SHA2 and Windows

UPDATE (2/8): Based on some recent questions, additional information has been posted about SHA2 and Windows. Introduction: We’ve recently received a couple of requests from customers around the functionality of SHA-256 when running on Windows XP and 2003. This has been more important recently, as NIST has recommended the migration off of SHA-1 by end…

Microsoft Certificate Server virtualization policy

If you are unsure regarding the Microsoft Certificate Server virtualization policy, see the Microsoft Virtual Server support policy knowledge base article at http://support.microsoft.com/kb/897613. It is worth mentioning that a hardware security module (HSM) is always recommended when operating a certification authority on a virtual Windows Server. The rationale behind this recommendation is quite simple:…

Backing up Windows Server 2008 ADCS CA Keys

[EDIT 2/20/2012] This problem has recently been resolved in a hotfix update. System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2 – http://support.microsoft.com/kb/2603469. Backing up a Windows Server 2008 (including 2008 R2) Certification Authority (ADCS) involves a few extra steps compared to earlier…

Firewall Rules for Active Directory Certificate Services

Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP and DCOM based enrollment. The information was developed by Microsoft Consultant Services during one of our customer engagements. The table columns are Protocol, Port, From, To, Action and Comments; the first row is Kerberos, port 464, from Certificate Enrollment Web Services to Domain Controllers…

Design Considerations before Building a Two Tier PKI Infrastructure

Environmental Dependencies:
1- Determine if the Active Directory Forest has Windows 2000 Domain Controllers. This is important because of modifications to the CertPublishers group scope, and permissions related to the AdminSDHolder role. These permissions can be added by using the Dsacls command.
2- Determine if the Active Directory Schema was upgraded to at least Windows…

Certificate Path Validation in Bridge CA and Cross-Certification Environments

Recently, we’ve had a deluge of questions regarding chain building and selection, especially in the presence of cross-certified certificates. Hopefully, this post will make Crypto API 2 (CAPI2) chaining logic clearer and help enterprise admins design and troubleshoot their public key infrastructure. While trying to validate an end entity, CAPI2 tries to select the best quality…

Powershell CRL Copy

This script writes a Certification Authority’s Certificate Revocation List to HTTP based CRL Distribution Points via a UNC path. It checks to make sure that the copy was successful and that the CDPs have not expired and are not about to expire. Alerts/status messages are sent via SMTP and event log entries. Performs the following steps: Determines…

Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

Introduction: When designing a public key infrastructure (PKI) for your organization, you must develop an effective disaster recovery plan to ensure that, in the event of failure of the computer hosting Certificate Services, you can recover in a timely manner with little effect on your organization. Common Reasons that Make a Disaster Recovery Plan…