Constraints: what they are and how they’re used

Hey everyone, this is Wes Hammond from Premier Field Engineering, and I wanted to share with you some info that I have gathered about setting up constraints. What are Constraints? Constraints are used to restrict certification authorities that you DO NOT TRUST but that are part of your chain. They come in the form of rules…

A novel method in IE11 for dealing with fraudulent digital certificates

Digital certificates are a key mechanism for establishing identity on the Internet. Trust in these certificates is a result of trusting the issuing entity – the Certification Authority (CA). Unfortunately, as a result of a number of CA related incidents over the past few years, that trust has been somewhat undermined. A number of approaches…

[CrossPost] Microsoft PKI OCSP Responder Now JITC Certified and Lab Setup Guide

For those that missed the big news on the Ask Premier Field Engineering (PFE) Platforms blog, our OCSP responder is now JITC certified. This certification is important for customers looking to deploy our OCSP responder in US DoD environments. Jesse Esquivel posted a really excellent explanation, and a lab guide to help folks get started…


Upgrade Certification Authority to SHA256

A common question in the field is about upgrading a certification authority running on Windows Server 2003 to use Cryptography Next Generation (CNG) to support SHA256. CNG was introduced in Windows Server 2008 and higher operating systems; as a result, an upgrade of the operating system is required. After upgrading the certification authority's operating system, you…

Renew Web Server (SSL) Certificates Automatically

Working with Internet Information Services (IIS) certificates can be a bit challenging, especially during renewal time. Most organizations do not track Web SSL certificates, which in turn might expire and cause an unplanned outage. Those who do track this information, on the other hand, have to make sure certificates are renewed before their expiration date or…

Windows PowerShell CRL Copy v2 posted to the gallery

Paul Fox has uploaded a revision of his earlier Windows PowerShell CRL Copy script. The new script is posted at the TechNet Gallery as Windows PowerShell CRL Copy v2. The Windows PowerShell script monitors the remaining lifetime of a CRL, publishes a CRL to a UNC and/or NTFS location, and sends notifications via SMTP and the Event Log.


PKI Library (PKI Documentation and Reference Library Updated)

Tonight I spent a couple of hours reorganizing the PKI Documentation and Reference Library. I also created a vanity short URL to it https://aka.ms/pkilibrary. Finding all our different information on AD CS and PKI can be challenging, so this reorganization will hopefully help you. If you see articles missing, broken links, or have suggestions -…


Windows Server 2012 Active Directory Certificate Services System State Backup and Restore

Windows Server 2012 System State Backup allows an administrator to back up several operating system components, including those required for a successful restore of a Certification Authority. Any certification authority backup should include the private key, the certificate database, the logs, and the certification authority's registry configuration. The Windows Server Backup feature should be installed on the certification authority…

Certutil and Certreq

I have consolidated and updated two command line utilities recently: Certreq and Certutil. I took all the older links that I could find and pointed them to the locations above, and then pointed to the examples that we already have. Feel free to give me feedback on these consolidated documents. Thanks!


Query for Advanced CA Configuration Options

It is very common to check the configuration of any certification authority using the certutil -getreg command. The command allows a CA administrator to view the configured settings at a glance. But what if you need to configure advanced settings on your CA? How can you find a setting required for your compliance…
