Tonight I spent a couple of hours reorganizing the PKI Documentation and Reference Library . I also created a vanity short URL to it http://aka.ms/pkilibrary . Finding all our different information on AD CS and PKI can be challenging, so this reorganization...

Windows Server 2012 System State Backup allows an administrator to back-up several Operating System components including those required for a successful restore of a Certification Authority. Any certification authority backup should include the private...

I have consolidated and updated two command line utilities recently: Certreq Certutil I took all the older links that I could find and pointed them to the locations above and then pointed out to the examples that we have already. Feel free to...

It is very common to check the configuration of any certification authority using certutil –getreg command. The command will allow a CA administrator to view the configured settings at a glance. But what if you need to configure advanced...

Many customers must perform a regulatory audit annually to comply with industry standards and business trends. Recently I was contacted by one of my customers, who was not able to view all of Certificate Revocation Lists (CRLs) issued by their Enterprise...

Hi there, I am a test engineer in the Windows team working on certificate enrollment related areas. Today I want to talk about certificates for Windows RT devices Windows RT devices run on ARM processor , which is different from a typical computer...

A new feature is available in Windows Server 2012 and Windows 8 that allows you to protect exported PFX files (those in PKCS#12) to Active Directory Domain Services (AD DS) accounts. The feature is available only if you have a Windows Server 2012 domain...

Microsoft released a security advisory, KB article, and software update for all supported versions of Windows that blocks RSA certificates with keys less than 1024 bits. The software update was released to the Download Center. The security advisory...

On August 14, 2012, Microsoft will issue a critical non-security update (KB 2661254) for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use...

Fabian Müller, Premier Field Engineer (PFE) in Germany, just wrote a detailed article discussing a commonly asked question: how do I determine if a smart card was used for logon ? The article is posted on the TechNet Wiki with a link to the Script...

Public key based cryptographic algorithms strength is determined based on the time taken to derive the private key using brute force methods. The algorithm is deemed to be strong enough when the time required to derive private key is prohibitive enough...

There are a number of known untrusted certificates and compromised keys that have been issued by standard trusted root certification authorities. To help customers avoid interacting with these untrusted or compromised certificates and keys, an Automatic...

During my work with a customer renewing their Issuing CA’s certificate based on the steps documented in this article , I discovered that the Request file generated couldn’t be located in the default location of %systemDrive% . The Issuing...

I was recently helping a customer deploy a SHA-256 based PKI. As part of the retirement of their old PKI, we reissued the code signing certificates used by their developers. We found that the Visual Studio 2010 developers had no issue with the new code...

Starting with Windows Vista and Windows Server 2008, the option to utilize Key Storage Providers (KSPs) in addition to Cryptographic Service Providers (CSPs) was added. These options are available when you create a Certificate Template and configure the...

The Network Device Enrollment Service (NDES) whitepaper is now on the TechNet Wiki and I have already made a few updates that were requested. The old download center location has been updated to reflect that we've posted to the update to the TechNet Wiki...

Amer Kamal recently posted two articles regarding the security and maintenance of offline CAs based on frequently asked questions from customers. These articles posted as: Security Best Practices for Offline CAs and Offline CA Maintenance Tasks...

A follow-up document to the original HSPD-12 Logical Access Authentication and Active DIrectory Domains document has just been posted to the download center. The follow-up document demonstrates the increased flexibility of FIPS 201 PIV-II compliant smart...

Important notice : Microsoft does not support any apple products, if you need to troubleshoot any problem related to apple products, please refer to http://www.apple.com/support I am often asked by customers how to deploy certificates to iPads using...

Jonathan Stephens posted an excellent Blog about this topic ; however, it didn’t include the steps. As a result, I decided to type this Blog detailing the steps required. The following assumptions have to be met before proceeding with these steps...

If a Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key Service Provider (KSP), the certutil -RecoverKey command will by default recover a key as a CNG certificate. This default behavior could cause an issue if...

Microsoft MVP, Vadims Podans , has written and posted a Windows PowerShell script that can be used to setup a certification authority (CA). He posted his Windows PowerShell Script on the TechNet Script Repository as Setup Certification Authority with...

I am often asked when talking to my customers about the differences between Key Recovery and Data Recovery for encrypted files, in addition to which method to use. As a result, This Blog will focus on both areas, explaining the differences and best practices...

The Windows KB article 889250 titled "How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows Server 2000" has been revised on the TechNet Wiki to include information...