Windows PKI blog
News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals
Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 3: Key Attestation
Posted 4 months ago by WesH [MSFT] (3 Comments)
Hey Everyone, I am back with the last part of this 3 of this series on TPM protected certificates. The last topic for this series is on Key Attestation. Recently I have had a few people ask me about the Key Attestation tab in Windows Server 2012 R2. Another...
Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 2: Virtual Smart Cards
Posted 6 months ago by WesH [MSFT] (10 Comments)
Hey Everyone, I am back with part 2 of this 3 part series on TPM protected certificates. The topics covered in this are related to Virtual Smart Cards, their benefits, and lastly their limitations. I will also cover how to create a Virtual Smart Cards...
Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 1: Microsoft Platform Crypto Provider
Posted 7 months ago by WesH [MSFT] (5 Comments)
Hey Everyone, This is Wes Hammond with Premier Field Engineering back to share what I have learned about protecting digital certificates using the Trusted Platform module in Windows desktops, laptops and servers. This is part one of a three part series...
Windows Server 2012 R2/IIS8.5 - Automatic Rebind of Renewed Certificates
Posted 9 months ago by Amerk [MSFT] (2 Comments)
Hello All, This is Wes Hammond with Premier Field Engineering back with follow up to a previous blog about automatic renewal of web site certificates. The original blog can be found in the references below. IIS 8.5 in Windows Server 2012 R2 includes...
Constraints: what they are and how they’re used
Posted 11 months ago by Amerk [MSFT] (4 Comments)
Hey everyone this is Wes Hammond from Premier Field Engineering and I wanted to share with you some info that I have gathered about setting up constraints. What are Constraints? Constraints are used to restrict certificate authorities that you DO...
A novel method in IE11 for dealing with fraudulent digital certificates
Posted 11 months ago by Saboori Anoosh (15 Comments)
Digital certificates are a key mechanism for establishing identity on the Internet. Trust in these certificates is a result of trusting the issuing entity - the Certification Authority (CA). Unfortunately, as a result of a number of CA related incidents...
[CrossPost] Microsoft PKI OCSP Responder Now JITC Certified and Lab Setup Guide
Posted over 1 year ago by Adam Stasiniewicz (1 Comment)
For those that missed the big news on the Ask Premier Field Engineering (PFE) Platforms blog, our OCSP responder is now JITC certified. This certification is important for customers looking to deploy our OCSP responder in US DoD environments. Jesse Esquivel...
SHA1 Deprecation Policy
Posted over 1 year ago by Amerk [MSFT] (89 Comments)
Today Microsoft has announced a new policy for Certificate Authorities (CAs) that deprecates the use of the SHA1 algorithm in SSL and code signing certificates, in favor of SHA2. The policy affects CAs who are members of the Windows Root Certificate Program...
Upgrade Certification Authority to SHA256
Posted over 1 year ago by Amerk [MSFT] (12 Comments)
A common question in the field is about upgrading a certification authority running on Windows Server 2003 to use Crypto Next Generation (CNG) to support SHA256. CNG was introduced in Windows Server 2008 and higher operating systems, as a result, an upgrade...
Renew Web Server (SSL) Certificates Automatically
Posted over 1 year ago by Amerk [MSFT] (11 Comments)
Working with Internet Information Services (IIS) certificates can be a bit challenging especially during renewal time. Most organizations do not track Web SSL certificates which in turn might expire and cause an unplanned outage. Those who track this...
Windows PowerShell CRL Copy v2 posted to the gallery
Posted over 1 year ago by Kurt L Hudson MSFT (1 Comment)
Paul Fox has uploaded a revision of his former Windows PowerShell CRL Copy script. The new script is posted at the TechNet Gallery as Windows PowerShell Copy 2. The Windows PowerShell script monitors the remaining lifetime of a CRL, publishes a CRL to...
PKI Library (PKI Documentation and Reference Library Updated)
Posted over 1 year ago by Kurt L Hudson MSFT (3 Comments)
Tonight I spent a couple of hours reorganizing the PKI Documentation and Reference Library. I also created a vanity short URL to it http://aka.ms/pkilibrary. Finding all our different information on AD CS and PKI can be challenging, so this reorganization...
