
Microsoft Cloud Library

Articles about Microsoft Cloud

Latest news and technical articles related to cloud computing with Windows Server. We have carefully selected articles published by industry experts, featuring Microsoft’s engineering team.


Sample Code: End-to-End Certificate Transparency requests on ADCS CA

First published on TECHNET on Dec 12, 2018. Hello all, Tochi Ezebube here again from the Active Directory Certificate Services engineering team. Some time back, we released support for the precertificate flow of Certificate Transparency v1 (RFC 6962) in Windows Server 2016 (...

How to write an NDES policy module

First published on TECHNET on Nov 30, 2016. Hi there! This is Tochi Ezebube with the Active Directory Certificate Services (ADCS) engineering team; I wanted to share some further details on how to write a custom policy module for the ADCS Network ...

Setting up NDES using a Group Managed Service Account (gMSA)

First published on TECHNET on Apr 26, 2015. Hello everybody, this is Andy and Dagmar from Austrian Premier Field Engineering (PFE) describing how to implement NDES using a gMSA (instead of a normal domain user account). When creating a lab on ...

Setting up TPM protected certificates using a Microsoft Certificate Authority – Part 3: Key Attestation


First published on TECHNET on Sep 08, 2014. Hey everyone, I am back with the last part of this 3 part series on TPM protected certificates. The last topic for this series is on Key Attestation. Recently I have had ...

Setting up TPM protected certificates using a Microsoft Certificate Authority – Part 1: Microsoft Platform Crypto Provider


First published on TECHNET on Jun 05, 2014. Hey everyone, this is Wes Hammond with Premier Field Engineering back to share what I have learned about protecting digital certificates using the Trusted Platform Module in Windows desktops, laptops and servers. This ...

Windows Server 2012 R2/IIS8.5 – Automatic Rebind of Renewed Certificates


First published on TECHNET on Apr 28, 2014. Hello all, this is Wes Hammond with Premier Field Engineering back with a follow-up to a previous blog about automatic renewal of web site certificates. The original blog can be found in ...

Constraints: what they are and how they’re used


First published on TECHNET on Mar 05, 2014. Hey everyone, this is Wes Hammond from Premier Field Engineering and I wanted to share with you some info that I have gathered about setting up constraints. Constraints are used to restrict certificate authorities ...

A novel method in IE11 for dealing with fraudulent digital certificates

First published on TECHNET on Feb 21, 2014. Digital certificates are a key mechanism for establishing identity on the Internet. Trust in these certificates is a result of trusting the issuing entity - the Certification Authority (CA). Unfortunately, as a result ...

Upgrade Certification Authority to SHA256

First published on TECHNET on Sep 19, 2013. A common question in the field is about upgrading a certification authority running on Windows Server 2003 to use Crypto Next Generation (CNG) to support SHA256. CNG was introduced in Windows Server 2008 ...

Renew Web Server (SSL) Certificates Automatically

First published on TECHNET on Aug 27, 2013. Working with Internet Information Services (IIS) certificates can be a bit challenging, especially during renewal time. Most organizations do not track Web SSL certificates, which in turn might expire and cause an unplanned ...

PKI Library (PKI Documentation and Reference Library Updated)

First published on TECHNET on Mar 22, 2013. Tonight I spent a couple of hours reorganizing the PKI Documentation and Reference Library. I also created a vanity short URL to it: https://aka.ms/pkilibrary. Finding all our different information on AD ...

Windows Server 2012 Active Directory Certificate Services System State Backup and Restore

First published on TECHNET on Mar 21, 2013. Windows Server 2012 System State Backup allows an administrator to back up several Operating System components, including those required for a successful restore of a Certification Authority. Any certification authority backup should include the ...

Query for Advanced CA Configuration Options

First published on TECHNET on Dec 27, 2012. It is very common to check the configuration of any certification authority using the certutil -getreg command. The command will allow a CA administrator to view the configured settings at a glance. But what ...

