Quick and dirty inventory of certificate requests on a CA server

For troubleshooting purposes you may find the snippet below useful. It dumps out all requests that have been made to the CA server, limits the output to the columns that are most commonly useful for PKI troubleshooting, and pipes the result to a text file for later consumption. ….note that it *will* churn through your entire…
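An added example of the kind of inventory the post describes (this is not the post's own snippet): certutil's -view verb with -out restricted to a handful of columns, written to a file. The output path, the -restrict variants and the column selection are assumptions; the full column list for your CA can be printed with `certutil -schema`.

```powershell
# Inventory of CA database requests (added example, not the original post's snippet).
# Run on the CA itself, or add -config "CAHOST\CA Name" to query it remotely.
$outFile = "C:\temp\ca-requests.csv"   # assumed path

# Columns that usually answer the troubleshooting questions: who asked, for which
# template, what the CA did with it and when, plus the identifiers of the result.
$columns = "RequestID,RequesterName,CertificateTemplate,Request.SubmittedWhen," +
           "Request.Disposition,Request.DispositionMessage,NotBefore,NotAfter,SerialNumber"

# Full dump: walks every row in the CA database, which is slow on a busy CA.
certutil -view -out $columns csv | Out-File -FilePath $outFile -Encoding ASCII

# When you only need part of the database, let -restrict filter on the server side
# instead of post-processing the full dump:
#   Issued requests only:          certutil -view -restrict "Disposition=20" -out $columns csv
#   Failed requests only:          certutil -view -restrict "Disposition=30" -out $columns csv
#   Issued, expiring within 30 d:  certutil -view -restrict "Disposition=20,NotAfter<=now+30:00" -out $columns csv
```

The CSV form is convenient for Import-Csv afterwards; drop the trailing `csv` argument if you prefer certutil's verbose row-per-line view.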


Random Kryptonotes

Two separate blog posts to be aware of for anyone interested in cryptography (or Krypto Krap, as a former colleague would say).

PKI Team blog: Planned August release on Windows Update will block RSA keys weaker than 1024 bits: http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx

MSRC blog: detailed technical breakdown on the Flame malware, read the external links at…


Sending all mail using a postcard vs. using an envelope to protect it

Problem: Your users aren't using encryption for their email (for various reasons) but you still want to protect SMTP mail they send over the Internet to avoid it being intercepted en route.

Solution: Implement Exchange 2010 and configure encryption of the mail data at the server level for both servers involved in the transaction.

Caveats: This…
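As an added example of the server-level configuration the post points at (this is not the post's own configuration), the Exchange 2010 Management Shell commands below first show what the existing connectors do, then require TLS on a send connector for a partner domain and on the Internet-facing receive connector, and optionally turn on mutual TLS (Domain Security) for that partner. Connector names, the server name HUB01 and partner.example.com are placeholders.

```powershell
# Exchange 2010 Management Shell: make the server-to-server SMTP hop use TLS
# (added example; names are placeholders, not the post's environment).

# 1. What do the existing connectors do today? RequireTLS=False means opportunistic
#    STARTTLS only: encrypted if the other side offers it, plaintext otherwise.
Get-SendConnector    | Format-Table Name, AddressSpaces, RequireTLS, DomainSecureEnabled -AutoSize
Get-ReceiveConnector | Format-Table Name, Bindings, RequireTLS, DomainSecureEnabled -AutoSize

# 2. Dedicated send connector for the partner domain that will not fall back to
#    plaintext. If the partner's server does not offer STARTTLS, mail queues
#    instead of being sent in the clear.
New-SendConnector -Name "Partner - TLS required" -Usage Partner `
    -AddressSpaces "partner.example.com" -DNSRoutingEnabled $true `
    -SourceTransportServers "HUB01" -RequireTLS $true

# 3. Receive side: refuse sessions that do not negotiate TLS on the Internet-facing
#    connector. The partner must configure the equivalent on their end, otherwise
#    only one direction of the exchange is protected.
Set-ReceiveConnector -Identity "HUB01\Internet Inbound" -RequireTLS $true

# 4. Optional: mutual TLS (Domain Security) so each side also authenticates the
#    other's certificate, not just encrypts the session.
Set-SendConnector    -Identity "Partner - TLS required" -DomainSecureEnabled $true
Set-ReceiveConnector -Identity "HUB01\Internet Inbound" -DomainSecureEnabled $true -AuthMechanism Tls
Set-TransportConfig  -TLSSendDomainSecureList "partner.example.com" `
                     -TLSReceiveDomainSecureList "partner.example.com"
```

Step 2 is the postcard-versus-envelope point: opportunistic TLS is what most servers already do, and it protects nothing against a downgrade, so RequireTLS (and, for a known partner, Domain Security) is what actually changes the security posture. Domain Security needs a certificate on each Hub Transport server whose subject matches the sending domain and that the other side trusts.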


The certificate template requires too many RA signatures

After copying the default Smartcard Logon or Smartcard User certificate template on a Windows 2008 R2 CA server, the template may not show up as selectable during Enroll on Behalf Of operations such as EOBO smartcard enrollment. Clicking ‘Show all templates’ you may see the following error message for the template: The certificate template requires…
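A quick way to see what a template actually demands, before touching its properties, is to read the issuance-requirement attributes straight from Active Directory. The function below is an added diagnostic (not the post's fix) and assumes the ActiveDirectory module is available; the template name is a placeholder. For Enroll On Behalf Of with a Certificate Request Agent, the values to compare against are one RA signature (msPKI-RA-Signature = 1) with application policy 1.3.6.1.4.1.311.20.2.1 (Certificate Request Agent).

```powershell
# Read a template's RA-signature requirements from AD (added diagnostic example).
# Requires the ActiveDirectory module (RSAT). Template name is a placeholder.
function Get-TemplateRaRequirements {
    param([Parameter(Mandatory)][string]$TemplateName)

    $config = (Get-ADRootDSE).configurationNamingContext
    $base   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"

    # Templates are stored under their cn (no spaces); displayName is what the
    # MMC shows, so match on either.
    $filter = "(&(objectClass=pKICertificateTemplate)(|(cn=$TemplateName)(displayName=$TemplateName)))"

    Get-ADObject -SearchBase $base -LDAPFilter $filter -Properties `
        'msPKI-RA-Signature', 'msPKI-RA-Application-Policies', 'msPKI-RA-Policies', `
        'msPKI-Certificate-Application-Policy', 'msPKI-Template-Schema-Version' |
        Select-Object Name,
            @{ n = 'SchemaVersion';       e = { $_.'msPKI-Template-Schema-Version' } },
            @{ n = 'RaSignatures';        e = { $_.'msPKI-RA-Signature' } },             # number of signatures required
            @{ n = 'RaApplicationPolicy'; e = { $_.'msPKI-RA-Application-Policies' } },  # EKU the signer must hold
            @{ n = 'RaIssuancePolicy';    e = { $_.'msPKI-RA-Policies' } },              # issuance policy the signer must hold
            @{ n = 'CertAppPolicies';     e = { $_.'msPKI-Certificate-Application-Policy' } }
}

# Compare the copy against the built-in it was cloned from.
'SmartcardLogon', 'Copy of Smartcard Logon' | ForEach-Object { Get-TemplateRaRequirements -TemplateName $_ } | Format-List
```

If the copy reports more than one required signature, or an issuance policy that your enrollment agent certificate does not carry, that is what the Issuance Requirements tab on the template needs to be reconciled with.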


CAPI2 Event ID 11 errors on machines that don’t have access to the Internet

See also http://blogs.technet.com/b/instan/archive/2011/09/27/capi2-event-id-11-retake.aspx for further details. Before you start chasing this event, check that you actually have a problem related to it. In essence this event just means that a caller on the server failed to verify a CRL. By itself it doesn't mean that the revocation checking failure caused a problem. Whether it does cause a…
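An added example of the "check that you actually have a problem" step (not from the post): pull the CAPI2 Event ID 11 entries for the last day, show which process generated them and which URLs it was trying to reach, and then verify the suspect certificate with full URL fetching. The ProcessName attribute match and the certificate path are assumptions; the CAPI2 operational log has to be enabled in Event Viewer before anything is recorded.

```powershell
# Triage CAPI2 Event ID 11 (added example, not from the linked post).
function Get-Capi2RevocationFailures {
    param([int]$Hours = 24)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CAPI2/Operational'   # must be enabled first
        Id        = 11
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml = $e.ToXml()
        # The payload layout varies between Windows versions, so match on the text
        # rather than on a fixed XPath. ProcessName attribute is an assumption.
        $process = [regex]::Match($xml, '(?i)ProcessName="([^"]+)"').Groups[1].Value
        $urls    = [regex]::Matches($xml, 'https?://[^"<\s]+') |
                       ForEach-Object { $_.Value } | Sort-Object -Unique
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Process = $process
            Urls    = ($urls -join ', ')
        }
    }
}

# Who is failing, and how often? One background task polling a CDP every hour on a
# box with no Internet route is noise; lsass.exe failing on a logon chain is not.
$failures = Get-Capi2RevocationFailures
$failures | Group-Object Process | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$failures | Select-Object -First 5 | Format-List

# Does it matter for a given certificate? Verify it with URL fetching; on a machine
# without Internet access the CDP/AIA fetch failures show up right here.
# certutil -verify -urlfetch C:\temp\suspect.cer
```

The question to answer from this output is whether the process that logged the event also failed at what it was doing (a logon, a TLS handshake, a signature check). If it did not, the event is informational and the CRL reachability is only worth fixing if the policy is that revocation must be checked.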