This document explains the interdependencies between Active Directory Domain Services (AD DS) and Public Key Infrastructure (PKI) related to Homeland Security Presidential Directive 12 (HSPD-12) smart card logon. Topics concerning the Federal PKI Common...

Below are some numbers we have measured when testing the Windows CA in our lab environment. Note that the numbers will change and depends on many factors (network topology, request types, other server workloads, etc.) However, the numbers are a good...

The colleagues from the AskDS blog posted a quite valuable article about Clustered CA maintenance tasks .

The beta version of the new 2008 R2 ADCS Migration Guide is now available at http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx . The guide describes the necessary steps for a successful migration of enterprise or standalone CAs from Windows...

There have been a number of questions about Active Directory (AD) schema requirements for the Windows PKI features so I decided this deserves a blog post. Cheat sheet 1. Version 2 and Version 3 certificate templates require Windows Server 2003 (version...

The following text is a simple copy/paste from the TechNet article How Certificates Work (section How Certificates are Created ). Why am I posting this information to the blog? Quite simple: I recognize that it is often overlooked that the key pair generation...

A whitepaper on Certificate Revocation Checking in Windows Vista and Windows Server 2008 has been publshed on Technet here - http://technet.microsoft.com/en-us/library/ee619730(WS.10).aspx Topics in this whitepaper include: · What’s new in Windows...

On May 9th, 2009 Entrust Managed Services (provider of HSPD-12 certificates) performed a key update ceremony on the Entrust Managed Services Root and SSP certification authorities. HSPD-12 certificates issued after May 9th, 2009 will not work on the Windows...

A new deployment guide was published on Windows7 BranchCache. It covers the PKI requirements for this feature along with other deployment procedures. The full guide can be found here: BranchCache Deployment Guide for Windows Server 2008 R2...

WARNING: USE OF THE SAMPLE CODE PROVIDED IN THIS ARTICLE IS AT YOUR OWN RISK. Microsoft provides this sample code "as is" without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability and...

In my previous post I provided a script used for setup and installation of a CA using VBScript. The same script is capable of installing a CA on server core, where there is no UI available for installing. With the script and a few possible additional...

Starting with Windows Server 2008 the CA product team introduced a set of COM objects that can be used to control the installation of CAs. Using VBScript you can quickly automate the setup and installation of a CA.Below is a script that is being used...

If you are interested in reading more official Microsoft Team blogs, see http://blogs.technet.com/blogms/pages/directory-of-microsoft-team-blogs.aspx . This page is a great collection of valuable blog information.

The Windows Server 2008 R2 Certificate Enrollment Web Services Whitepaper has been posted to the download center: you can download it here . This is just the initial document release for RTM.  We plan to publish the content to various Technet locations...

I’ve been working with our support folks helping one of our customers. One of the things we wanted to learn about the environment is how many requests have been made for each certificate template that they issue. We have come up with this PowerShell script...

We’ve had many requests for what services and features are available in what Windows Server version and SKU. The TechNet Wiki article Active Directory Certificate Services Overview has this information under Features of AD CS in Different OS...

Subscribe to Vishal’s blog at http://blogs.technet.com/vishalagarwal/ for real good certificate and CA management scripts. More posts to come …

We’ve just updated the Beta version of the cross-forest certificate enrollment white paper. In addition to fixing some of the bugs we had in the previous version, we’ve added sections around supporting selective authentication, enrollment web pages, and...

Here is a great post by one of my colleagues on how to create a self-signed certificate using PowerShell: http://blogs.technet.com/vishalagarwal/archive/2009/08/22/generating-a-certificate-self-signed-using-powershell-and-certenroll-interfaces.aspx .

Offline templates are certificate templates that require the subject name to be part of the certificate request. The certificate authority will use the subject name supplied in the request as the subject name of the certificate to issue. This is different...

I have just updated this paper. Here is the latest draft: http://go.microsoft.com/fwlink/?LinkID=93875 . In this paper, we cover Network Device Enrollment Service that allows certificate enrollment through the Simple Certificate Enrollment Protocol (...

The Active Directory team has published a new blog post how to configure Extended Validation support for websites using internal certificates .

One of our collegues posted an interesting blog entry on CA scalability testing: http://blogs.technet.com/wincat/archive/2009/08/10/scale-testing-the-world-s-largest-pki-all-running-on-ws08r2-and-hyper-v.aspx . Alex Radutskiy Program Manager, Windows...

The following problem affects a Certification authority running on the 64-bit edition of Windows Server 2008 and Windows Server 2008 R2. The problem does not occur on x86 (32-bit) platform of both operating systems. When installing a subordinate enterprise...

It came to my attention that there is little understanding regarding the relationship between archived private keys and Key Recovery Agent (KRA) certificates. With this blog post I would like to clarify what you can expect from the recovery mechanism...