PKI Library (PKI Documentation and Reference Library Updated)

Tonight I spent a couple of hours reorganizing the PKI Documentation and Reference Library. I also created a vanity short URL to it. Finding all our different information on AD CS and PKI can be challenging, so this reorganization will hopefully help you. If you see articles missing, broken links, or have suggestions -…

Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

Jonathan Stephens posted an excellent Blog about this topic; however, it didn’t include the steps. As a result, I decided to type this Blog detailing the steps required. The following assumptions have to be met before proceeding with these steps: 1- There is a new valid Certification Authority configured 2- There is a new distribution point configured…


Updated requirements for a Windows Server 2008 R2 domain controller certificate from a 3rd party CA

Ingolfur has written a blog post as well as a TechNet Wiki article describing how a Windows Server 2008 R2 certification authority (CA) parses certificates, especially those from a third-party (3rd party) non-Microsoft CA. He also covers the Key Distribution Center (KDC) enhanced key usage (EKU) object identifiers (OIDs) and in the blog post KDC event ID…

What CA types are supported for clustering?

There are two types of certification authorities: Standalone and Enterprise. Only Enterprise certification authorities have been tested for clustered installations. A very short but maybe important statement.


Using VBScript to install CA on WS2008R2 server core

In my previous post I provided a script used for setup and installation of a CA using VBScript. The same script is capable of installing a CA on server core, where there is no UI available for installing. With the script and a few possible additional steps it’s pretty easy to install a CA on…

Automated CA installs using VB script on Windows Server 2008 and 2008R2 [UPDATED]

Starting with Windows Server 2008, the CA product team introduced a set of COM objects that can be used to control the installation of CAs. Using VBScript you can quickly automate the setup and installation of a CA. Below is a script that is being used by the product team in our testing of Certificate Services….


How to get request statistics by template in PowerShell

I’ve been working with our support folks helping one of our customers. One of the things we wanted to learn about the environment is how many requests have been made for each certificate template that they issue. We have come up with this PowerShell script that you can run against a CA to find out….

CA performance

Back in the year 2003 we published information about CA performance and how it is impacted by various factors. The TechNet article is called Evaluating CA Capacity, Performance, and Scalability and is more or less still valid. You may transform the enrollment numbers to current hardware capabilities. One thing that I would like…