A common question from certification authority administrators is "Does Enterprise PKI (PKIView) support OCSP?" Yes, the Microsoft Management Console (MMC) Enterprise PKI ( PKIView ), supports the When setting up Certificate Extensions, you must ensure...

Ingolfur has written a blog post as well as a TechNet Wiki article describing how a Windows Server 2008 R2 certification authority (CA) parses certificates, especially those from a third-party (3rd party) non-Microsoft CA. He also covers the Key Distribution...

If you are using Windows Developer Preview and have difficulty obtaining or downloading a certificate using Internet Explorer 10 (IE 10), try using compatibility mode. Turning on Compatibility View is the same in IE10 as in IE9, so you can follow the...

If you run into an issue where you are unable to download or save certificates using Internet Explorer 9 (IE 9) and the Certificate Authority Web Enrollment service of a certification authority, you should be sure to disable the enhanced security option...

If you have commonly asked questions about certificate services or PKI that you think should be listed in the Active Directory Certificate Services Frequently Asked Questions (AD CS FAQ ) list, I encourage you to submit them to the TechNet Wiki posting...

The following documentation updates have been recently made: AD CS: Deploying Cross-forest Certificate Enrollment - updated with a link to the download center version of the document Additional documents added to the "future" consolidated download...

An important security update, described in MS11-051 ( http://go.microsoft.com/fwlink/?LinkId=217101 ) was released today. The update fixes a cross-site scripting vulnerability in the sample web enrollment ASP pages that are part of Active Directory Certificate...

LDAP over SSL (LDAPS) is becoming an increasingly hot topic - perhaps it is because Event Viewer ID 1220 is catching people's attention in the Directory Service Log or just that people are wanting the client to server LDAP communication encrypted. The...

Background On December 1, 2010 the Federal PKI Management Authority (FPKIMA), in compliance with NIST guidance , created a new SHA-256 Federal Common Policy root certification authority. Windows Update will include the new Federal Common Policy Root...

Hi there, this is Larry, Developer from US, and Fabian, PFE from Germany, writing about an uncommon scenario that might raise questions sometimes. When enrolling certificates to clients or users, you might want to have control regarding the initial...

PKIVIEW was first introduced in Windows Server 2003 Resource kit. The tool is installed by default when you install the Windows 2008 Active Directory Certificate Services Role, and had been re-branded as "Enterprise PKI". The tool is implemented as a...

An active member of our community developed a very handy tool to verify - or let's actually say monitor - the validity of SSL server certificates. After downloading and extracting the the ZIP-file the tool is quite self explanatory. Press CTRL+A or click...

Since my last post about SHA2 and Windows I’ve received numerous questions from customers and partners around three particular scenarios. This post will try to address those questions. Windows XP/2003 Enrollment in SHA2 Signed Certificates...

UPDATE (2/8): Based on some recent questions, additional information has been posted about SHA2 and Windows. Introduction We’ve recently received a couple of requests from customers around the functionality of SHA-256 when running on Windows...

A new version of the Certificate Services Monitoring Management Pack became available. Get more information from the Management Pack Catalog or the Microsoft Download Center .

If you are unsure regarding the Microsoft Certificate server virtualization policy, just see the Microsoft Virtual Server support policy knowledgebase article at http://support.microsoft.com/kb/897613 . It is worth to mention that a hardware security...

[EDIT 2/20/2012] This problem has recently been resovled in a hotfix update. S ystem state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2 - http://support.microsoft.com/kb/2603469 Backing up a Windows...

Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP and DCOM based enrollment The information was developed by Microsoft Consultant Services during one of our customer engagements ...

Environmental Dependencies: 1- Determine if the Active Directory Forest has Windows 2000 Domain Controllers. This is important because of modifications to the CertPublishers group scope, and permissions related to the AdminSDHolder role. These permissions...

Recently, we’ve had a deluge of questions regarding chain building and selection, especially in the presence of cross-certified certificates. Hopefully, this post will make Crypto API 2 (CAPI2) chaining logic clearer and help enterprise admins design and troubleshoot their public key infrastructure....

This script writes a Certification Authority's Certificate Revocation List to HTTP based CRL Distribution Points via a UNC path. It checks to make sure that the copy was successful and that the CDPs have not and are not about to expire. Alerts/status...

Today many servers require some sort of SSL certificate to be deployed and in many cases custom names are involved. My colleague just published a document How to Request a Certificate With a Custom Subject Alternative Name that I strongly recommend reading...

Introduction: When designing a public key infrastructure (PKI) for your organization, you must develop an effective disaster recovery plan to ensure that, in the event of failure of the computer hosting Certificate Services, you can recover in a timely...

The official version of the new 2008 R2 ADCS Migration Guide is now available at http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx . The guide describes the necessary steps for a successful migration of both enterprise and standalone...

There are two types of certification authorities: Standalone and Enterprise. Only Enterprise certification authorities have been tested for clustered installations. A very short but may be important statement.