I was recently helping a customer deploy a SHA-256 based PKI. As part of the retirement of their old PKI, we reissued the code signing certificates used by their developers. We found that the Visual Studio 2010 developers had no issue with the new code...

Starting with Windows Vista and Windows Server 2008, the option to utilize Key Storage Providers (KSPs) in addition to Cryptographic Service Providers (CSPs) was added. These options are available when you create a Certificate Template and configure the...

The Network Device Enrollment Service (NDES) whitepaper is now on the TechNet Wiki and I have already made a few updates that were requested. The old download center location has been updated to reflect that we've posted to the update to the TechNet Wiki...

Amer Kamal recently posted two articles regarding the security and maintenance of offline CAs based on frequently asked questions from customers. These articles posted as: Security Best Practices for Offline CAs and Offline CA Maintenance Tasks...

A follow-up document to the original HSPD-12 Logical Access Authentication and Active DIrectory Domains document has just been posted to the download center. The follow-up document demonstrates the increased flexibility of FIPS 201 PIV-II compliant smart...

Important notice : Microsoft does not support any apple products, if you need to troubleshoot any problem related to apple products, please refer to http://www.apple.com/support I am often asked by customers how to deploy certificates to iPads using...

Jonathan Stephens posted an excellent Blog about this topic ; however, it didn’t include the steps. As a result, I decided to type this Blog detailing the steps required. The following assumptions have to be met before proceeding with these steps...

If a Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key Service Provider (KSP), the certutil -RecoverKey command will by default recover a key as a CNG certificate. This default behavior could cause an issue if...

Microsoft MVP, Vadims Podans , has written and posted a Windows PowerShell script that can be used to setup a certification authority (CA). He posted his Windows PowerShell Script on the TechNet Script Repository as Setup Certification Authority with...

I am often asked when talking to my customers about the differences between Key Recovery and Data Recovery for encrypted files, in addition to which method to use. As a result, This Blog will focus on both areas, explaining the differences and best practices...

The Windows KB article 889250 titled "How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows Server 2000" has been revised on the TechNet Wiki to include information...

A common question from certification authority administrators is "Does Enterprise PKI (PKIView) support OCSP?" Yes, the Microsoft Management Console (MMC) Enterprise PKI ( PKIView ), supports the When setting up Certificate Extensions, you must ensure...

Ingolfur has written a blog post as well as a TechNet Wiki article describing how a Windows Server 2008 R2 certification authority (CA) parses certificates, especially those from a third-party (3rd party) non-Microsoft CA. He also covers the Key Distribution...

If you are using Windows Developer Preview and have difficulty obtaining or downloading a certificate using Internet Explorer 10 (IE 10), try using compatibility mode. Turning on Compatibility View is the same in IE10 as in IE9, so you can follow the...

If you run into an issue where you are unable to download or save certificates using Internet Explorer 9 (IE 9) and the Certificate Authority Web Enrollment service of a certification authority, you should be sure to disable the enhanced security option...

If you have commonly asked questions about certificate services or PKI that you think should be listed in the Active Directory Certificate Services Frequently Asked Questions (AD CS FAQ ) list, I encourage you to submit them to the TechNet Wiki posting...

The following documentation updates have been recently made: AD CS: Deploying Cross-forest Certificate Enrollment - updated with a link to the download center version of the document Additional documents added to the "future" consolidated download...

An important security update, described in MS11-051 ( http://go.microsoft.com/fwlink/?LinkId=217101 ) was released today. The update fixes a cross-site scripting vulnerability in the sample web enrollment ASP pages that are part of Active Directory Certificate...

LDAP over SSL (LDAPS) is becoming an increasingly hot topic - perhaps it is because Event Viewer ID 1220 is catching people's attention in the Directory Service Log or just that people are wanting the client to server LDAP communication encrypted. The...

Background On December 1, 2010 the Federal PKI Management Authority (FPKIMA), in compliance with NIST guidance , created a new SHA-256 Federal Common Policy root certification authority. Windows Update will include the new Federal Common Policy Root...

Hi there, this is Larry, Developer from US, and Fabian, PFE from Germany, writing about an uncommon scenario that might raise questions sometimes. When enrolling certificates to clients or users, you might want to have control regarding the initial...

PKIVIEW was first introduced in Windows Server 2003 Resource kit. The tool is installed by default when you install the Windows 2008 Active Directory Certificate Services Role, and had been re-branded as "Enterprise PKI". The tool is implemented as a...

An active member of our community developed a very handy tool to verify - or let's actually say monitor - the validity of SSL server certificates. After downloading and extracting the the ZIP-file the tool is quite self explanatory. Press CTRL+A or click...

Since my last post about SHA2 and Windows I’ve received numerous questions from customers and partners around three particular scenarios. This post will try to address those questions. Windows XP/2003 Enrollment in SHA2 Signed Certificates...

UPDATE (2/8): Based on some recent questions, additional information has been posted about SHA2 and Windows. Introduction We’ve recently received a couple of requests from customers around the functionality of SHA-256 when running on Windows...