News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals
Sample Code: End-to-End Certificate Transparency requests on ADCS CA
Hello all, Tochi Ezebube here again from the Active Directory Certificate Services engineering team....
Date: 12/12/2018
How will Certificate Transparency affect existing Active Directory Certificate Services environments?
Wes Hammond here from Premier Field Engineering. It has been a while since I posted anything, but I...
Date: 03/12/2018
[CrossPost] HTTPS Inspection and your PKI
Hey Everyone, A little while back I posted this article to my own personal blog and it is getting...
Date: 02/24/2017
How to write an NDES policy module
Hi there! This is Tochi Ezebube with the Active Directory Certificate Services (ADCS) engineering...
Date: 11/30/2016
[CrossPost] SHA1 Deprecation Policy
Update: This page has been removed. For the most up to date information on the Microsoft SHA1...
Date: 10/19/2015
[CrossPost] Implementing SHA-2 in Active Directory Certificate Services
A fellow engineer at Microsoft, Roger Grimes, has published a great article on Implementing SHA-2 in...
Date: 07/24/2015
Setting up NDES using a Group Managed Service Account (gMSA)
Hello everybody, this is Andy and...
Date: 04/26/2015
Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 3: Key Attestation
Hey Everyone, I am back with the last part of this 3 of this series on TPM protected certificates....
Date: 09/08/2014
Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 2: Virtual Smart Cards
Hey Everyone, I am back with part 2 of this 3 part series on TPM protected certificates. The topics...
Date: 07/15/2014
Setting up TPM protected certificates using a Microsoft Certificate Authority - Part 1: Microsoft Platform Crypto Provider
Hey Everyone, This is Wes Hammond with Premier Field Engineering back to share what I have learned...
Date: 06/05/2014
Windows Server 2012 R2/IIS8.5 - Automatic Rebind of Renewed Certificates
Hello All, This is Wes Hammond with Premier Field Engineering back with a follow-up to a previous blog...
Date: 04/28/2014
Constraints: what they are and how they’re used
Hey everyone this is Wes Hammond from Premier Field Engineering and I wanted to share with you some...
Date: 03/05/2014
A novel method in IE11 for dealing with fraudulent digital certificates
Digital certificates are a key mechanism for establishing identity on the Internet. Trust in these...
Date: 02/21/2014
[CrossPost] Microsoft PKI OCSP Responder Now JITC Certified and Lab Setup Guide
For those that missed the big news on the Ask Premier Field Engineering (PFE) Platforms blog, our...
Date: 01/08/2014
Upgrade Certification Authority to SHA256
A common question in the field is about upgrading a certification authority running on Windows...
Date: 09/19/2013
Renew Web Server (SSL) Certificates Automatically
Working with Internet Information Services (IIS) certificates can be a bit challenging especially...
Date: 08/27/2013
Windows PowerShell CRL Copy v2 posted to the gallery
Paul Fox has uploaded a revision of his former Windows PowerShell CRL Copy script. The new script is...
Date: 05/08/2013
PKI Library (PKI Documentation and Reference Library Updated)
Tonight I spent a couple of hours reorganizing the PKI Documentation and Reference Library. I also...
Date: 03/22/2013
Windows Server 2012 Active Directory Certificate Services System State Backup and Restore
Windows Server 2012 System State Backup allows an administrator to back-up several Operating System...
Date: 03/21/2013
Certutil and Certreq
I have consolidated and updated two command line utilities recently: Certreq, Certutil. I took all the...
Date: 03/08/2013
Query for Advanced CA Configuration Options
It is very common to check the configuration of any certification authority using certutil...
Date: 12/27/2012
Viewing Expired Certificate Revocation List (CRL)
Many customers must perform a regulatory audit annually to comply with industry standards and...
Date: 12/20/2012
Certificate for WinRT devices and non-domain member devices
Hi there, I am a test engineer in the Windows team working on certificate enrollment related areas....
Date: 12/10/2012
Group Protected PFX
A new feature is available in Windows Server 2012 and Windows 8 that allows you to protect exported...
Date: 10/08/2012
Blocking RSA keys less than 1024 bits (part 3)
Microsoft released a security advisory, KB article, and software update for all supported versions...
