Hey Everyone, A little while back I posted this article to my own personal blog and it is getting some traction but it might get more here so I wanted to share it as these questions come up all the time. I hope you enjoy it. https://blogs.technet.microsoft.com/crypto/2016/01/27/https-inspection-and-your-pki-2/
How to write an NDES policy module
Hi there! This is Tochi Ezebube with the Active Directory Certificate Services (ADCS) engineering team; I wanted to share some further details on how to write a custom policy module for the ADCS Network Device Enrollment Service (NDES) in Windows Server 2012 R2 and onwards. Here it is: how-to-write-an-ndes-policy-module. And here’s some general info on policy modules in…
[CrossPost] SHA1 Deprecation Policy
Update: This page has been removed. For the most up to date information on the Microsoft SHA1 deprecation policy please see the links posted below https://blogs.technet.microsoft.com/msrc/2017/02/23/sha-1-collisions-research/ https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/#mmogekbBwHWMHGTL.97 https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx
[CrossPost] Implementing SHA-2 in Active Directory Certificate Services
A fellow engineer at Microsoft, Roger Grimes, has published a great article on Implementing SHA-2 in ADCS. You can read it at the link below: http://social.technet.microsoft.com/wiki/contents/articles/31296.implementing-sha-2-in-active-directory-certificate-services.aspx
Setting up NDES using a Group Managed Service Account (gMSA)
Setting up NDES using a Group Managed Service Account (gMSA) Hallo everybody, this is Andy and Dagmar from Austrian Premier Field Engineering (PFE) describing how to implement NDES using a gMSA (instead of a normal domain user account). When creating a lab on how to implement NDES (Network Device Enrollment Service) on Windows Server 2012…
Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 3: Key Attestation
Hey Everyone, I am back with the last part of this 3 of this series on TPM protected certificates. The last topic for this series is on Key Attestation. Recently I have had a few people ask me about the Key Attestation tab in Windows Server 2012 R2. Another person informed me they tried to…
Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 2: Virtual Smart Cards
Hey Everyone, I am back with part 2 of this 3 part series on TPM protected certificates. The topics covered in this are related to Virtual Smart Cards, their benefits, and lastly their limitations. I will also cover how to create a Virtual Smart Cards. Management of certificates contained on the virtual smart card are…
Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 1: Microsoft Platform Crypto Provider
Hey Everyone, This is Wes Hammond with Premier Field Engineering back to share what I have learned about protecting digital certificates using the Trusted Platform module in Windows desktops, laptops and servers. This is part one of a three part series that will include the Microsoft Platform Crypto Provider, Virtual Smart Cards, and lastly the…
Windows Server 2012 R2/IIS8.5 - Automatic Rebind of Renewed Certificates
Hello All, This is Wes Hammond with Premier Field Engineering back with follow up to a previous blog about automatic renewal of web site certificates. The original blog can be found in the references below. IIS 8.5 in Windows Server 2012 R2 includes a new option that allows certificates renewed via Auto Enrollment to rebind…
Constraints: what they are and how they’re used
Hey everyone this is Wes Hammond from Premier Field Engineering and I wanted to share with you some info that I have gathered about setting up constraints. What are Constraints? Constraints are used to restrict certificate authorities that you DO NOT TRUST that are part of your chain. They come in the form of rules…