Windows PKI blog
News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals
A Certificate could not be created
Active Directory Domain Services
AD CS documentation updates
Advanced CA Configuration
automatic updater of CTL
Backup Private Keys ADCS 2008 R2 p12 CA
blocking less than 1024 bit keys
blocking less than 1024 bit RSA keys
blocking weak keys
certificate export wizard
Certificate Revocation List
certificate services questions
decomission CA Windows Server 2008 R2
determine if used
does not work
EFS Key Recover
Encrypted File System
Event ID 29
fails does not work IE 9 Internet Explorer 9 Certificate Authority Web Enrollment
Homeland Security Presidential Directive 12
Internet Explorer 10
LDAP SSL LDAPS
OCSP PKIVIEW certificate certification authority snap-in
offline CA maintenance
PKI documentation and Reference Library
Public Key Infrastructure
security update pki web services enrollment
SHA2 NIST SP800-78-2 SP800-57
smart card logon
Browse by Tags
Windows PKI blog
Tagged Content List
Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One
Jonathan Stephens posted an excellent Blog about this topic ; however, it didn’t include the steps. As a result, I decided to type this Blog detailing the steps required. The following assumptions have to be met before proceeding with these steps: 1- There is a new valid Certification Authority...
27 Jan 2012
Automated CA installs using VB script on Windows Server 2008 and 2008R2 [UPDATED]
Starting with Windows Server 2008 the CA product team introduced a set of COM objects that can be used to control the installation of CAs. Using VBScript you can quickly automate the setup and installation of a CA.Below is a script that is being used by the product team in our testing of Certificate...
18 Sep 2009
How to configure the Windows Server 2008 CA Web Enrollment Proxy
A co-worker posted an interesting blog about configuring the Windows Server 2008 CA Web Enrollment proxy at http://blogs.technet.com/askds/archive/2009/04/22/how-to-configure-the-windows-server-2008-ca-web-enrollment-proxy.aspx .
23 Apr 2009
Certificate distribution and the Microsoft Terminal Services Client
A few days ago I worked in a test environment that also consists of a PKI. I used the Microsoft Terminal Services Client (mstsc.msc) for a while to connect to various machines in the test environment. One day, I helped a coworker troubleshooting a certificate problem in the test environment. From his...
9 Feb 2009
Certificate Services setup failed with the following error: Element not found. 0x80070490
Until Windows Server 2008 shipped, every Domain Controller had a readable and writable copy of the Active Directory schema, domain naming context and configuration naming context. This statement changed when we introduced the Read Only Domain Controller (RODC) role with Windows Server 2008. The RODC...
26 Jan 2009
How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003
Today I want to comment on the quite popular Microsoft Knowledgebase article How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server . I am referring to version 6.0 of the article with a review date of...
18 Jan 2009
Suppressing certificate attributes in a CA certificate request
When a PKCS#10 request for a CA certificate is generated, a pre-defined set of certificate attributes is included. This blog entry explains how to eliminate attributes that would go into the CA certificate request by default. Imagine that you are setting up a new subordinate CA where the parent CA is...
5 Oct 2008
You cannot add V2 or V3 templates after an inplace upgrade was performed on a Windows Server 2008 enterprise CA
Technically, it is possible to install an enterprise CA on a Windows Server Standard edition. With this configuration, enterprise features of the certification authority are intentionally not available. To enable the CA enterprise features, it is required to upgrade a Windows Server from Standard to...
31 Jul 2008
How EffectiveDate (thisupdate), NextUpdate and NextCRLPublish are calculated
The validity time of a certificate revocation list (CRL) is critical for every public key infrastructure. By default, most applications verify the validity of certificates against a CRL. Two CRL types exist: base CRLs and delta CRLs. In case where no delta CRL is used, certificates are treated as...
4 Jun 2008
How to refresh the CRL cache on Windows Vista
By default, Windows is caching Certificate Revocation Lists (CRL) and CA certificates to quickly verify certificate chains. The downside of this behavior is that a newer CRL is not picked up by the client until the locally cached CRL has expired. Windows versions before Windows Vista do not support deletion...
13 Sep 2007
How to re-install the default certificate templates?
When you launch the certificate templates MMC snap-in (certtmpl.msc) for the first time, the certificate templates are installed automatically in the background. Installing the templates is independent of the availability of an enterprise CA. Enterprise Administrator permissions are required to successfully...
6 Aug 2007
The missing EDIT button in the CA properties extensions tab
To adjust the CRL and AIA distribution point there are at least three choices to do it. The most familiar way to change the distribution point might be through the CA MMC user interface. The second way is to directly change the registry key CACertPublicationURLs or CRLPublicationURLs with regedit.exe...
27 May 2007
Manually publishing a CA certificate or CRL into a LDAP store
The CA is automatically publishing its own certificates and related CRLs into Active Directory if a LDAP reference is configured in the CA property “Extensions”. If you are using a different LDAP server (such as Microsoft ADAM ) to make the CA certificate and CRL available, certificates and CRLs must...
13 Apr 2007
How to find out the max size of certificate attributes
The other day I was asked how many subject alternate names will fit into a single certificate. I asked myself what the best way would be to find out. After a short time of thinking I decided to look at the schema defintion of the CA database. The schema will tell for sure how many characters fit into...
26 Feb 2007
How to exclude the certificate template name from certificates to be issued
By default, a Windows CA enterprise CA adds information about the used certificate template to issued certificates. These certificate attributes are especially important to perform certificate autoenrollement. However, in heterogeneous environments you may have the requirement not to include the certificate...
3 Jan 2007
A file distribution point must follow the UNC syntax
Several whitepapers explain the three valid protocols (HTTP, LDAP or FILE) to retrieve a Certificate Revocation List (CRL) or the Authority Information Access (AIA). However, none of these whitepapers is specific about the syntax for the file protocol (file://). The simple answer is that a CRL or...
4 Dec 2006
Page 1 of 1 (16 items)
© 2013 Microsoft Corporation.
Privacy & Cookies