Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

Jonathan Stephens posted an excellent Blog about this topic; however, it didn’t include the steps. As a result, I decided to type this Blog detailing the steps required. The following assumptions have to be met before proceeding with these steps: 1- There is a new valid Certification Authority configured 2- There is a new distribution point configured…


Automated CA installs using VB script on Windows Server 2008 and 2008R2 [UPDATED]

Starting with Windows Server 2008 the CA product team introduced a set of COM objects that can be used to control the installation of CAs. Using VBScript you can quickly automate the setup and installation of a CA.Below is a script that is being used by the product team in our testing of Certificate Services….


Certificate distribution and the Microsoft Terminal Services Client

A few days ago I worked in a test environment that also consists of a PKI. I used the Microsoft Terminal Services Client (mstsc.msc) for a while to connect to various machines in the test environment. One day, I helped a coworker troubleshooting a certificate problem in the test environment. From his machine, I connected…


Certificate Services setup failed with the following error: Element not found. 0x80070490

Until Windows Server 2008 shipped, every Domain Controller had a readable and writable copy of the Active Directory schema, domain naming context and configuration naming context. This statement changed when we introduced the Read Only Domain Controller (RODC) role with Windows Server 2008. The RODC creates several new configuration scenarios for Active Directory integrated applications….


How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003

Today I want to comment on the quite popular Microsoft Knowledgebase article How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server. I am referring to version 6.0 of the article with a review date of November 18th, 2008. You should…


Suppressing certificate attributes in a CA certificate request

When a PKCS#10 request for a CA certificate is generated, a pre-defined set of certificate attributes is included. This blog entry explains how to eliminate attributes that would go into the CA certificate request by default. Imagine that you are setting up a new subordinate CA where the parent CA is a non Windows CA….


You cannot add V2 or V3 templates after an inplace upgrade was performed on a Windows Server 2008 enterprise CA

Technically, it is possible to install an enterprise CA on a Windows Server Standard edition. With this configuration, enterprise features of the certification authority are intentionally not available. To enable the CA enterprise features, it is required to upgrade a Windows Server from Standard to Enterprise edition. To keep the existing enterprise CA configuration, it…


How EffectiveDate (thisupdate), NextUpdate and NextCRLPublish are calculated

The validity time of a certificate revocation list (CRL) is critical for every public key infrastructure. By default, most applications verify the validity of certificates against a CRL. Two CRL types exist: base CRLs and delta CRLs. In case where no delta CRL is used, certificates are treated as invalid if the base CRL is…


How to refresh the CRL cache on Windows Vista

By default, Windows is caching Certificate Revocation Lists (CRL) and CA certificates to quickly verify certificate chains. The downside of this behavior is that a newer CRL is not picked up by the client until the locally cached CRL has expired.   Windows versions before Windows Vista do not support deletion or a forced update…