Windows Server 2012 Active Directory Certificate Services System State Backup and Restore
Posted over 1 year ago by Amerk [MSFT] (4 Comments)
Windows Server 2012 System State Backup allows an administrator to back-up several Operating System components including those required for a successful restore of a Certification Authority. Any certification authority backup should include the private...
Certutil and Certreq
Posted over 1 year ago by Kurt L Hudson MSFT (15 Comments)
I have consolidated and updated two command line utilities recently: Certreq Certutil I took all the older links that I could find and pointed them to the locations above and then pointed out to the examples that we have already. Feel free to...
Query for Advanced CA Configuration Options
Posted over 2 years ago by Amerk [MSFT] (2 Comments)
It is very common to check the configuration of any certification authority using certutil –getreg command. The command will allow a CA administrator to view the configured settings at a glance. But what if you need to configure advanced...
Viewing Expired Certificate Revocation List (CRL)
Posted over 2 years ago by Amerk [MSFT] (2 Comments)
Many customers must perform a regulatory audit annually to comply with industry standards and business trends. Recently I was contacted by one of my customers, who was not able to view all of Certificate Revocation Lists (CRLs) issued by their Enterprise...
Certificate for WinRT devices and non-domain member devices
Posted over 2 years ago by Chunhua Chen
Hi there, I am a test engineer in the Windows team working on certificate enrollment related areas. Today I want to talk about certificates for Windows RT devices Windows RT devices run on ARM processor, which is different from a typical computer...
Group Protected PFX
Posted over 2 years ago by Kurt L Hudson MSFT
A new feature is available in Windows Server 2012 and Windows 8 that allows you to protect exported PFX files (those in PKCS#12) to Active Directory Domain Services (AD DS) accounts. The feature is available only if you have a Windows Server 2012 domain...
Blocking RSA keys less than 1024 bits (part 3)
Posted over 2 years ago by Kurt L Hudson MSFT
Microsoft released a security advisory, KB article, and software update for all supported versions of Windows that blocks RSA certificates with keys less than 1024 bits. The software update was released to the Download Center. The security advisory...
Blocking RSA Keys less than 1024 bits (part 2)
Posted over 2 years ago by Kurt L Hudson MSFT
On August 14, 2012, Microsoft will issue a critical non-security update (KB 2661254) for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use...
How to determine if a smart card was used for logon
Posted over 2 years ago by Kurt L Hudson MSFT
Fabian Müller, Premier Field Engineer (PFE) in Germany, just wrote a detailed article discussing a commonly asked question: how do I determine if a smart card was used for logon? The article is posted on the TechNet Wiki with a link to the Script...
RSA keys under 1024 bits are blocked
Posted over 2 years ago by Kurt L Hudson MSFT (60 Comments)
Public key based cryptographic algorithms strength is determined based on the time taken to derive the private key using brute force methods. The algorithm is deemed to be strong enough when the time required to derive private key is prohibitive enough...
Announcing the automated updater of untrustworthy certificates and keys
Posted over 2 years ago by Kurt L Hudson MSFT (16 Comments)
There are a number of known untrusted certificates and compromised keys that have been issued by standard trusted root certification authorities. To help customers avoid interacting with these untrusted or compromised certificates and keys, an Automatic...
Request File Can’t be Located during CA Certificate Renewal
Posted over 2 years ago by Amerk [MSFT] (4 Comments)
During my work with a customer renewing their Issuing CA’s certificate based on the steps documented in this article, I discovered that the Request file generated couldn’t be located in the default location of %systemDrive%. The Issuing...
Visual Basic for Applications and SHA2
Posted over 2 years ago by Adam Stasiniewicz
I was recently helping a customer deploy a SHA-256 based PKI. As part of the retirement of their old PKI, we reissued the code signing certificates used by their developers. We found that the Visual Studio 2010 developers had no issue with the new code...