UPDATE (2/8): Based on some recent questions, additional information has been posted about SHA2 and Windows. Introduction: We’ve recently received a couple of requests from customers around the functionality of SHA-256 when running on Windows XP and 2003. This has become more important recently, as NIST has recommended the migration off of SHA-1 by end…
Year: 2010
Active Directory Certificate Services Monitoring Management Pack
A new version of the Certificate Services Monitoring Management Pack became available. Get more information from the Management Pack Catalog or the Microsoft Download Center.
Microsoft Certificate Server virtualization policy
If you are unsure about the Microsoft Certificate Server virtualization policy, see the Microsoft Virtual Server support policy knowledge base article at http://support.microsoft.com/kb/897613. It is worth mentioning that a hardware security module (HSM) is always recommended when operating a certification authority on a virtual Windows Server. The rationale behind this recommendation is quite simple:…
Backing up Windows Server 2008 ADCS CA Keys
[EDIT 2/20/2012] This problem has recently been resolved in a hotfix update: System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2 – http://support.microsoft.com/kb/2603469. Backing up a Windows Server 2008 (including 2008 R2) Certification Authority (ADCS) involves a few extra steps compared to earlier…
Firewall Rules for Active Directory Certificate Services
Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP- and DCOM-based enrollment. The information was developed by Microsoft Consultant Services during one of our customer engagements. The table columns are Protocol, Port, From, To, Action and Comments; the first row is Kerberos, port 464, from Certificate Enrollment Web Services to Domain Controllers…
Design Considerations before Building a Two Tier PKI Infrastructure
Environmental Dependencies: 1- Determine if the Active Directory Forest has Windows 2000 Domain Controllers. This is important because of modifications to the CertPublishers group scope, and permissions related to the AdminSDHolder role. These permissions can be added by using the Dsacls command. 2- Determine if the Active Directory Schema was upgraded to at least Windows…
Certificate Path Validation in Bridge CA and Cross-Certification Environments
Recently, we’ve had a deluge of questions regarding chain building and selection, especially in the presence of cross-certified certificates. Hopefully, this post will make Crypto API 2 (CAPI2) chaining logic clearer and help enterprise admins design and troubleshoot their public key infrastructure. While trying to validate an end entity, CAPI2 tries to select the best quality…
Powershell CRL Copy
This script writes a Certification Authority’s Certificate Revocation List to HTTP-based CRL Distribution Points via a UNC path. It checks to make sure that the copy was successful and that the CDPs have not expired and are not about to expire. Alerts/status messages are sent via SMTP and event log entries. It performs the following steps: Determines…
How to Request a Certificate With a Custom Subject Alternative Name
Today many servers require some sort of SSL certificate to be deployed and in many cases custom names are involved. My colleague just published a document How to Request a Certificate With a Custom Subject Alternative Name that I strongly recommend reading.
Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)
Introduction: When designing a public key infrastructure (PKI) for your organization, you must develop an effective disaster recovery plan to ensure that, in the event of failure of the computer hosting Certificate Services, you can recover in a timely manner with little effect on your organization. Common Reasons that Make a Disaster Recovery Plan…