Wes Hammond here from Premier Field Engineering. It has been a while since I posted anything, but I wanted to step back into the spotlight to talk a little bit about something a few customers have been asking about lately. How will Certificate Transparency affect their Active Directory Certificate Services environments? Well, here are your…
[CrossPost] HTTPS Inspection and your PKI
Hey Everyone, A little while back I posted this article to my own personal blog and it is getting some traction but it might get more here so I wanted to share it as these questions come up all the time. I hope you enjoy it. https://blogs.technet.microsoft.com/crypto/2016/01/27/https-inspection-and-your-pki-2/
How to write an NDES policy module
Hi there! This is Tochi Ezebube with the Active Directory Certificate Services (ADCS) engineering team; I wanted to share some further details on how to write a custom policy module for the ADCS Network Device Enrollment Service (NDES) in Windows Server 2012 R2 and onwards. Here it is: how-to-write-an-ndes-policy-module. And here’s some general info on policy modules in…
[CrossPost] SHA1 Deprecation Policy
Update: This page has been removed. For the most up to date information on the Microsoft SHA1 deprecation policy please see the links posted below:
https://blogs.technet.microsoft.com/msrc/2017/02/23/sha-1-collisions-research/
https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/#mmogekbBwHWMHGTL.97
https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx
[CrossPost] Implementing SHA-2 in Active Directory Certificate Services
A fellow engineer at Microsoft, Roger Grimes, has published a great article on Implementing SHA-2 in ADCS. You can read it at the link below: http://social.technet.microsoft.com/wiki/contents/articles/31296.implementing-sha-2-in-active-directory-certificate-services.aspx
Setting up NDES using a Group Managed Service Account (gMSA)
Hello everybody, this is Andy and Dagmar from Austrian Premier Field Engineering (PFE) describing how to implement NDES using a gMSA (instead of a normal domain user account). When creating a lab on how to implement NDES (Network Device Enrollment Service) on Windows Server 2012…
Setting up TPM protected certificates using a Microsoft Certificate Authority – Part 3: Key Attestation
Hey Everyone, I am back with the last part of this 3 part series on TPM protected certificates. The last topic for this series is Key Attestation. Recently I have had a few people ask me about the Key Attestation tab in Windows Server 2012 R2. Another person informed me they tried to…
Setting up TPM protected certificates using a Microsoft Certificate Authority – Part 2: Virtual Smart Cards
Hey Everyone, I am back with part 2 of this 3 part series on TPM protected certificates. The topics covered in this part are related to Virtual Smart Cards, their benefits, and lastly their limitations. I will also cover how to create a Virtual Smart Card. Management of certificates contained on the virtual smart card are…
Setting up TPM protected certificates using a Microsoft Certificate Authority – Part 1: Microsoft Platform Crypto Provider
Hey Everyone, This is Wes Hammond with Premier Field Engineering back to share what I have learned about protecting digital certificates using the Trusted Platform Module in Windows desktops, laptops and servers. This is part one of a three part series that will include the Microsoft Platform Crypto Provider, Virtual Smart Cards, and lastly the…
Windows Server 2012 R2/IIS8.5 – Automatic Rebind of Renewed Certificates
Hello All, This is Wes Hammond with Premier Field Engineering back with a follow-up to a previous blog post about automatic renewal of web site certificates. The original post can be found in the references below. IIS 8.5 in Windows Server 2012 R2 includes a new option that allows certificates renewed via Auto Enrollment to rebind…