How will Certificate Transparency affect existing Active Directory Certificate Services environments?

Wes Hammond here from Premier Field Engineering.  It has been a while since I posted anything, but I wanted to step back into the spotlight to talk a little bit about something a few customers have been asking about lately.  How will Certificate Transparency affect their Active Directory Certificate Services environments?  Well, here are your…


[CrossPost] HTTPS Inspection and your PKI

Hey Everyone, A little while back I posted this article to my own personal blog and it is getting some traction but it might get more here so I wanted to share it as these questions come up all the time.  I hope you enjoy it. https://blogs.technet.microsoft.com/crypto/2016/01/27/https-inspection-and-your-pki-2/


How to write an NDES policy module

Hi there! This is Tochi Ezebube with the Active Directory Certificate Services (ADCS) engineering team; I wanted to share some further details on how to write a custom policy module for the ADCS Network Device Enrollment Service (NDES) in Windows Server 2012 R2 and onwards. Here it is: how-to-write-an-ndes-policy-module. And here’s some general info on policy modules in…


[CrossPost] SHA1 Deprecation Policy

Update: This page has been removed.  For the most up-to-date information on the Microsoft SHA1 deprecation policy, please see the links posted below:
https://blogs.technet.microsoft.com/msrc/2017/02/23/sha-1-collisions-research/
https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/#mmogekbBwHWMHGTL.97
https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx


[CrossPost] Implementing SHA-2 in Active Directory Certificate Services

A fellow engineer at Microsoft, Roger Grimes, has published a great article on Implementing SHA-2 in ADCS.  You can read it at the link below: http://social.technet.microsoft.com/wiki/contents/articles/31296.implementing-sha-2-in-active-directory-certificate-services.aspx


Setting up NDES using a Group Managed Service Account (gMSA)

Hello everybody, this is Andy and Dagmar from Austrian Premier Field Engineering (PFE) describing how to implement NDES using a gMSA (instead of a normal domain user account). When creating a lab on how to implement NDES (Network Device Enrollment Service) on Windows Server 2012…


Setting up TPM protected certificates using a Microsoft Certificate Authority – Part 2: Virtual Smart Cards

Hey Everyone, I am back with part 2 of this 3-part series on TPM protected certificates.  The topics covered in this are related to Virtual Smart Cards, their benefits, and lastly their limitations.  I will also cover how to create a Virtual Smart Card.  Management of certificates contained on the virtual smart card are…


Setting up TPM protected certificates using a Microsoft Certificate Authority – Part 1: Microsoft Platform Crypto Provider

Hey Everyone, This is Wes Hammond with Premier Field Engineering back to share what I have learned about protecting digital certificates using the Trusted Platform Module in Windows desktops, laptops and servers. This is part one of a three-part series that will include the Microsoft Platform Crypto Provider, Virtual Smart Cards, and lastly the…


Windows Server 2012 R2/IIS8.5 – Automatic Rebind of Renewed Certificates

Hello All, This is Wes Hammond with Premier Field Engineering back with a follow-up to a previous blog about automatic renewal of web site certificates.  The original blog can be found in the references below. IIS 8.5 in Windows Server 2012 R2 includes a new option that allows certificates renewed via Auto Enrollment to rebind…
