Manually importing keys into a smart card

Have you thought about moving a certificate including its (exportable) keys from a user’s profile into a smart card? There are three simple steps required to do this if the Microsoft Base Smart Card Crypto Service Provider is available on a computer. 1. As the first step, two registry keys must be modified to…


How to decode Windows errors

Many Windows error messages provide a hexadecimal error code, for example 0x8007267C. This code can provide helpful information. But how to translate it into a readable error message? At least two commands can be used to decode an error code:
· certutil -error [Code]
· err.exe [Code]
For example certutil -error 0x8007267C…

How to refresh the CRL cache on Windows Vista

By default, Windows caches Certificate Revocation Lists (CRLs) and CA certificates to quickly verify certificate chains. The downside of this behavior is that a newer CRL is not picked up by the client until the locally cached CRL has expired. Windows versions before Windows Vista do not support deletion or a forced update…


Windows PKI documentation reference

Note: This post has not been updated since May 2010. The new PKI reference page is a WIKI page. We have a broad list of documentation for the Windows PKI. To help you find the right content more quickly, I have put together a grouped list of the current papers, knowledge base articles and web casts…


How to re-install the default certificate templates?

When you launch the certificate templates MMC snap-in (certtmpl.msc) for the first time, the certificate templates are installed automatically in the background. Installing the templates is independent of the availability of an enterprise CA. Enterprise Administrator permissions are required to successfully install the templates. That’s nice and convenient, but what happens if you accidentally…


Marking private keys as non-exportable with certutil -importpfx

When importing a PFX file with the certificate import wizard, you can choose whether the private key should be exportable or not. Your choice is stored in the key storage property identifier, which is specific to the key storage. In other words, there is no information in the certificate about the exportability of the related private key. It is…


Credential Roaming Hot Fix Available

If you have already deployed Credential Roaming (see the whitepaper or webcast) or if you have plans to do so, you should be very aware of a new knowledgebase article, because the size of your Active Directory might grow unnecessarily. Refer to knowledgebase article 934797 for more information.

The missing EDIT button in the CA properties extensions tab

There are at least three ways to adjust the CRL and AIA distribution points. The most familiar way to change the distribution point might be through the CA MMC user interface. The second way is to directly change the registry key CACertPublicationURLs or CRLPublicationURLs with regedit.exe. Alternatively, you can use certutil -setreg to…

A simple way to set the certutil -config option

When you are performing an operation on a remote CA, certutil requires the config string as an input parameter. The common way to find out the config string is to run a certutil -dump command, list all available CAs in the Active Directory forest and copy/paste the config parameter from the dump into the new command line…


Manually publishing a CA certificate or CRL into an LDAP store

The CA automatically publishes its own certificates and related CRLs into Active Directory if an LDAP reference is configured in the CA property “Extensions”. If you are using a different LDAP server (such as Microsoft ADAM) to make the CA certificate and CRL available, certificates and CRLs must be published manually. The easiest way…