Date: 08/14/2012
Blocking RSA Keys less than 1024 bits (part 2)
On August 14, 2012, Microsoft will issue a critical non-security update (KB 2661254) for Windows XP,...
Date: 07/13/2012
How to determine if a smart card was used for logon
Fabian Müller, Premier Field Engineer (PFE) in Germany, just wrote a detailed article...
Date: 06/18/2012
RSA keys under 1024 bits are blocked
The strength of public key based cryptographic algorithms is determined based on the time taken to derive...
Date: 06/11/2012
Announcing the automated updater of untrustworthy certificates and keys
There are a number of known untrusted certificates and compromised keys that have been issued by...
Date: 06/11/2012
Request File Can’t be Located during CA Certificate Renewal
During my work with a customer renewing their Issuing CA’s certificate based on the steps...
Date: 05/29/2012
Visual Basic for Applications and SHA2
I was recently helping a customer deploy a SHA-256 based PKI. As part of the retirement of their old...
Date: 05/03/2012
Best Practice for Configuring Certificate Template Cryptography
Starting with Windows Vista and Windows Server 2008, the option to utilize Key Storage Providers...
Date: 04/27/2012
Network Device Enrollment Service (NDES) now on the TechNet Wiki
The Network Device Enrollment Service (NDES) whitepaper is now on the TechNet Wiki and I have...
Date: 04/18/2012
Offline CA articles posted to the TechNet Wiki
Amer Kamal recently posted two articles regarding the security and maintenance of offline CAs based...
Date: 03/18/2012
HSPD-12 Logical Access Authentication and 2008 Active Directory Domains on Download Center
A follow-up document to the original HSPD-12 Logical Access Authentication and Active Directory...
Date: 03/14/2012
Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES)
Important notice: Microsoft does not support any Apple products, if you need to troubleshoot any...
Date: 02/27/2012
Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One
Jonathan Stephens posted an excellent Blog about this topic; however, it didn’t include the...
Date: 01/27/2012
EFS Certificates may be recovered as CNG certificates when CAPI CSP is required
If a Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key...
Date: 01/23/2012
Windows PowerShell script for Setting up a CA on Windows Server 2008 and Windows Server 2008 R2
Microsoft MVP, Vadims Podans, has written and posted a Windows PowerShell script that can be used to...
Date: 12/08/2011
Key Recovery vs Data Recovery Differences
I am often asked when talking to my customers about the differences between Key Recovery and Data...
Date: 10/28/2011
How to decommission a Windows enterprise certification authority and how to remove all related objects
The Windows KB article 889250 titled "How to decommission a Windows enterprise certification...
Date: 10/07/2011
Does Enterprise PKI (PKIVIEW) support OCSP?
A common question from certification authority administrators is "Does Enterprise PKI (PKIView)...
Date: 10/07/2011
Updated requirements for a Windows Server 2008 R2 domain controller certificate from a 3rd party CA
Ingolfur has written a blog post as well as a TechNet Wiki article describing how a Windows Server...
Date: 09/28/2011
Windows 8 Developer Preview and AD CS / PKI: Cannot Get a Certificate from Web
If you are using Windows Developer Preview and have difficulty obtaining or downloading a...
Date: 09/14/2011
Internet Explorer 9 and Certificate Enrollment using Certificate Authority Web Enrollment
If you run into an issue where you are unable to download or save certificates using Internet...
Date: 08/18/2011
Active Directory Certificate Services Frequently Asked Questions - needs your help!
If you have commonly asked questions about certificate services or PKI that you think should be...
Date: 08/08/2011
AD CS Content Updates
The following documentation updates have been recently made: AD CS: Deploying Cross-forest...
Date: 08/03/2011
Important Security Update for Windows Server: Active Directory Certificate Services Web Enrollment!
An important security update, described in MS11-051 (https://go.microsoft.com/fwlink/?LinkId=217101)...
Date: 06/14/2011
Implementing LDAPS (LDAP over SSL)
LDAP over SSL (LDAPS) is becoming an increasingly hot topic - perhaps it is because Event Viewer ID...
Date: 06/02/2011
Deployment of the new Federal Common Policy CA Root Certificate
Background: On December 1, 2010 the Federal PKI Management Authority (FPKIMA), in compliance with...
Date: 03/13/2011