Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

Related Posts
  • Blog Post: Blocking RSA Keys less than 1024 bits (part 2)

    On August 14, 2012, Microsoft will issue a critical non-security update (KB 2661254) for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use of cryptographic keys that are less than 1024 bits...
  • Blog Post: How to determine if a smart card was used for logon

    Fabian Müller, Premier Field Engineer (PFE) in Germany, just wrote a detailed article discussing a commonly asked question: how do I determine if a smart card was used for logon? The article is posted on the TechNet Wiki with a link to the Script Center for your convenience. Check out the article...
  • Blog Post: Certutil and Certreq

    I have consolidated and updated two command line utilities recently: Certreq and Certutil. I took all the older links that I could find and pointed them to the locations above and then pointed out to the examples that we have already. Feel free to give me feedback on these consolidated documents...
  • Blog Post: How EffectiveDate (thisupdate), NextUpdate and NextCRLPublish are calculated

    The validity time of a certificate revocation list (CRL) is critical for every public key infrastructure. By default, most applications verify the validity of certificates against a CRL. Two CRL types exist: base CRLs and delta CRLs. In cases where no delta CRL is used, certificates are treated as...
  • Blog Post: Blocking RSA keys less than 1024 bits (part 3)

    Microsoft released a security advisory, KB article, and software update for all supported versions of Windows that blocks RSA certificates with keys less than 1024 bits. The software update was released to the Download Center. The security advisory is located at http://technet.microsoft.com/security...
  • Blog Post: PKI Library (PKI Documentation and Reference Library Updated)

    Tonight I spent a couple of hours reorganizing the PKI Documentation and Reference Library. I also created a vanity short URL to it: http://aka.ms/pkilibrary. Finding all our different information on AD CS and PKI can be challenging, so this reorganization will hopefully help you. If you see articles...
  • Blog Post: Windows PowerShell CRL Copy v2 posted to the gallery

    Paul Fox has uploaded a revision of his former Windows PowerShell CRL Copy script. The new script is posted at the TechNet Gallery as Windows PowerShell Copy 2. The Windows PowerShell script monitors the remaining lifetime of a CRL, publishes a CRL to a UNC and/or NTFS location and sends notifications...
  • Blog Post: Announcing the automated updater of untrustworthy certificates and keys

    There are a number of known untrusted certificates and compromised keys that have been issued by standard trusted root certification authorities. To help customers avoid interacting with these untrusted or compromised certificates and keys, an Automatic Updater of revoked certificates is now available...
  • Blog Post: HSPD-12 Logical Access Authentication and 2008 Active Directory Domains on Download Center

    A follow-up document to the original HSPD-12 Logical Access Authentication and Active Directory Domains document has just been posted to the download center. The follow-up document demonstrates the increased flexibility of FIPS 201 PIV-II compliant smart cards with Windows Server® 2008 R2 Active...
  • Blog Post: RSA keys under 1024 bits are blocked

    The strength of public key based cryptographic algorithms is determined by the time taken to derive the private key using brute force methods. An algorithm is deemed strong enough when the time required to derive the private key is prohibitive given the computing power at an attacker's disposal. The threat...
  • Blog Post: Query for Advanced CA Configuration Options

    It is very common to check the configuration of a certification authority using the certutil -getreg command. The command allows a CA administrator to view the configured settings at a glance. But what if you need to configure advanced settings on your CA? How can you find a setting...
  • Blog Post: Group Protected PFX

    A new feature is available in Windows Server 2012 and Windows 8 that allows you to protect exported PFX files (those in PKCS#12) to Active Directory Domain Services (AD DS) accounts. The feature is available only if you have a Windows Server 2012 domain controller deployed in your network. The TechNet...