Windows PowerShell CRL Copy v2 posted to the gallery

Paul Fox has uploaded a revision of his former Windows PowerShell CRL Copy script. The new script is posted at the TechNet Gallery as Windows PowerShell Copy 2. The Windows PowerShell script monitors the remaining lifetime of a CRL, publishes a CRL to a UNC and/or NTFS location, and sends notifications via SMTP and the Event Log.


PKI Library (PKI Documentation and Reference Library Updated)

Tonight I spent a couple of hours reorganizing the PKI Documentation and Reference Library. I also created a vanity short URL to it: https://aka.ms/pkilibrary. Finding all our different information on AD CS and PKI can be challenging, so this reorganization will hopefully help you. If you see articles missing, broken links, or have suggestions –…


Certutil and Certreq

I have consolidated and updated two command line utilities recently: Certreq and Certutil. I took all the older links that I could find and pointed them to the locations above and then pointed out to the examples that we have already. Feel free to give me feedback on these consolidated documents. Thanks!


Query for Advanced CA Configuration Options

It is very common to check the configuration of any certification authority using the certutil -getreg command. The command allows a CA administrator to view the configured settings at a glance. But what if you need to configure advanced settings on your CA? How can you find a setting required for your compliance…

Group Protected PFX

A new feature is available in Windows Server 2012 and Windows 8 that allows you to protect exported PFX files (those in PKCS#12) to Active Directory Domain Services (AD DS) accounts. The feature is available only if you have a Windows Server 2012 domain controller deployed in your network. The TechNet Wiki article Certificate PFX…


Blocking RSA keys less than 1024 bits (part 3)

Microsoft released a security advisory, KB article, and software update for all supported versions of Windows that blocks RSA certificates with keys less than 1024 bits. The software update was released to the Download Center. The security advisory is located at http://technet.microsoft.com/security/advisory/2661254. The KB article is available at http://support.microsoft.com/kb/2661254. The update is available now to…


Blocking RSA Keys less than 1024 bits (part 2)

On August 14, 2012, Microsoft will issue a critical non-security update (KB 2661254) for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use of cryptographic keys that are less than 1024 bits. This update was first announced in the blog titled RSA keys…


How to determine if a smart card was used for logon

Fabian Müller, Premier Field Engineer (PFE) in Germany, just wrote a detailed article discussing a commonly asked question: how do I determine if a smart card was used for logon? The article is posted on the TechNet Wiki with a link to the Script Center for your convenience. Check out the article at: http://social.technet.microsoft.com/wiki/contents/articles/11844.find-out-if-a-smart-card-was-used-for-logon.aspx


RSA keys under 1024 bits are blocked

The strength of public-key cryptographic algorithms is determined by the time taken to derive the private key using brute force methods. An algorithm is deemed strong enough when the time required to derive the private key is prohibitive given the computing power at disposal. The threat landscape continues to evolve. As such,…


Announcing the automated updater of untrustworthy certificates and keys

There are a number of known untrusted certificates and compromised keys that have been issued by standard trusted root certification authorities. To help customers avoid interacting with these untrusted or compromised certificates and keys, an Automatic Updater of revoked certificates is now available for Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2,…