Peeling the onion – how many layers should your PKI have?

I've been talking to a colleague who insists a 1-tier PKI infrastructure is better than a 2-tier PKI infrastructure but without providing details on exactly why. Is it better? The word "Better" is fairly meaningless as a quantitative descriptor. If you're talking to someone that uses that word when describing an IT-related subject it probably…


ADCS and dedicated CRL-signing certificates

We're seeing what appears to be random revocation checking failures on clients for certificates issued by our CA. The infrastructure is a 2-tier PKI with an OCSP defined on the issuing CA certificate and the CRL from the Root CA signed by a dedicated CRL-signing certificate (i.e. not the issuing cert). We've observed that in cases…


Fiddling with ADFS – end the infinite authentication loop

While working at a customer site the other day I was reminded of an article by Eric Lawrence on why you sometimes start seeing endless pop-up windows asking for credentials when using Fiddler to decrypt HTTPS traffic during troubleshooting. In short: if the web server has Extended Protection for Authentication enabled then it detects that…


Quick inventory of all certificates expiring in the next XX days

A simple command line using Certutil to dump out all issued certificates on the server about to expire in the next 60 days: certutil -view -restrict "NotAfter>now,NotAfter<=now+60,Disposition=20" -out RequestID,RequesterName,Request.CommonName,CommonName,UPN,NotBefore,NotAfter,SerialNumber,CertificateTemplate,CertificateHash … creative uses: Schedule a monthly task in the Windows Task Scheduler with two components; the first to generate the list and pipe it to a…


Tweaking ADCS performance

The default settings for ADCS are fine for smaller installations – however, once your CA database goes beyond the toddler stage and starts exceeding a few gigabytes you should consider tweaking a few knobs on it for better performance. Avoid ticking auditing for Startup/Shutdown of the ADCS service (this causes a hashing of the database…


ADCS has become site-aware in Windows Server 2012

One of the largely unheralded big new features of Active Directory Certificate Services is that it can now be configured to be site-aware! This is accomplished by following the detailed steps that are described on the ADCS Wiki link below. The short version is however as follows: set the CA to detect which AD site it is in by running the following…


XP and W2k3 Clients are by default unable to enroll from W2k12 CA servers

RPC Packet-level Authentication is by default turned on in Windows 2012 CAs. This can also be turned on in W2k8+ but defaults to off there. … From When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT, as described…


Installing NDES restarts CertSvc service on target CA server

During the installation of NDES, two certificate templates ("Exchange Enrollment Agent (Offline request)" and "CEP Encryption") are added to the list of templates that the target CA is allowed to issue certificates from. The registry on the target CA server is also modified to add 'DeviceSerialNumber' with the OID to the 'SubjectTemplate' list under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name\SubjectTemplate…


How to get email notifications about expiring certificates from FIM CM 2010

Just stumbled over this great article on how to do this over on the Technet Wiki at Using this example you can have email notifications sent to a mailbox or distribution list to warn about certificates that are about to expire, giving the administrators time to renew them ahead of time. Using the…


How to identify if your ADCS has issued any certificates with public keys <1024 bits (in preparation for KB2661254)

On August 14th October 14th an update will be released that will by default affect chain validation for public keys that are 1023 bits or less – please read and for more details and the MSRC blog on as well as the IE blog on The following certutil command can be run against a Windows…