Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

Sample Code: End-to-End Certificate Transparency requests on ADCS CA

Hello all, Tochi Ezebube here again from the Active Directory Certificate Services engineering team....

Author: Tochi E Date: 12/12/2018

How will Certificate Transparency affect existing Active Directory Certificate Services environments?

Wes Hammond here from Premier Field Engineering.  It has been a while since I posted anything, but I...

Author: WesH [MSFT] Date: 03/12/2018

[CrossPost ] HTTPS Inspection and your PKI

Hey Everyone, A little while back I posted this article to my own personal blog and it is getting...

Author: WesH [MSFT] Date: 02/24/2017

How to write an NDES policy module

Hi there! This is Tochi Ezebube with the Active Directory Certificate Services (ADCS) engineering...

Author: Tochi E Date: 11/30/2016

[CrossPost] SHA1 Deprecation Policy

Update: This page has been removed.  For the most up to date information on the Microsoft SHA1...

Author: Amerk [MSFT] Date: 10/19/2015

[CrossPost] Implementing SHA-2 in Active Directory Certificate Services

A fellow engineer at Microsoft, Roger Grimes, has published a great article on Implementing SHA-2 in...

Author: WesH [MSFT] Date: 07/24/2015

Setting up NDES using a Group Managed Service Account (gMSA)

Setting up NDES using a Group Managed Service Account (gMSA) Hallo everybody, this is Andy and...

Author: Dagmar_Heidecker Date: 04/26/2015

Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 3: Key Attestation

Hey Everyone, I am back with the last part of this 3 of this series on TPM protected certificates....

Author: WesH [MSFT] Date: 09/08/2014

Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 2: Virtual Smart Cards

Hey Everyone, I am back with part 2 of this 3 part series on TPM protected certificates. The topics...

Author: WesH [MSFT] Date: 07/15/2014

Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 1: Microsoft Platform Crypto Provider

Hey Everyone, This is Wes Hammond with Premier Field Engineering back to share what I have learned...

Author: WesH [MSFT] Date: 06/05/2014

Windows Server 2012 R2/IIS8.5 - Automatic Rebind of Renewed Certificates

Hello All, This is Wes Hammond with Premier Field Engineering back with follow up to a previous blog...

Author: Amerk [MSFT] Date: 04/28/2014

Constraints: what they are and how they’re used

Hey everyone this is Wes Hammond from Premier Field Engineering and I wanted to share with you some...

Author: Amerk [MSFT] Date: 03/05/2014

A novel method in IE11 for dealing with fraudulent digital certificates

Digital certificates are a key mechanism for establishing identity on the Internet. Trust in these...

Author: Saboori Anoosh Date: 02/21/2014

[CrossPost] Microsoft PKI OCSP Responder Now JITC Certified and Lab Setup Guide

For those that missed the big news on the Ask Premier Field Engineering (PFE) Platforms blog, our...

Author: Adam Stasiniewicz Date: 01/08/2014

Upgrade Certification Authority to SHA256

A common question in the field is about upgrading a certification authority running on Windows...

Author: Amerk [MSFT] Date: 09/19/2013

Renew Web Server (SSL) Certificates Automatically

Working with Internet Information Services (IIS) certificates can be a bit challenging especially...

Author: Amerk [MSFT] Date: 08/27/2013

Paul Fox has uploaded a revision of his former Windows PowerShell CRL Copy script. The new script is...

Author: Kurt L Hudson MSFT Date: 05/08/2013

PKI Library (PKI Documentation and Reference Library Updated)

Tonight I spent a couple of hours reorganizing the PKI Documentation and Reference Library. I also...

Author: Kurt L Hudson MSFT Date: 03/22/2013

Windows Server 2012 Active Directory Certificate Services System State Backup and Restore

Windows Server 2012 System State Backup allows an administrator to back-up several Operating System...

Author: Amerk [MSFT] Date: 03/21/2013

Certutil and Certreq

I have consolidated and updated two command line utilities recently: Certreq Certutil I took all the...

Author: Kurt L Hudson MSFT Date: 03/08/2013

Query for Advanced CA Configuration Options

It is very common to check the configuration of any certification authority using certutil...

Author: Amerk [MSFT] Date: 12/27/2012

Viewing Expired Certificate Revocation List (CRL)

Many customers must perform a regulatory audit annually to comply with industry standards and...

Author: Amerk [MSFT] Date: 12/20/2012

Certificate for WinRT devices and non-domain member devices

Hi there, I am a test engineer in the Windows team working on certificate enrollment related areas....

Author: Chunhua Chen Date: 12/10/2012

Group Protected PFX

A new feature is available in Windows Server 2012 and Windows 8 that allows you to protect exported...

Author: Kurt L Hudson MSFT Date: 10/08/2012

Blocking RSA keys less than 1024 bits (part 3)

Microsoft released a security advisory, KB article, and software update for all supported versions...

Author: Kurt L Hudson MSFT Date: 08/14/2012

Blocking RSA Keys less than 1024 bits (part 2)

On August 14, 2012, Microsoft will issue a critical non-security update (KB 2661254) for Windows XP,...

