[CrossPost] SHA1 Deprecation Policy

Update: This page has been removed.  For the most up to date information on the Microsoft SHA1 deprecation policy please see the links posted below https://blogs.technet.microsoft.com/msrc/2017/02/23/sha-1-collisions-research/ https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/#mmogekbBwHWMHGTL.97 https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx


RSA keys under 1024 bits are blocked

Public key based cryptographic algorithms strength is determined based on the time taken to derive the private key using brute force methods. The algorithm is deemed to be strong enough when the time required to derive private key is prohibitive enough using the computing power at disposal. The threat landscape continues to evolve.  As such,…

SHA2 and Windows

UPDATE (2/8):  Based on some recent questions, additional information has been posted about SHA2 and Windows. Introduction We’ve recently received a couple of requests from customers around the functionality of SHA-256 when running on Windows XP and 2003. This has been more important recently, as NIST has recommended the migration off of SHA-1 by end…


Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

Jonathan Stephens posted an excellent Blog about this topic; however, it didn’t include the steps. As a result, I decided to type this Blog detailing the steps required. The following assumptions have to be met before proceeding with these steps: 1- There is a new valid Certification Authority configured 2- There is a new distribution point configured…


Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

  Introduction: When designing a public key infrastructure (PKI) for your organization, you must develop an effective disaster recovery plan to ensure that, in the event of failure of the computer hosting Certificate Services, you can recover in a timely manner with little effect on your organization. Common Reasons that Make a Disaster Recovery Plan…


Windows PowerShell CRL Copy v2 posted to the gallery

Paul Fox has uploaded a revision of his former Windows PowerShell CRL Copy script. The new script is posted at the TechNet Gallery as Windows PowerShell Copy 2. The Windows PowerShell script monitors the remaining lifetime of a CRL, publishes a CRL to a UNC and\or NTFS location and sends notifications via SMTP and the Event Log.

Upgrade Certification Authority to SHA256

A common question in the field is about upgrading a certification authority running on Windows Server 2003 to use Crypto Next Generation (CNG) to support SHA256. CNG was introduced in Windows Server 2008 and higher operating systems, as a result,an upgrade to the operating system is required. After upgrading the certification authority’s operating system, you…


How to create a web server SSL certificate manually

The Internet Information Server (IIS) and Microsoft Internet Security and Acceleration (ISA) provide wizards in the administration user interface to request and install SSL certificates. With this blog post I want to explain how to request a SSL server certificate manually. The manual steps are required if the Certification Authority (CA) is not available in…


What is a strong key protection in Windows?

Strong key protection is one of the most misunderstood features in Windows security. In this post I will attempt to demystify it. I will also try to address some of the misconceptions about this feature that I’ve come across on the security discussion lists and while assisting our support folks. It all starts with Crypto……

Certutil and Certreq

I have consolidated and updated two command line utilities recently: Certreq Certutil I took all the older links that I could find and pointed them to the locations above and then pointed out to the examples that we have already. Feel free to give me feedback on these consolidated documents. Thanks!