Sample Code: End-to-End Certificate Transparency requests on ADCS CA

Hello all, Tochi Ezebube here again from the Active Directory Certificate Services engineering team.   Sometime back, we released support for the precertificate flow of Certificate Transparency v1 (RFC 6962) in Windows Server 2016 (https://support.microsoft.com/en-us/help/4093260/introduction-of-ad-cs-certificate-transparency). For this to work end-to-end, the component submitting the request to the ADCS CA must submit the returned precertificate to…

By Tochi E0

How will Certificate Transparency affect existing Active Directory Certificate Services environments?

Wes Hammond here from Premier Field Engineering.  It has been a while since I posted anything, but I wanted to step back into the spotlight to talk a little bit about something a few customers have been asking about lately.  How will Certificate Transparency affect their Active Directory Certificate Services environments?  Well, here are your…

By WesH [MSFT]2

[CrossPost ] HTTPS Inspection and your PKI

Hey Everyone, A little while back I posted this article to my own personal blog and it is getting some traction but it might get more here so I wanted to share it as these questions come up all the time.  I hope you enjoy it. https://blogs.technet.microsoft.com/crypto/2016/01/27/https-inspection-and-your-pki-2/

By WesH [MSFT]1

How to write an NDES policy module

Hi there! This is Tochi Ezebube with the Active Directory Certificate Services (ADCS) engineering team; I wanted to share some further details on how to write a custom policy module for the ADCS Network Device Enrollment Service (NDES) in Windows Server 2012 R2 and onwards. Here it is: how-to-write-an-ndes-policy-module. And here’s some general info on policy modules in…

By Tochi E1

[CrossPost] SHA1 Deprecation Policy

Update: This page has been removed.  For the most up to date information on the Microsoft SHA1 deprecation policy please see the links posted below https://blogs.technet.microsoft.com/msrc/2017/02/23/sha-1-collisions-research/ https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/#mmogekbBwHWMHGTL.97 https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx

By Amerk [MSFT]138

[CrossPost] Implementing SHA-2 in Active Directory Certificate Services

A fellow engineer at Microsoft, Roger Grimes, has published a great article on Implementing SHA-2 in ADCS.  You can read it at the link below: http://social.technet.microsoft.com/wiki/contents/articles/31296.implementing-sha-2-in-active-directory-certificate-services.aspx

By WesH [MSFT]3

Setting up NDES using a Group Managed Service Account (gMSA)

Setting up NDES using a Group Managed Service Account (gMSA) Hallo everybody, this is Andy and Dagmar from Austrian Premier Field Engineering (PFE) describing how to implement NDES using a gMSA (instead of a normal domain user account). When creating a lab on how to implement NDES (Network Device Enrollment Service) on Windows Server 2012…

Setting up TPM protected certificates using a Microsoft Certificate Authority – Part 2: Virtual Smart Cards

Hey Everyone, I am back with part 2 of this 3 part series on TPM protected certificates.  The topics covered in this are related to Virtual Smart Cards, their benefits, and lastly their limitations.  I will also cover how to create a Virtual Smart Cards.  Management of certificates contained on the virtual smart card are…

By WesH [MSFT]18

Setting up TPM protected certificates using a Microsoft Certificate Authority – Part 1: Microsoft Platform Crypto Provider

Hey Everyone, This is Wes Hammond with Premier Field Engineering back to share what I have learned about protecting digital certificates using the Trusted Platform module in Windows desktops, laptops and servers. This is part one of a three part series that will include the Microsoft Platform Crypto Provider, Virtual Smart Cards, and lastly the…

By WesH [MSFT]6