The Internet Information Server (IIS) and Microsoft Internet Security and Acceleration (ISA) provide wizards in the administration user interface to request and install SSL certificates. With this blog post I want to explain how to request a SSL server...

I came across two valuable blog posts from my co-worker Morello. The articles have been posted to the Windows Server Customer engineering blog – check them out! CRL freshness checking scripts To Cluster or Not to Cluster CAs

Strong key protection is one of the most misunderstood features in Windows security. In this post I will attempt to demystify it. I will also try to address some of the misconceptions about this feature that I’ve come across on the security discussion...

The TechNet Magazine released a new article about the PKI Enhancements in Windows 7 and Windows Server 2008 R2 in the May 2009 issue.

Back in the year 2003 we have published information about the CA performance and how it is impacted by various factors. The TechNet article is called Evaluating CA Capacity, Performance, and Scalability and is more or less still valid. You may transform...

Attending TechEd 2009 next week? If you or your customers are around on Monday 5/11, I (objectively) recommend attendance at the “ PKI in a Web Services World ” breakout session from 2:45-4PM in room 408A. This session is our first public breakout for...

A co-worker posted an interesting blog about configuring the Windows Server 2008 CA Web Enrollment proxy at http://blogs.technet.com/askds/archive/2009/04/22/how-to-configure-the-windows-server-2008-ca-web-enrollment-proxy.aspx .

I'm happy to announce the availability of the Suite B PKI in Windows Server 2008 whitepaper. The paper was written to provide information that could benefit those looking to implement strict Suite B cryptographic functionality within their own PKI deployments...

A few days ago I worked in a test environment that also consists of a PKI. I used the Microsoft Terminal Services Client (mstsc.msc) for a while to connect to various machines in the test environment. One day, I helped a coworker troubleshooting a certificate...

Until Windows Server 2008 shipped, every Domain Controller had a readable and writable copy of the Active Directory schema, domain naming context and configuration naming context. This statement changed when we introduced the Read Only Domain Controller...

I am excited to announce the public availability of the Cross-forest Certificate Enrollment with Windows Server 2008 R2 whitepaper. The product team worked hard to make this breakthrough functionality happen in Windows Server 2008 R2 . Now is the time...

Today I want to comment on the quite popular Microsoft Knowledgebase article How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server . I am referring...

Those of you who are interested in biometrics should look at the following documents: Introduction to the Windows Biometric Framework (WBF) New Windows Biometric Framework and Driver Model Windows 7 Beta WDK

Consider that you are sending an encrypted eMail to a recipient who has multiple certificates stored in Active Directory. The key question is: Which certificates are selected by Outlook 2003/2007? When sending an encrypted eMail, Outlook actually requires...

The friendly name of a certificate can be helpful if multiple certificates with a similar subject exist in a certificate store. One way to set the friendly name is through the certificate MMC SnapIn. Alternatively certutil.exe can be used in the following...

When a PKCS#10 request for a CA certificate is generated, a pre-defined set of certificate attributes is included. This blog entry explains how to eliminate attributes that would go into the CA certificate request by default. Imagine that you are setting...

Windows Vista and Windows Server 2008 have a convenient user interface to create custom certificate requests. This is especially helpful since computer certificate enrollment through the web enrollment pages was discontinued from Windows Server 2008 and...

A while ago I explained how to determine all certificates that will expire within a given period. Now I’d like to explain how to query the CA database based on certificate or request disposition. The disposition ID’s are defined in the certsrv.h include...

You may be interested in one of our upcoming sessions that is focused on PKI design and is available for registration here: http://blogs.technet.com/mcstalks/archive/2008/09/02/session-4-details-security-and-pki-registration-now-available.aspx

Technically, it is possible to install an enterprise CA on a Windows Server Standard edition. With this configuration, enterprise features of the certification authority are intentionally not available. To enable the CA enterprise features, it is required...

The validity time of a certificate revocation list (CRL) is critical for every public key infrastructure. By default, most applications verify the validity of certificates against a CRL. Two CRL types exist: base CRLs and delta CRLs. In case where...

This blog-entry has two purposes: 1) make you aware of the two new whitepapers that have been just released: Active Directory Certificate Services Upgrade and Migration Guide Configuring and Troubleshooting Certification Authority Clustering in Windows...

Woudn't it be interesting for the CA admin to know which certificates are expiring in the near future? If autoenrollment is not eanbled, certificate users should be informed in advance before they actually loose functionality. A simple certutil command...

If delta CRLs are hosted on a Windows Server 2008 server running Internet Information Server 7 (II7), the configuration of a request filter must be changed in the IIS7 configuration. IIS7.0 does not allow URI’s that do not match upon double escaping...

It came to our attention that the Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure whitepaper provides wrong guidance in section Import the Root CA Certificate and CRL into an Intermediate CA from a Batch File...