Visual Basic for Applications and SHA2

I was recently helping a customer deploy a SHA-256-based PKI.  As part of the retirement of their old PKI, we reissued the code signing certificates used by their developers.  We found that the Visual Studio 2010 developers had no issue with the new code signing certs, but the Visual Basic for Applications developers could…


Best Practice for Configuring Certificate Template Cryptography

Starting with Windows Vista and Windows Server 2008, the option to utilize Key Storage Providers (KSPs) in addition to Cryptographic Service Providers (CSPs) was added. These options are available when you create a Certificate Template and configure the settings in the Cryptography tab. Depending on the template duplicated, you may see that the default option…


Network Device Enrollment Service (NDES) now on the TechNet Wiki

The Network Device Enrollment Service (NDES) whitepaper is now on the TechNet Wiki and I have already made a few updates that were requested. The old Download Center location has been updated to reflect that we’ve posted the update to the TechNet Wiki. Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD…


Offline CA articles posted to the TechNet Wiki

Amer Kamal recently posted two articles regarding the security and maintenance of offline CAs, based on frequently asked questions from customers. The articles are posted as: Security Best Practices for Offline CAs and Offline CA Maintenance Tasks. Since they are TechNet Wiki articles, you can not only review them, but also help to improve them.


HSPD-12 Logical Access Authentication and 2008 Active Directory Domains on Download Center

A follow-up document to the original HSPD-12 Logical Access Authentication and Active Directory Domains document has just been posted to the Download Center. The follow-up document demonstrates the increased flexibility of FIPS 201 PIV-II compliant smart cards with Windows Server® 2008 R2 Active Directory, Windows 7 and Office 2010. Included within this document are detailed…


Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES)

Important notice: Microsoft does not support any Apple products; if you need to troubleshoot any problem related to Apple products, please refer to http://www.apple.com/support   Warning: SCEP was designed to be used in a closed network where all end-points are trusted. The warnings from CERT in the article “Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate…


Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

Jonathan Stephens posted an excellent blog about this topic; however, it didn’t include the steps. As a result, I decided to type this blog detailing the steps required. The following assumptions have to be met before proceeding with these steps: 1- There is a new valid Certification Authority configured 2- There is a new distribution point configured…


EFS Certificates may be recovered as CNG certificates when CAPI CSP is required

If a Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key Storage Provider (KSP), the certutil -RecoverKey command will by default recover the key into a CNG provider, so the recovered certificate ends up as a CNG certificate. This default behavior could cause an issue if you are recovering a Rivest, Shamir and Adleman (RSA) key for the Encrypting File…
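The following PowerShell sequence is an added example, not code from the original post: it forces the recovered key into a legacy CAPI CSP instead of the KRA certificate's CNG KSP, imports the resulting PFX, and then checks which provider actually holds the private key. The recovery blob and PFX paths, and the choice of "Microsoft Enhanced Cryptographic Provider v1.0" as the CAPI provider, are assumptions for illustration; certutil's -csp option and -RecoverKey verb are real, and the check relies on the "Provider =" line that certutil -store prints for a certificate whose private key is present.

```powershell
# Added example, not part of the original post. Assumed paths and provider name:
$RecoveryBlob = 'C:\recovery\efs-user.blob'   # recovery blob produced earlier (assumed path)
$OutPfx       = 'C:\recovery\efs-user.pfx'    # where the recovered key will be written (assumed path)
# A legacy CAPI RSA CSP, chosen so the EFS key is NOT recovered into a CNG KSP (assumed choice)
$CapiCsp      = 'Microsoft Enhanced Cryptographic Provider v1.0'

# Step 1: recover the key. Without -csp, certutil follows the KRA certificate's provider,
# which is a CNG KSP in the scenario above. -csp overrides that choice.
# certutil prompts for the password that protects the output PFX.
certutil -csp $CapiCsp -RecoverKey $RecoveryBlob $OutPfx
if ($LASTEXITCODE -ne 0) { throw "certutil -RecoverKey failed with exit code $LASTEXITCODE" }

# Step 2: import the PFX into the current user's personal store.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$imported = Import-PfxCertificate -FilePath $OutPfx `
            -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# Step 3: ask certutil which provider holds the private key. A CAPI key reports a
# Cryptographic Service Provider; a CNG key reports a Key Storage Provider.
function Get-KeyProviderName {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # certutil -store accepts a SHA-1 thumbprint as the certificate selector
    $dump = certutil -user -store My $Thumbprint 2>&1 | Out-String
    $m = [regex]::Match($dump, 'Provider\s*=\s*(.+)')
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

$provider = Get-KeyProviderName -Thumbprint $imported.Thumbprint
if (-not $provider) {
    Write-Warning "No private key provider reported for $($imported.Thumbprint); the key may not have imported."
} elseif ($provider -match 'Key Storage Provider') {
    Write-Warning "Key landed in CNG KSP '$provider'. Delete it and re-run -RecoverKey with -csp set to a CAPI CSP."
} else {
    Write-Host "Key is held by CAPI CSP '$provider'; suitable for an EFS RSA key."
}
```

The provider check matters because the symptom only shows up when the user tries to open an EFS-protected file with the recovered certificate, long after the recovery itself reported success; catching a "Key Storage Provider" result at import time avoids that.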