New AD CS doc: Migrating a Certification Authority from a CSP to a KSP

Just published: Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP) – and optionally, migrating from SHA-1 to SHA-2. If you have a CA that you installed and configured a while ago and you're now able to implement these stronger security options, use this how-to and verification…


Deploying Active Directory Certificate Services (AD CS) PKI two-tier hierarchy

When I was first learning about Active Directory Certificate Services (AD CS), a colleague told me that I should search on Step-by-Step Guide with AD CS. He was right, that was a good place to get started. Starting with Windows Server 2008 R2, the Test Lab Guide concept was introduced. So, if you want to…



I was recently alerted to the situation that not all of our Microsoft customers have adjusted their language based on the new branding of Active Directory to include more than just Active Directory Domain Services. For example, people might just be searching for Certificate Services, when we now call it internally Active Directory Certificate Services….


Updates just posted to Active Directory Certificate Services (AD CS) documentation

A few updates were just posted, so I am putting out an FYI post. I should do this more often, so I will! Anyways, here goes: 1. Slowly, but surely, the AD CS documentation is being consolidated into a single download center page: Active Directory Certificate Services (AD CS) Further, you can actually go…


Troubleshooting Certificate Autoenrollment field notes posted on TechNet Wiki

If you have trouble with Certificate Autoenrollment or have ever had issues troubleshooting certificate autoenrollment in Active Directory Certificate Services (AD CS), take a look at the notes compiled by Roger Grimes and turned into a TechNet Wiki article: Troubleshooting Certificate Autoenrollment in Active Directory Certificate Services. Tags: troubleshooting certificate services,autoenrollment,resolve autoenrollment,troubleshoot autoenrollment


Why do people use offline root certification authorities?

To get the answer to that and other questions, like “How do I patch an offline root CA?” see the new TechNet Wiki article Offline Root Certification Authority (CA). Tags: certification authority,CA,AD CS,Active Directory Certificate Services,PKI Design,offline root CA,CA hierarchy,CA design,AD CS design