Windows PKI blog
News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals
Certificate Services setup failed with the following error: Element not found. 0x80070490
Until Windows Server 2008 shipped, every Domain Controller had a readable and writable copy of the...
Author: MS2065 [MSFT] Date: 01/26/2009
Cross-forest Certificate Enrollment with Windows Server 2008 R2 Beta
I am excited to announce the public availability of the Cross-forest Certificate Enrollment with...
Author: MS2065 [MSFT] Date: 01/20/2009
How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003
Today I want to comment on the quite popular Microsoft Knowledgebase article How to decommission a...
Author: MS2065 [MSFT] Date: 01/18/2009
New Windows Biometric Framework and Driver Model
Those of you who are interested in biometrics should look at the following documents: Introduction...
Author: MS2065 [MSFT] Date: 01/14/2009
Outlook S/MIME certificate selection
Consider that you are sending an encrypted eMail to a recipient who has multiple certificates stored...
Author: MS2065 [MSFT] Date: 12/17/2008
Defining the friendly name certificate property
The friendly name of a certificate can be helpful if multiple certificates with a similar subject...
Author: MS2065 [MSFT] Date: 12/12/2008
Suppressing certificate attributes in a CA certificate request
When a PKCS#10 request for a CA certificate is generated, a pre-defined set of certificate...
Author: MS2065 [MSFT] Date: 10/05/2008
Creating offline certificate requests through the user-interface on Windows Vista or Windows Server 2008
Windows Vista and Windows Server 2008 have a convenient user interface to create custom certificate...
Author: MS2065 [MSFT] Date: 10/04/2008
Disposition values for certutil -view -restrict (and some creative samples)
A while ago I explained how to determine all certificates that will expire within a given period....
Author: MS2065 [MSFT] Date: 10/03/2008
TechNet Presents: MCS Talks Enterprise Architecture session 4 – Security and PKI
You may be interested in one of our upcoming sessions that is focused on PKI design and is available...
Author: MS2065 [MSFT] Date: 09/03/2008
You cannot add V2 or V3 templates after an inplace upgrade was performed on a Windows Server 2008 enterprise CA
Technically, it is possible to install an enterprise CA on a Windows Server Standard edition. With...
Author: MS2065 [MSFT] Date: 07/31/2008
How EffectiveDate (thisupdate), NextUpdate and NextCRLPublish are calculated
The validity time of a certificate revocation list (CRL) is critical for every public key...
Author: MS2065 [MSFT] Date: 06/04/2008
New whitepapers about Windows Server 2008 Certificate Services
This blog-entry has two purposes: 1) make you aware of the two new whitepapers that have been just...
Author: MS2065 [MSFT] Date: 05/25/2008
How to determine all certificates that will expire within 30 days
Wouldn't it be interesting for the CA admin to know which certificates are expiring in the near...
Author: MS2065 [MSFT] Date: 04/24/2008
How to avoid Delta CRL download errors on Windows Server 2008 with IIS7
If delta CRLs are hosted on a Windows Server 2008 server running Internet Information Server 7...
Author: MS2065 [MSFT] Date: 02/24/2008
Update: Import the Root CA Certificate and CRL into an Intermediate CA from a Batch File
It came to our attention that the Best Practices for Implementing a Microsoft Windows Server 2003...
Author: MS2065 [MSFT] Date: 02/24/2008
How to set up a CA with a CNG (ECC) certificate
One of the improvements of the Windows Server 2008 Certification authority is the support for...
Author: MS2065 [MSFT] Date: 01/23/2008
Manually importing keys into a smart card
Have you thought about moving a certificate including its (exportable) keys from a user's profile...
Author: MS2065 [MSFT] Date: 11/13/2007
How to decode Windows errors
Many Windows error messages provide a hexadecimal error code, for example 0x8007267C. This code can...
Author: MS2065 [MSFT] Date: 10/17/2007
How to refresh the CRL cache on Windows Vista
By default, Windows is caching Certificate Revocation Lists (CRL) and CA certificates to quickly...
Author: MS2065 [MSFT] Date: 09/13/2007
How to re-install the default certificate templates?
When you launch the certificate templates MMC snap-in (certtmpl.msc) for the first time, the...
Author: MS2065 [MSFT] Date: 08/06/2007
Marking private keys as non-exportable with certutil -importpfx
When importing a PFX-file with the certificate import wizard, you can choose if the private key...
Author: MS2065 [MSFT] Date: 07/29/2007
Credential Roaming Hot Fix Available
If you have already deployed Credential Roaming (see the whitepaper or webcast) or if you have...
Author: MS2065 [MSFT] Date: 07/21/2007
The missing EDIT button in the CA properties extensions tab
To adjust the CRL and AIA distribution point there are at least three choices to do it. The most...
Author: MS2065 [MSFT] Date: 05/27/2007
A simple way to set the certutil -config option
When you are performing an operation on a remote CA, certutil requires the config string as input...
Author: MS2065 [MSFT] Date: 05/12/2007
Manually publishing a CA certificate or CRL into a LDAP store
The CA is automatically publishing its own certificates and related CRLs into Active Directory if a...
Author: MS2065 [MSFT] Date: 04/13/2007
How to find out the max size of certificate attributes
The other day I was asked how many subject alternate names will fit into a single certificate. I...
Author: MS2065 [MSFT] Date: 02/26/2007
How to manually set the archive flag for certificates
If you have to select a certain certificate for authentication for example, you may wonder why...
Author: MS2065 [MSFT] Date: 02/22/2007
How to download the most current CA certificate from a certificate web enrollment station
In some cases, you might want to download the most current CA certificate from a web enrollment...
Author: MS2065 [MSFT] Date: 02/10/2007
How to use Certificate Services Web enrollment pages together with Windows Vista
I just want to make you aware of an important Microsoft knowledge base article that explains the...
Author: MS2065 [MSFT] Date: 02/09/2007
How to exclude the certificate template name from certificates to be issued
By default, a Windows enterprise CA adds information about the certificate template used to...
Author: MS2065 [MSFT] Date: 01/03/2007
Configuring and Troubleshooting Certificate Services Client–Credential Roaming
After a long waiting time the Certificate Services Client credential roaming whitepaper got...
Author: MS2065 [MSFT] Date: 12/18/2006
The EASY way of CRL troubleshooting in Windows Vista
Easy CRL troubleshooting is just one click away in Windows Vista! Read on to learn how to enable...
Author: MS2065 [MSFT] Date: 12/16/2006
A file distribution point must follow the UNC syntax
Several whitepapers explain the three valid protocols (HTTP, LDAP or FILE) to retrieve a Certificate...
Author: MS2065 [MSFT] Date: 12/04/2006
Basic CRL checking with certutil
I want to start this blog with a very basic topic: CRL checking. In the past we have documented a...
Author: MS2065 [MSFT] Date: 11/30/2006