Archive

Archive for the ‘AD CS documentation updates’ Category

Group Protected PFX

October 8th, 2012 No comments

A new feature is available in Windows Server 2012 and Windows 8 that allows you to protect exported PFX files (those in PKCS#12) to Active Directory Domain Services (AD DS) accounts. The feature is available only if you have a Windows Server 2012 domain controller deployed in your network. The TechNet Wiki article Certificate PFX Export and Import using AD DS Account Protection describes the feature further.

ExportWizard

Group Protected PFX

October 8th, 2012 No comments

A new feature is available in Windows Server 2012 and Windows 8 that allows you to protect exported PFX files (those in PKCS#12) to Active Directory Domain Services (AD DS) accounts. The feature is available only if you have a Windows Server 2012 domain controller deployed in your network. The TechNet Wiki article Certificate PFX Export and Import using AD DS Account Protection describes the feature further.

ExportWizard

Group Protected PFX

October 8th, 2012 No comments

A new feature is available in Windows Server 2012 and Windows 8 that allows you to protect exported PFX files (those in PKCS#12) to Active Directory Domain Services (AD DS) accounts. The feature is available only if you have a Windows Server 2012 domain controller deployed in your network. The TechNet Wiki article Certificate PFX Export and Import using AD DS Account Protection describes the feature further.

ExportWizard

Request File Can’t be Located during CA Certificate Renewal

May 29th, 2012 No comments

During my work with a customer renewing their Issuing CA’s certificate based on the steps documented in this article, I discovered that the Request file generated couldn’t be located in the default location of %systemDrive% . The Issuing CA didn’t log any errors in the Event Log, nor did it post any error messages. I also searched for all files with the extension *.req on all drives, and still couldn’t find the file.

After some more research, I discovered that my customer changed the default location of the RequestFileName Registry Key during their installation to a drive that no longer exists on the CA. The location configured was a:\%1_%3%4.req. I followed these steps to fix this issue:

  1. Start the Registry Editor
  2. Navigate to HKLM\System\CurrentControlSet\Services\Certsvc\Configuration\<CASanitizedName>
  3. Locate the Registry String RequestFileName
  4. Change the value from a:\%1_%3%4.req to C:\%1_%3%4.req
  5. Stop and Start the Certification Active Directory Certificate Services service

I was then able to create the Request File and submit it to the Offline Root CA to process it.

 

Request File Can’t be Located during CA Certificate Renewal

May 29th, 2012 No comments

During my work with a customer renewing their Issuing CA’s certificate based on the steps documented in this article, I discovered that the Request file generated couldn’t be located in the default location of %systemDrive% . The Issuing CA didn’t log any errors in the Event Log, nor did it post any error messages. I also searched for all files with the extension *.req on all drives, and still couldn’t find the file.

After some more research, I discovered that my customer changed the default location of the RequestFileName Registry Key during their installation to a drive that no longer exists on the CA. The location configured was a:\%1_%3%4.req. I followed these steps to fix this issue:

  1. Start the Registry Editor
  2. Navigate to HKLM\System\CurrentControlSet\Services\Certsvc\Configuration\<CASanitizedName>
  3. Locate the Registry String RequestFileName
  4. Change the value from a:\%1_%3%4.req to C:\%1_%3%4.req
  5. Stop and Start the Certification Active Directory Certificate Services service

I was then able to create the Request File and submit it to the Offline Root CA to process it.

 

Request File Can’t be Located during CA Certificate Renewal

May 29th, 2012 No comments

During my work with a customer renewing their Issuing CA’s certificate based on the steps documented in this article, I discovered that the Request file generated couldn’t be located in the default location of %systemDrive% . The Issuing CA didn’t log any errors in the Event Log, nor did it post any error messages. I also searched for all files with the extension *.req on all drives, and still couldn’t find the file.

After some more research, I discovered that my customer changed the default location of the RequestFileName Registry Key during their installation to a drive that no longer exists on the CA. The location configured was a:%1_%3%4.req. I followed these steps to fix this issue:

  1. Start the Registry Editor
  2. Navigate to HKLMSystemCurrentControlSetServicesCertsvcConfiguration<CASanitizedName>
  3. Locate the Registry String RequestFileName
  4. Change the value from a:%1_%3%4.req to C:%1_%3%4.req
  5. Stop and Start the Certification Active Directory Certificate Services service

I was then able to create the Request File and submit it to the Offline Root CA to process it.

 

Best Practice for Configuring Certificate Template Cryptography

April 28th, 2012 No comments

Starting with Windows Vista and Windows Server 2008, the option to utilize Key Storage Providers (KSPs) in addition to Cryptographic Service Providers (CSPs) was added. These options are available when you create a Certificate Template and configure the settings in the Cryptography tab. Depending on the template duplicated, you may see that the default option is Request can use any provider available on the subject’s computer. However, the best practice is to select Requests must use one of the following providers. Then, ensure you configure only the providers that you want to be used. Another best practice is to use a key size of 1024 bits or higher.

More about this topic is on the TechNet Wiki http://social.technet.microsoft.com/wiki/contents/articles/10192.a-certificate-could-not-be-created-a-private-key-could-not-be-created.aspx

Best Practice for Configuring Certificate Template Cryptography

April 28th, 2012 No comments

Starting with Windows Vista and Windows Server 2008, the option to utilize Key Storage Providers (KSPs) in addition to Cryptographic Service Providers (CSPs) was added. These options are available when you create a Certificate Template and configure the settings in the Cryptography tab. Depending on the template duplicated, you may see that the default option is Request can use any provider available on the subject’s computer. However, the best practice is to select Requests must use one of the following providers. Then, ensure you configure only the providers that you want to be used. Another best practice is to use a key size of 1024 bits or higher.

More about this topic is on the TechNet Wiki http://social.technet.microsoft.com/wiki/contents/articles/10192.a-certificate-could-not-be-created-a-private-key-could-not-be-created.aspx

AD CS Content Updates

August 4th, 2011 No comments

The following documentation updates have been recently made:

  1. AD CS: Deploying Cross-forest Certificate Enrollment – updated with a link to the download center version of the document
  2. Additional documents added to the “future” consolidated download center page for Active DIirectory Certificate Services (AD CS) @ http://go.microsoft.com/fwlink/?LinkId=212919
  3. Note added to Identify a Key Recovery agent to point to information about the differences between Certificate Template Versions
  4. Added a question/answer about AD CS on ServerCore to the AD CS FAQ.
  5. Removed port 440 from an older PKI blog entry: http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx
  6. Modified the first note in Configure CRL and Delta CRL Overlap Periods for clarity.

Categories: AD CS documentation updates Tags: