Peeling the onion – how many layers should your PKI have?

I've been talking to a colleague who insists a 1-tier PKI infrastructure is better than a 2-tier PKI infrastructure but without providing details on exactly why. Is it better? The word "better" is fairly meaningless as a quantitative descriptor. If you're talking to someone that uses that word when describing an IT-related subject it probably…


Getting FIM CM to inventory all certificate requests made outside of the FIM CM Portal

There's a neat policy module plug-in called "Support for non-FIM CM certificate requests" that's available in the latest version of FIM CM 2010 R2 SP1. After adding this plugin as a custom policy module on the CA you need to do the following: put in the SQL connection string (should already be present in…


Tweaking ADCS performance

The default settings for ADCS are fine for smaller installations – however, once your CA database goes beyond the toddler stage and starts exceeding a few gigabytes you should consider tweaking a few knobs on it for better performance. Avoid ticking auditing for Startup/Shutdown of the ADCS service (this causes a hashing of the database…


ADCS has become site-aware in Windows Server 2012

One of the largely unheralded big new features of Active Directory Certificate Services is that it can now be configured to be site-aware! This is accomplished by following the detailed steps that are described on the ADCS Wiki link below. The short version is however as follows: set the CA to detect which AD site it is in by running the following…


XP and W2k3 Clients are by default unable to enroll from W2k12 CA servers

RPC Packet-level Authentication is by default turned on in Windows 2012 CAs. This can also be turned on in W2k8+ but defaults to off there. … From When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT, as described…


Installing NDES restarts CertSvc service on target CA server

During the installation of NDES, two certificate templates ("Exchange Enrollment Agent (Offline request)" and "CEP Encryption") are added to the list of templates that the target CA is allowed to issue certificates from. The registry on the target CA server is also modified to add 'DeviceSerialNumber' with its OID to the 'SubjectTemplate' list under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name\SubjectTemplate….


How to identify if your ADCS has issued any certificates with public keys <1024 bits (in preparation for KB2661254)

On August 14th October 14th an update will be released that will by default affect chain validation for public keys that are 1023 bits or less – please read and for more details and the MSRC blog on as well as the IE blog on The following certutil command can be run against a Windows…


Quick and dirty inventory of certificate requests on a CA server

For troubleshooting purposes you may find the snippet below useful. It does the following: dumps out all requests that have been made to the CA server; limits the output to the things that are most commonly useful for PKI troubleshooting; pipes it to a text file for later consumption. …note that it *will* churn through your entire…


The certificate template requires too many RA signatures

After copying the default Smartcard Logon or Smartcard User certificate template on a Windows 2008 R2 CA server, the template may not show up as selectable during Enroll on Behalf Of operations such as EOBO smartcard enrollment. When you click 'Show all templates' you may see the following error message for the template: The certificate template requires…


Certificate Enrollment Web Services primers

From  Starting in Windows Server 2008 R2, there is an enrollment protocol that is based on WS-Trust and contains two new role services. These services use HTTP-based messaging over a TLS-encrypted transport and they do not depend solely on the Kerberos protocol for authentication. [Note: Using this for enrollment requires Windows 7 or Windows 2008 R2…