Outlook S/MIME certificate selection

Consider that you are sending an encrypted eMail to a recipient who has multiple certificates stored in Active Directory. The key question is: Which certificates are selected by Outlook 2003/2007? When sending an encrypted eMail, Outlook actually requires two certificates. One certificate is owned by the recipient and one is owned by the sender. The…


Defining the friendly name certificate property

The friendly name of a certificate can be helpful if multiple certificates with a similar subject exist in a certificate store. One way to set the friendly name is through the Certificates MMC snap-in. Alternatively, certutil.exe can be used in the following way: Open Notepad and paste the following text into the editor [Version]Signature =…


Suppressing certificate attributes in a CA certificate request

When a PKCS#10 request for a CA certificate is generated, a pre-defined set of certificate attributes is included. This blog entry explains how to eliminate attributes that would go into the CA certificate request by default. Imagine that you are setting up a new subordinate CA where the parent CA is a non-Windows CA….


Creating offline certificate requests through the user-interface on Windows Vista or Windows Server 2008

Windows Vista and Windows Server 2008 have a convenient user interface to create custom certificate requests. This is especially helpful since computer certificate enrollment through the web enrollment pages was discontinued from Windows Server 2008 and on. If you want to create a custom certificate request, perform the following steps: 1. Start the Certificates MMC…


Disposition values for certutil -view -restrict (and some creative samples)

A while ago I explained how to determine all certificates that will expire within a given period. Now I'd like to explain how to query the CA database based on certificate or request disposition. The disposition IDs are defined in the certsrv.h include file in the Windows SDK. The following two tables show the disposition…


You cannot add V2 or V3 templates after an in-place upgrade was performed on a Windows Server 2008 enterprise CA

Technically, it is possible to install an enterprise CA on a Windows Server Standard edition. With this configuration, the enterprise features of the certification authority are intentionally not available. To enable the CA enterprise features, it is required to upgrade the Windows Server from Standard to Enterprise edition. To keep the existing enterprise CA configuration, it…


How EffectiveDate (thisupdate), NextUpdate and NextCRLPublish are calculated

The validity time of a certificate revocation list (CRL) is critical for every public key infrastructure. By default, most applications verify the validity of certificates against a CRL. Two CRL types exist: base CRLs and delta CRLs. In the case where no delta CRL is used, certificates are treated as invalid if the base CRL is…


New whitepapers about Windows Server 2008 Certificate Services

This blog entry has two purposes: 1) make you aware of the two new whitepapers that have just been released: Active Directory Certificate Services Upgrade and Migration Guide; Configuring and Troubleshooting Certification Authority Clustering in Windows Server 2008; 2) provide you with a feedback channel. If you have comments about these two papers or any other PKI…


How to determine all certificates that will expire within 30 days

Wouldn't it be interesting for the CA admin to know which certificates are expiring in the near future? If autoenrollment is not enabled, certificate users should be informed in advance before they actually lose functionality. A simple certutil command enables the CA admin to generate a list with all expiring certificates: certutil -view -restrict "NotAfter<=May…