New AD CS doc: Migrating a Certification Authority from a CSP to a KSP

Just published: Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP) – and optionally, migrating from SHA-1 to SHA-2. If you have a CA that you installed and configured a while ago and you're now able to implement these stronger security options, use this how-to and verification…



I was recently alerted to the situation that not all of our Microsoft customers have adjusted their language based on the new branding of Active Directory to include more than just Active Directory Domain Services. For example, people might just be searching for Certificate Services, when we now call it internally Active Directory Certificate Services….


Incompatibilities with CNG or V3 templates

If you have heard of Certificates Next Generation (silly name, I know), which is why people call them V3 templates at Microsoft most of the time, then you might wonder or already know that there could be some compatibility issues – the same is true for all “new” things. Just like my new office power…

Troubleshooting Certificate Autoenrollment field notes posted on TechNet Wiki

If you have trouble with Certificate Autoenrollment or have ever had issues troubleshooting certificate autoenrollment in Active Directory Certificate Services (AD CS), take a look at the notes compiled by Roger Grimes and turned into a TechNet Wiki article: Troubleshooting Certificate Autoenrollment in Active Directory Certificate Services.

Why do people use offline root certification authorities?

To get the answer to that and other questions, like “How do I patch an offline root CA?” see the new TechNet Wiki article Offline Root Certification Authority (CA).