Viewing Expired Certificate Revocation List (CRL)

First published on TECHNET on Dec 20, 2012. Many customers must perform a regulatory audit annually to comply with industry standards and business trends. Recently I was contacted by one of my customers, who was not able to view all of ...

Certificate for WinRT devices and non-domain member devices

First published on TECHNET on Dec 10, 2012. Hi there, I am a test engineer in the Windows team working on certificate enrollment related areas. Today I want to talk about certificates for Windows RT devices. Windows RT devices run on ARM ...

Group Protected PFX

First published on TECHNET on Oct 08, 2012. A new feature is available in Windows Server 2012 and Windows 8 that allows you to protect exported PFX files (those in PKCS#12) to Active Directory Domain Services (AD DS) accounts. The feature ...

Blocking RSA keys less than 1024 bits (part 3)

First published on TECHNET on Aug 14, 2012. Microsoft released a security advisory, KB article, and software update for all supported versions of Windows that blocks RSA certificates with keys less than 1024 bits. The software update was released to the ...

Blocking RSA Keys less than 1024 bits (part 2)

First published on TECHNET on Jul 13, 2012. On August 14, 2012, Microsoft will issue a critical non-security update (KB 2661254) for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server ...

How to determine if a smart card was used for logon

First published on TECHNET on Jun 18, 2012. Fabian Müller, Premier Field Engineer (PFE) in Germany, just wrote a detailed article discussing a commonly asked question: how do I determine if a smart card was used for logon? The article ...

RSA keys under 1024 bits are blocked

First published on TECHNET on Jun 11, 2012. The strength of public key based cryptographic algorithms is determined by the time taken to derive the private key using brute force methods. The algorithm is deemed to be strong enough when the time ...

Request File Can’t be Located during CA Certificate Renewal

First published on TECHNET on May 29, 2012. During my work with a customer renewing their Issuing CA’s certificate based on the steps documented in this article, I discovered that the Request file generated couldn’t be located in the default ...

Visual Basic for Applications and SHA2

First published on TECHNET on May 03, 2012. I was recently helping a customer deploy a SHA-256 based PKI. As part of the retirement of their old PKI, we reissued the code signing certificates used by their developers. We found that ...

Best Practice for Configuring Certificate Template Cryptography

First published on TECHNET on Apr 27, 2012. Starting with Windows Vista and Windows Server 2008, the option to utilize Key Storage Providers (KSPs) in addition to Cryptographic Service Providers (CSPs) was added. These options are available when you create a ...

Network Device Enrollment Service (NDES) now on the TechNet Wiki

First published on TECHNET on Apr 18, 2012. The Network Device Enrollment Service (NDES) whitepaper is now on the TechNet Wiki and I have already made a few updates that were requested. The old download center location has been updated to ...

Offline CA articles posted to the TechNet Wiki

First published on TECHNET on Mar 18, 2012. Amer Kamal recently posted two articles regarding the security and maintenance of offline CAs based on frequently asked questions from customers. These articles were posted as: Security Best Practices for Offline CAs and Offline ...

HSPD-12 Logical Access Authentication and 2008 Active Directory Domains on Download Center

First published on TECHNET on Mar 14, 2012. A follow-up document to the original HSPD-12 Logical Access Authentication and Active Directory Domains document has just been posted to the download center. The follow-up document demonstrates the increased flexibility of FIPS 201 ...

Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES)

First published on TECHNET on Feb 27, 2012. Warning: SCEP was designed to be used in a closed network where all end-points are trusted. The warnings from CERT in the article "Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate ...

Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

First published on TECHNET on Jan 27, 2012. Jonathan Stephens posted an excellent Blog about this topic; however, it didn’t include the steps. As a result, I decided to type this Blog detailing the steps required. The following assumptions have ...

EFS Certificates may be recovered as CNG certificates when CAPI CSP is required

First published on TECHNET on Jan 23, 2012. If a Key Recovery Agent (KRA) certificate is stored in a Cryptography Next Generation (CNG) Key Storage Provider (KSP), the certutil -RecoverKey command will by default recover a key as a CNG certificate ...