Public key based cryptographic algorithms strength is determined based on the time taken to derive the private key using brute force methods. The algorithm is deemed to be strong enough when the time required to derive private key is prohibitive enough...

UPDATE (2/8): Based on some recent questions, additional information has been posted about SHA2 and Windows. Introduction We’ve recently received a couple of requests from customers around the functionality of SHA-256 when running on Windows...

The Internet Information Server (IIS) and Microsoft Internet Security and Acceleration (ISA) provide wizards in the administration user interface to request and install SSL certificates. With this blog post I want to explain how to request a SSL server...

I want to start this blog with a very basic topic: CRL checking. In the past we have documented a lot about CRL checking but I am still seeing that people have difficulties to verify if a certificate is valid or not. We have two whitepapers about CRL...

Important notice : Microsoft does not support any apple products, if you need to troubleshoot any problem related to apple products, please refer to http://www.apple.com/support I am often asked by customers how to deploy certificates to iPads using...

By default, Windows is caching Certificate Revocation Lists (CRL) and CA certificates to quickly verify certificate chains. The downside of this behavior is that a newer CRL is not picked up by the client until the locally cached CRL has expired. Windows...

Introduction: When designing a public key infrastructure (PKI) for your organization, you must develop an effective disaster recovery plan to ensure that, in the event of failure of the computer hosting Certificate Services, you can recover in a timely...

On August 14, 2012, Microsoft will issue a critical non-security update (KB 2661254) for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use...

Windows Vista and Windows Server 2008 have a convenient user interface to create custom certificate requests. This is especially helpful since computer certificate enrollment through the web enrollment pages was discontinued from Windows Server 2008 and...

The CA is automatically publishing its own certificates and related CRLs into Active Directory if a LDAP reference is configured in the CA property “Extensions”. If you are using a different LDAP server (such as Microsoft ADAM ) to make the CA certificate...

Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP and DCOM based enrollment The information was developed by Microsoft Consultant Services during one of our customer engagements ...

Environmental Dependencies: 1- Determine if the Active Directory Forest has Windows 2000 Domain Controllers. This is important because of modifications to the CertPublishers group scope, and permissions related to the AdminSDHolder role. These permissions...

Starting with Windows Server 2008 the CA product team introduced a set of COM objects that can be used to control the installation of CAs. Using VBScript you can quickly automate the setup and installation of a CA.Below is a script that is being used...

PKIVIEW was first introduced in Windows Server 2003 Resource kit. The tool is installed by default when you install the Windows 2008 Active Directory Certificate Services Role, and had been re-branded as "Enterprise PKI". The tool is implemented as a...

When importing a PFX-file with the certificate import wizard, you can choose if the private key should be exportable or not. Your choice is stored in the key storage property identifier that is key-storage specific. In other words, there is no information...

Strong key protection is one of the most misunderstood features in Windows security. In this post I will attempt to demystify it. I will also try to address some of the misconceptions about this feature that I’ve come across on the security discussion...

Note: This post is not updated anymore since May 2010. The new PKI reference page is a WIKI page . We have a broad list of documentation for the Windows PKI. To let you find the right content quicker, I have put together a grouped list of the current...

Consider that you are sending an encrypted eMail to a recipient who has multiple certificates stored in Active Directory. The key question is: Which certificates are selected by Outlook 2003/2007? When sending an encrypted eMail, Outlook actually requires...

Woudn't it be interesting for the CA admin to know which certificates are expiring in the near future? If autoenrollment is not eanbled, certificate users should be informed in advance before they actually loose functionality. A simple certutil command...

LDAP over SSL (LDAPS) is becoming an increasingly hot topic - perhaps it is because Event Viewer ID 1220 is catching people's attention in the Directory Service Log or just that people are wanting the client to server LDAP communication encrypted. The...

Today I want to comment on the quite popular Microsoft Knowledgebase article How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server . I am referring...

Background On December 1, 2010 the Federal PKI Management Authority (FPKIMA), in compliance with NIST guidance , created a new SHA-256 Federal Common Policy root certification authority. Windows Update will include the new Federal Common Policy Root...

The friendly name of a certificate can be helpful if multiple certificates with a similar subject exist in a certificate store. One way to set the friendly name is through the certificate MMC SnapIn. Alternatively certutil.exe can be used in the following...

The validity time of a certificate revocation list (CRL) is critical for every public key infrastructure. By default, most applications verify the validity of certificates against a CRL. Two CRL types exist: base CRLs and delta CRLs. In case where...

There are a number of known untrusted certificates and compromised keys that have been issued by standard trusted root certification authorities. To help customers avoid interacting with these untrusted or compromised certificates and keys, an Automatic...