Author: Kurt L Hudson MSFT Date: 07/13/2012

How to determine if a smart card was used for logon

Fabian Müller, Premier Field Engineer (PFE) in Germany, just wrote a detailed article...

Author: Kurt L Hudson MSFT Date: 06/18/2012

RSA keys under 1024 bits are blocked

Public key based cryptographic algorithms strength is determined based on the time taken to derive...

Author: Kurt L Hudson MSFT Date: 06/11/2012

Announcing the automated updater of untrustworthy certificates and keys

There are a number of known untrusted certificates and compromised keys that have been issued by...

Author: Kurt L Hudson MSFT Date: 06/11/2012

Request File Can’t be Located during CA Certificate Renewal

During my work with a customer renewing their Issuing CA’s certificate based on the steps...

Author: Amerk [MSFT] Date: 05/29/2012

Visual Basic for Applications and SHA2

I was recently helping a customer deploy a SHA-256 based PKI. As part of the retirement of their old...

Author: Adam Stasiniewicz Date: 05/03/2012

Best Practice for Configuring Certificate Template Cryptography

Starting with Windows Vista and Windows Server 2008, the option to utilize Key Storage Providers...

Author: Kurt L Hudson MSFT Date: 04/27/2012

Network Device Enrollment Service (NDES) now on the TechNet Wiki

The Network Device Enrollment Service (NDES) whitepaper is now on the TechNet Wiki and I have...

Author: Kurt L Hudson MSFT Date: 04/18/2012

Offline CA articles posted to the TechNet Wiki

Amer Kamal recently posted two articles regarding the security and maintenance of offline CAs based...

Author: Kurt L Hudson MSFT Date: 03/18/2012

HSPD-12 Logical Access Authentication and 2008 Active Directory Domains on Download Center

A follow-up document to the original HSPD-12 Logical Access Authentication and Active DIrectory...

Author: Kurt L Hudson MSFT Date: 03/14/2012

Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES)

Important notice: Microsoft does not support any apple products, if you need to troubleshoot any...

Author: Amerk [MSFT] Date: 02/27/2012

Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

Jonathan Stephens posted an excellent Blog about this topic; however, it didn’t include the...

Author: Amerk [MSFT] Date: 01/27/2012

EFS Certificates may be recovered as CNG certificates when CAPI CSP is required

If a Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key...

Author: Kurt L Hudson MSFT Date: 01/23/2012

Windows PowerShell script for Setting up a CA on Windows Server 2008 and Windows Server 2008 R2

Microsoft MVP, Vadims Podans, has written and posted a Windows PowerShell script that can be used to...

Author: Kurt L Hudson MSFT Date: 12/08/2011

Key Recovery vs Data Recovery Differences

I am often asked when talking to my customers about the differences between Key Recovery and Data...

Author: Amerk [MSFT] Date: 10/28/2011

The Windows KB article 889250 titled "How to decommission a Windows enterprise certification...

Author: Kurt L Hudson MSFT Date: 10/07/2011

Does Enterprise PKI (PKIVIEW) support OCSP?

A common question from certification authority administrators is "Does Enterprise PKI (PKIView)...

Author: Kurt L Hudson MSFT Date: 10/07/2011

Updated requirements for a Windows Server 2008 R2 domain controller certificate from a 3rd party CA

Ingolfur has written a blog post as well as a TechNet Wiki article describing how a Windows Server...

Author: Kurt L Hudson MSFT Date: 09/28/2011

Windows 8 Developer Preview and AD CS / PKI: Cannot Get a Certificate from Web

If you are using Windows Developer Preview and have difficulty obtaining or downloading a...

Author: Kurt L Hudson MSFT Date: 09/14/2011

Internet Explorer 9 and Certificate Enrollment using Certificate Authority Web Enrollment

If you run into an issue where you are unable to download or save certificates using Internet...

Author: Kurt L Hudson MSFT Date: 08/18/2011

Active Directory Certificate Services Frequently Asked Questions - needs your help!

If you have commonly asked questions about certificate services or PKI that you think should be...

Author: Kurt L Hudson MSFT Date: 08/08/2011

AD CS Content Updates

The following documentation updates have been recently made: AD CS: Deploying Cross-forest...

Author: Kurt L Hudson MSFT Date: 08/03/2011

Important Security Update for Windows Server: Active Directory Certificate Services Web Enrollment!

An important security update, described in MS11-051 (https://go.microsoft.com/fwlink/?LinkId=217101)...

Author: Kurt L Hudson MSFT Date: 06/14/2011

Implementing LDAPS (LDAP over SSL)

LDAP over SSL (LDAPS) is becoming an increasingly hot topic - perhaps it is because Event Viewer ID...

Author: Kurt L Hudson MSFT Date: 06/02/2011

Deployment of the new Federal Common Policy CA Root Certificate

Background On December 1, 2010 the Federal PKI Management Authority (FPKIMA), in compliance with...

Author: MS2065 [MSFT] Date: 03/13/2011

Next>