Windows PowerShell script for Setting up a CA on Windows Server 2008 and Windows Server 2008 R2

Microsoft MVP Vadims Podans has written a Windows PowerShell script that can be used to set up a certification authority (CA). He posted the script on the TechNet Script Repository as Setup Certification Authority with PowerShell, at http://gallery.technet.microsoft.com/scriptcenter/Setup-Certification-bd2aff3e.


Key Recovery vs Data Recovery Differences

When talking to my customers, I am often asked about the differences between Key Recovery and Data Recovery for encrypted files, as well as which method to use. As a result, this blog will focus on both areas, explaining the differences and best practices. Both methods can easily be understood, after understanding the Encrypting File…


How to decommission a Windows enterprise certification authority and how to remove all related objects

The Windows KB article 889250 titled “How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows Server 2000” has been revised on the TechNet Wiki to include information for Windows Server 2008 and 2008 R2 as article How to Decommission a Windows Enterprise Certification Authority and…


Does Enterprise PKI (PKIVIEW) support OCSP?

A common question from certification authority administrators is “Does Enterprise PKI (PKIView) support OCSP?” Yes, the Microsoft Management Console (MMC) Enterprise PKI (PKIView), supports the  When setting up Certificate Extensions, you must ensure that the Include in the AIA extension of issued certificates is not selected. That option is located in the Extensions tab of…


Updated requirements for a Windows Server 2008 R2 domain controller certificate from a 3rd party CA

Ingolfur has written a blog post as well as a TechNet Wiki article describing how a Windows Server 2008 R2 certification authority (CA) parses certificates, especially those from a third-party (3rd party) non-Microsoft CA. He also covers the Key Distribution Center (KDC) enhanced key usage (EKU) object identifiers (OIDs) and in the blog post KDC event ID…


Windows 8 Developer Preview and AD CS / PKI: Cannot Get a Certificate from Web

If you are using Windows Developer Preview and have difficulty obtaining or downloading a certificate using Internet Explorer 10 (IE 10), try using compatibility mode. Turning on Compatibility View is the same in IE10 as in IE9, so you can follow the instructions at “Why do some web pages look incorrect in Internet Explorer 9?” to make…


Internet Explorer 9 and Certificate Enrollment using Certificate Authority Web Enrollment

If you run into an issue where you are unable to download or save certificates using Internet Explorer 9 (IE 9) and the Certificate Authority Web Enrollment service of a certification authority, you should be sure to disable the enhanced security option of Internet Explorer. See TechNet Wiki article: http://social.technet.microsoft.com/wiki/contents/articles/you-cannot-download-ca-certificate-from-web-enrollment-pages.aspx for more details.


Active Directory Certificate Services Frequently Asked Questions – needs your help!

If you have commonly asked questions about certificate services or PKI that you think should be listed in the Active Directory Certificate Services Frequently Asked Questions (AD CS FAQ) list, I encourage you to submit them to the TechNet Wiki posting http://social.technet.microsoft.com/wiki/contents/articles/ad-cs-faq.aspx. Don’t worry about the formatting, I can clean that up, if needed. Also,…


AD CS Content Updates

The following documentation updates have been recently made: AD CS: Deploying Cross-forest Certificate Enrollment – updated with a link to the download center version of the document; Additional documents added to the “future” consolidated download center page for Active Directory Certificate Services (AD CS) @ http://go.microsoft.com/fwlink/?LinkId=212919; Note added to Identify a Key Recovery agent to point to…


Important Security Update for Windows Server: Active Directory Certificate Services Web Enrollment!

An important security update, described in MS11-051 (http://go.microsoft.com/fwlink/?LinkId=217101) was released today. The update fixes a cross-site scripting vulnerability in the sample web enrollment ASP pages that are part of Active Directory Certificate Services Web Enrollment in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. Important: Back up any sample web enrollment sample…