Quickly find all GPOs with PKI settings

When doing PKI audits and also when troubleshooting autoenrollment I want to see if there are multiple Group Policies that configure contradictory PKI settings.

Instead of manually going through all GPOs, I wrote a PowerShell script that lists all GPOs that have PKI settings in them, and also singles out those that configure autoenrollment.

Here is a sample output:


As you can see, I look in both the Computer and User scope of each GPO.

The script utilizes the commands Get-GPO and Get-GPOReport, so you need to run the script on a computer that has the Group Policy Management feature installed (like a DC) or a computer with the Remote Server Administration Tools installed.

As always, there is room for improvement. Besides error management, perhaps showing the actual settings and also where the GPOs are currently linked. Feel free to improve it, and let me know if I can reshare it.
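An added illustration of the approach the post describes (this is not the script the post links to): it walks every GPO with Get-GPO, pulls the XML report with Get-GPOReport, and inspects the Computer and User scope separately. It assumes that the XML report marks the Public Key client-side extension with a namespace containing "GroupPolicy/Settings/PublicKey" and that autoenrollment settings appear under an element whose name contains "AutoEnrollment".

```powershell
# Added example, not the post's own script. Requires the GroupPolicy module
# (Group Policy Management feature or RSAT) and runs against the current domain.
Import-Module GroupPolicy

function Get-PkiGpo {
    <#
      Returns one row per GPO and scope (Computer / User) that carries PKI
      settings, with a flag for autoenrollment, so contradicting policies
      can be spotted at a glance.
    #>
    [CmdletBinding()]
    param()

    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        foreach ($scope in 'Computer', 'User') {
            $node = $report.GPO.$scope
            if (-not $node) { continue }

            # Each <ExtensionData> wraps one client-side extension; pick the
            # Public Key one by its XML namespace (assumed, see lead-in).
            $pki = @($node.ExtensionData |
                Where-Object { $_.OuterXml -match 'GroupPolicy/Settings/PublicKey' })
            if ($pki.Count -eq 0) { continue }

            [pscustomobject]@{
                GpoName        = $gpo.DisplayName
                Scope          = $scope
                ScopeEnabled   = ($node.Enabled -eq 'true')
                # Element name containing "AutoEnrollment" is an assumption.
                AutoEnrollment = [bool]($pki | Where-Object { $_.OuterXml -match 'AutoEnrollment' })
                Id             = $gpo.Id
            }
        }
    }
}

# Usage: every GPO with PKI settings, autoenrollment policies listed first.
Get-PkiGpo |
    Sort-Object -Property @{ Expression = 'AutoEnrollment'; Descending = $true }, GpoName |
    Format-Table -AutoSize
```

Two or more rows with AutoEnrollment set to True in the same scope are the candidates for contradictory settings; open those GPOs and compare the actual values.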

You can view and download the PowerShell script here:

Standard Disclaimer: I am NOT a professional coder. I am not responsible for what this script does. Do a code audit and testing in test environment if you run it in a sensitive environment.

Please leave any feedback you have as a comment to this post.

Posted in Uncategorized

What is Azure Information Protection


One of the security solutions I work with is called Azure Information Protection.

It is Microsoft’s solution for labeling and protecting information and it has some awesome features:

  • Super simple to use for end users, just a click away or fully automatic (based on location, recipient or content)
  • Access is based on your identity, no static passwords or keys that need to be remembered, shared or managed
  • The information can be encrypted, which keeps the bad guys out
  • You can set policies for what users are allowed to do with the information once they have access, such as printing, copying or forwarding, which makes it easier for good guys to follow the rules and avoid mistakes
  • The information is labeled in a way so that other solutions, such as Exchange, SharePoint, Cloud App Security and even third party DLP services, can make decisions based on it
  • Custom watermarking and header/footer can be added to the information
  • The protection follows the information wherever it goes
  • You can share safely with anyone
  • All file types and most platforms (including Mac, iOS and Android) are supported
  • You can track who accessed your protected information
  • You can remotely kill a document (without access to the file), making it totally unreadable for anyone from that point on. Can your current information protection solution do this?
  • Microsoft never needs to have access to your information, they only manage the authentication part
  • The team at Microsoft behind this service are not only really nice people, but also really attentive to customers’ needs and have shown remarkable agility in their development
  • I could go on, but, I’m sure most of you stopped reading this list by now and jumped to the video below 🙂

If you want to know more, see this 2 minute overview video, or contact me for further discussions:

Note that this service used to be called Rights Management Services, and the RMS technology is very much still used for the encryption and policy parts. But when Microsoft added the user friendly labeling part, which can be used for so much more than just RMS protection, they renamed it to Azure Information Protection. In other words, RMS went from being the front-end solution to being one of the consequences that can be applied based on the chosen label. Using the RMS features without the labeling is still available and works just as well.

Posted in AIP, information protection, Rights Management Services, RMS

My two sessions from TechX [in Swedish]

I gave two talks at the TechX conference held at Microsoft headquarters in Stockholm on February 13-17, 2017.


The sessions were recorded and are now available to watch on YouTube [see links below]. Note that they are delivered in Swedish.

Both sessions covered the same three security solutions from Microsoft:

  • Windows Defender Advanced Threat Protection
  • Office 365 Advanced Threat Protection
  • Advanced Threat Analytics

I know, they all have very similar names. But this image shows how they relate and how they complement each other to provide protection on several layers:


In the first session I talked about what the products actually are. In the second I talked about how to get started with them. Both have demos.

Unfortunately I had sound issues, which was a bummer since I had several embedded videos in my presentation, but hey, that’s life…

Here are the videos:

TechX 2017 – Detektera och förhindra intrång [Detect and prevent intrusions]

TechX 2017 – Hur kommer du igång med WDATP + ATA + Office ATP? [How do you get started with WDATP + ATA + Office ATP?]

Posted in ATA, OATP, TechX, WDATP

Translate Windows messages in other languages

Sometimes I run into error messages in foreign languages, like this French one:


Ok, I admit it, I made the dialog box myself, but the message text is real. And I have no idea what it means.

So, how can I find out what “Le contenu a été bloqué, car il utilise un protocole de chiffrement non sécurisé.” really means? Preferably with the exact wording of the corresponding English message in Windows.

As in most cases, Google is your friend. There are also many online translation services, but since a word can have multiple meanings they might alter the wording, and that can make further troubleshooting searches harder.

But did you know that Microsoft has a Language Portal, where you can search and translate Microsoft official terminology?

The address is https://www.microsoft.com/Language/en-us/Search.aspx
and it looks like this:


In the search result for the message above you can see what the message says:


You can also search translations from English to other languages. The list contains a whopping 115 languages! Did you for instance know that the word administrator is called alábòójútó in the language Yoruba and umlawuli in the language isiXhosa?

You do not have to search the exact string, partial matches will work as well. You can also filter your results based on 118 different products. Here I have limited my search results of the word administrator to only show results from the product Intune:


I hope this tip will help others who sometimes also have to troubleshoot Windows machines configured with a foreign language.

Posted in Uncategorized

LastPass now also free on mobile devices


The password manager LastPass has always been free to use in your web browser, but they just announced that they will no longer require a paid subscription for accessing your LastPass from mobile devices:


If you are not using a password manager yet, there is a chance that you might be reusing the same few passwords on all your different websites, and perhaps also keeping them simple/short so that they are easier to remember. Both of these are really bad ideas.

I can really recommend LastPass for managing all your passwords. I have been a paid subscriber for several years and store hundreds of passwords to websites, Wi-Fi connections, PIN codes and other various secret things there.

There are other alternatives that are equally good; which one you choose is not the most important thing, just that you start using one.

Remember to use a very secure and long master password. Put some effort into creating and remembering it, and take comfort in that it is (almost) the last password you will ever have to remember. Hence the name of the service.

Don’t forget to activate two-factor authentication, and to configure LastPass to log you out when you log on from another browser/device and also after a certain time of inactivity. Even though using a password manager can increase the complexity of all your passwords while making life a lot easier for you, if someone gets into your account they have the keys to all your kingdoms.

LastPass can be configured to do a lot of things, and I won’t go through all the features here. But be sure to check it out to increase your identity protection without going insane remembering tons of different complex passwords.

Read more about how LastPass can make your password life a lot easier:


Posted in Uncategorized

Azure Information Protection client – now with diagnostics!

The Azure Information Protection client was recently updated to version

One of the improvements is a built-in diagnostics tool:


You get to this dialog box by going to the Home tab and clicking on the Protect icon in an Office application, and then selecting Help and feedback:


As you can see this option is not there in the previous version of the client:


When you click the Run diagnostics link a new window appears and the progress of the diagnostic tests is continuously updated:


You might get prompted to log in with your Azure AD account:


The test takes some time (see the status bar text in the image above), but it sure takes A LOT less time than doing all these tests manually.

When the test is finished you can click Copy Result and send it to your helpdesk or to Microsoft support. You can also click Reset to perform a reset of the Azure Information Protection client’s settings:


If you choose to perform a reset you will see these prompts:



I have seen the diagnostic tool get stuck at different stages of testing, but simply closing the result window and re-running the diagnostics has solved it.

You can download the latest version of the Azure Information Protection client with the built-in diagnostic tool here:

Posted in AIP, information protection, Rights Management Services, RMS

Get free SSL certificates with Let’s Encrypt

I have previously blogged about how you can get a free SSL certificate from the Certification Authority called WoSign, but they have been misbehaving lately (see details here) and some big companies like Apple, Google and Mozilla are actually considering removing the built-in trust to WoSign in their browsers.

So I decided it’s time to write a new post, this time using the Certification Authority Let’s Encrypt, which also makes it a lot less complicated. But still free!


So what is Let’s Encrypt?

It is a free, automated and open certificate provider. The organization behind Let’s Encrypt is called Internet Security Research Group (ISRG) and they have a lot of official sponsors. Here are a few of the more well-known, which shows that Let’s Encrypt is a serious player on the market and that they should be around for a long time:


Let’s Encrypt is already trusted by most browsers today. To achieve this already in the early stages, Let’s Encrypt’s intermediate Certificate Authorities have been cross-signed by IdenTrust. Eventually, when enough browsers trust Let’s Encrypt natively, they will stand on their own. Read more about the cross-signing here.

The certificate issuance is based on Domain Validation, which means that you have to prove your ownership of a domain name by creating a publicly accessible file under that domain name. You are then allowed to request a free SSL certificate for that domain name. The protocol used is called ACME (not the best name if you ask me, since it makes me think of the cartoon Road Runner).

The validity time of certificates from Let’s Encrypt is shorter, only 90 days instead of the usual 1-3 years for SSL certificates. Read why here. But since re-enrollment is automatic (and free) it should not be an issue.

There are currently over 8.6 million unexpired certificates issued by Let’s Encrypt. See more statistics here.

Update 2016-10-19: Today they reached 10 million!
Update 2017-06-28: They have now issued 100 million certificates (link).
Update 2017-10-20: Let’s Encrypt is the largest issuing CA in the Alexa Top 1 Million!

In this blogpost I chose to go with the ACME client letsencrypt-win-simple. It is limited to IIS but is very simple to use. There are many different clients for different operating systems, web servers and languages that you can choose from.

Note that the certificate will have the Enhanced Key Usages Server Authentication and Client Authentication, which means that it can also be used for other things than just web servers, such as VPN servers, email servers etc.

The steps

First the basic setup. I installed a Windows Server 2016 (as an Azure VM, but that is not really relevant here).

I installed the role Web Server (IIS), no other roles or features are needed.

I created a new Web Site called certdemo that points to the folder C:\certdemo:


I configured the site binding to use the host name certdemo.tomdemo.se and port 80. The tool I am using will scan IIS for bindings based on host names, so you need to make sure that the web sites you want to enroll certificates for have a host name configured:


If I browse that URL I can access the site over HTTP:


But if I try to access it over HTTPS it fails, which is expected since no binding or certificate for this exists:


Next, I downloaded the zip file containing the letsencrypt-win-simple files. The latest version at the time of writing this blogpost was v1.9.1 and is about 4 MB:


Extract the files from the zip archive. Do not use a temp folder that might be deleted or that is hard to find. The application will be regularly run from that folder going forward (for the automatic re-enrollments). I chose C:\letsencrypt-win-simple:


Note the file letsencrypt.exe.config here, it will be referenced later in this post. It contains some settings that you might want to modify before running the tool. You can search for that file name in this post to find them.

Run letsencrypt.exe as administrator:


Enter an email address that will be used to send notifications if a renewal fails. I have not received ANY unrelated emails or spam to that address:


Agree to the Subscriber Agreement by typing Y (after reading it thoroughly of course):


Now a configuration file and a secret key are created. These will be used for certificate requests going forward. The files are stored in the following location:


Note: This location can be modified by editing the setting CertificatePath in the file letsencrypt.exe.config before running the tool.

Now I type A to get certificates for all hosts (which in my case is only one):


Below you can see the Domain Validation actually being performed for you automatically:

  • It receives a Challenge Type http-01
  • It writes the challenge answer in a file in a new subfolder called \.well-known\acme-challenge
  • It configures IIS to allow that folder to serve files without file extensions
  • It submits the answer
  • When the challenge answer is validated by Let’s Encrypt it deletes all the files related to this validation:
    Note: You can disable the deletion of these temporary authorization files and folders by editing the setting CleanupFolders in the file letsencrypt.exe.config before running the tool.


Now the client performs the following steps:

  • It creates a certificate request (the private key is created locally and never leaves your computer)
  • It saves the signed certificate
  • It saves the certificate of the issuing CA (needs to be installed on the IIS)
  • It adds the certificate to the computer’s WebHosting certificate store (can be modified, see later in this post)
  • It adds HTTPS binding on the web site, using the new certificate
  • It creates a Scheduled Task that will run once a day to see if the certificate is older than 60 days
    Note: You can modify how many days after issuance renewal shall occur by editing the setting RenewalDays in the file letsencrypt.exe.config before running the tool. Leaving it at 60 gives you 30 days to troubleshoot before the 90 days are up.


Now it asks for credentials for the scheduled task to run with. Use an account that has NTFS write permission on the web site’s root directory, since it will need to perform a challenge/response on every renewal:


After it has configured the Scheduled Task, I pressed enter and the command prompt closed:


Now we are done.

The result? Going back to the HTTPS version of my web site (that failed before) you can see that it now works, without warnings of any kind:


That’s not too bad, considering it didn’t take long, it will be automatically renewed and did not cost me a single penny.

Behind the scenes

Ok, let’s look at the changes this tool made to the server.

You can see the installed certificate in the Web Hosting certificate store. The Web Hosting certificate store was introduced in IIS on Windows Server 2012 and is similar to the Personal store, but it was designed to support a much higher number of SSL certificates without a noticeable impact on the performance of the server, since certificates here are only loaded into memory on demand.
Note: You can modify in which container the certificate should go into by editing the setting CertificateStore in the file letsencrypt.exe.config before running the tool. You can also manually move/copy the certificate to other certificate stores after it is created.


By double-clicking the certificate you can see that the certificate has a validity time of 90 days:


In IIS Manager you can see the new binding using the default port 443:


and verify that the new certificate is configured:


You can see the created Scheduled Task


and its corresponding action:


You can also see all the files that were created during enrollment:


Note that the certificate (including its private key) is available here. The .pfx version can be imported on any machine you choose. By default, there is no password set on the .pfx (just leave the password field empty when importing). You can set a password to be used for the pfx file by editing the setting PFXPassword in the file letsencrypt.exe.config before running the tool.
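As an added check after the setup above (this is not part of letsencrypt-win-simple), the following script reports every certificate in the Web Hosting store with the days left and the IIS HTTPS bindings that use it, and shows the last result of the renewal task. With a 90-day certificate renewed at day 60, anything with 30 days or less left means the renewal did not happen. It assumes the WebAdministration module is available and that the scheduled task name contains "letsencrypt"; adjust the pattern to the name the tool created on your server.

```powershell
# Added example, not the tool's own code. Run in an elevated prompt on the IIS server.
Import-Module WebAdministration

function Get-WebHostingCertStatus {
    [CmdletBinding()]
    param([int]$WarnDays = 30)   # 90-day lifetime minus the 60-day renewal point

    $bindings = @(Get-WebBinding -Protocol https)

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\WebHosting) {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

        # IIS bindings reference the certificate by thumbprint (certificateHash).
        $used = @($bindings |
            Where-Object { $_.certificateHash -eq $cert.Thumbprint } |
            ForEach-Object { $_.bindingInformation })

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Bindings   = $used -join '; '
            Status     = $(if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'RENEWAL OVERDUE' } else { 'OK' })
        }
    }
}

function Get-RenewalTaskStatus {
    # Task name pattern is an assumption; LastTaskResult 0 means the last run succeeded.
    Get-ScheduledTask -TaskName '*letsencrypt*' -ErrorAction SilentlyContinue |
        Get-ScheduledTaskInfo |
        Select-Object TaskName, LastRunTime, NextRunTime, LastTaskResult
}

Get-WebHostingCertStatus | Sort-Object DaysLeft | Format-Table -AutoSize
Get-RenewalTaskStatus | Format-Table -AutoSize
```

A certificate that is bound in IIS but shows RENEWAL OVERDUE, together with a non-zero LastTaskResult, is the case to investigate first.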

I hope you found this primer on Let’s Encrypt together with IIS useful.

Please test this before performing this in production environments, especially if you use a non-English version of the OS, have multiple web sites and/or use non-default ports.

Let me know if you have any questions.

Posted in Uncategorized

Links from my Windows Security and ATA session

2016_10_04 - EMS ATA

A few days ago I spoke about IT security in general and Advanced Threat Analytics in particular at Microsoft’s headquarter in Stockholm.

I showed a few sites and was asked to share them. So here they are:



Norse is a company that has over 8 million sensors all over the internet that detect attacks. They visualize the current attacks on a world map, which is available here:

World’s Biggest Data Breaches


Over a decade of data breaches are visualized in this interactive map, where you can sort, color code and click for more information:

‘;–have i been pwned?


Security expert Troy Hunt gathers and verifies credentials in data leaks, and gives you the possibility to search for your email address to see if it was present in any of the confirmed leaks. You can also subscribe to alerts if your address appears in a future leak and if you can prove ownership of a domain you can subscribe to alerts for all addresses in that domain:



The entire IPv4 network is continuously scanned for exposed services and the result is stored in a searchable database. If a bug or weakness is found in a particular software version, all public servers using that exact version can be immediately found and exploited, which makes quick patching very important:

Update 2017-08-04:
Here is another site that tracks major data breaches:

Posted in Uncategorized

SSL Certificates and SAN – What domain names are valid?

An SSL certificate has a field called Subject. The Subject field contains the domain name that the certificate is valid for. Subject can only contain one domain name:



The field Subject can have more information, like the screenshot below, but still only one domain name:


An SSL certificate can also contain an optional field called Subject Alternative Names, or – as it is more often called – a SAN field. The SAN field contains one or multiple domain names that the certificate is valid for.


Note that in this example I only have one single SAN name. You can have many domain names in the SAN field of a certificate.

A common misconception around this is that a certificate with both Subject and SAN is valid for all domain names that are present in both of these fields. But if an SSL certificate has a SAN field, then SSL clients are in fact supposed to ignore the Subject field and look only in the SAN field for a domain name match.

This behavior is clearly specified in the RFC for HTTP Over TLS (RFC 2818):

“If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used.”

In other words: If SAN exists, use only that. If no SAN exists, use Subject.

To see this behavior in action, see my short video below [52 sec], in which I use the certificate from the screenshots above on two different websites: san.tomdemo.se and subject.tomdemo.se. Can you predict what will happen?
[the video has no audio]

Since the Subject field is not used when a SAN is present, it can be set to anything; it could in fact be empty.
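To make the rule concrete, here is an added example (not from the original post) that applies it to a real certificate: it reads the dNSName entries straight out of the DER bytes of the SAN extension (so it is independent of the OS language, unlike the text that the certificate dialog shows), and uses the Subject CN only when no dNSName exists. The certificate file path is an assumption; point it at the certificate from the screenshots above and try both san.tomdemo.se and subject.tomdemo.se.

```powershell
# Added example, not the post's own code.
# Reads the length field of a DER element (short or long form) at $Pos.
function Read-DerLength([byte[]]$Bytes, [ref]$Pos) {
    $first = $Bytes[$Pos.Value]; $Pos.Value++
    if ($first -lt 0x80) { return [int]$first }
    $count = $first -band 0x7F
    $len = 0
    for ($i = 0; $i -lt $count; $i++) { $len = ($len * 256) + $Bytes[$Pos.Value]; $Pos.Value++ }
    return $len
}

# Returns the dNSName entries of the Subject Alternative Name extension.
function Get-SanDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate) {
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if (-not $san) { return @() }

    # SAN is a SEQUENCE OF GeneralName; dNSName is context tag [2] (0x82) holding an IA5String.
    $bytes = $san.RawData
    $pos = 0
    if ($bytes[$pos] -ne 0x30) { throw 'SAN extension is not a DER SEQUENCE' }
    $pos++
    $end = $pos + (Read-DerLength $bytes ([ref]$pos))
    $names = @()
    while ($pos -lt $end) {
        $tag = $bytes[$pos]; $pos++
        $len = Read-DerLength $bytes ([ref]$pos)
        if ($tag -eq 0x82) { $names += [System.Text.Encoding]::ASCII.GetString($bytes, $pos, $len) }
        $pos += $len   # skip rfc822Name, iPAddress, directoryName, ... by length
    }
    return $names
}

# Exact match, or a wildcard in the leftmost label only ("*.tomdemo.se").
function Test-HostNameMatch([string]$HostName, [string]$Pattern) {
    if ($Pattern -eq $HostName) { return $true }        # -eq is case-insensitive
    if ($Pattern.StartsWith('*.')) {
        $idx = $HostName.IndexOf('.')
        return ($idx -gt 0) -and ($HostName.Substring($idx) -eq $Pattern.Substring(1))
    }
    return $false
}

# Applies the RFC 2818 rule: if any dNSName SAN exists use only the SAN, else the Subject CN.
function Test-CertificateHostName(
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
    [string]$HostName) {

    $sanNames = @(Get-SanDnsNames $Certificate)
    if ($sanNames.Count -gt 0) {
        $source = 'SAN'; $candidates = $sanNames
    } else {
        $source = 'Subject CN'; $candidates = @()
        # CN values containing quoted commas are not handled by this simple regex.
        if ($Certificate.Subject -match '(?:^|,\s*)CN=([^,]+)') { $candidates = @($Matches[1].Trim()) }
    }
    $matched = $candidates | Where-Object { Test-HostNameMatch -HostName $HostName -Pattern $_ }

    [pscustomobject]@{
        HostName       = $HostName
        IdentitySource = $source
        Candidates     = $candidates -join ', '
        Match          = [bool]$matched
    }
}

# Usage (path is an assumption): with Subject CN=subject.tomdemo.se and SAN dNSName=san.tomdemo.se,
# only san.tomdemo.se reports Match = True.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\san-demo.cer'
'san.tomdemo.se', 'subject.tomdemo.se' | ForEach-Object { Test-CertificateHostName $cert $_ } | Format-Table -AutoSize
```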

Perhaps a new best practice would be to set the Subject to something that would avoid the risk of this confusion whenever a SAN is used, like this certificate:


Posted in Certificates, PKI, SAN, SSL

Get a free publicly trusted SSL-certificate


This blog post will guide you through the steps of obtaining a publicly trusted SSL certificate with up to 5 domain names, at no cost. There are no hidden costs, ads or referrals involved.

You do need to be able to verify that you own the domain name that the certificate will be issued for. You can do this either by receiving a verification code via email (sent to specific administrative email addresses of the domain) or by publishing a text file with a verification code on a webserver running on that domain.

I am using the Chinese certificate provider WoSign. Before you stop reading just because of this, consider that their ONLY involvement in this procedure is to sign your public key. They never see your sensitive private key, which is created on your computer and never leaves your control at any time.

Did you know that your Windows computer most likely already trusts the WoSign Root CA? Read my short blogpost Which Root CAs do you really trust?

If you want to verify that your client really trusts certificates obtained using this guide, please visit this link: https://test.tomdemo.se  You should not receive any certificate warnings. If you do, please let me know what browser/device you are using via the comment section below.

There are other ways to obtain free SSL certificates, such as Let’s Encrypt and StartSSL, but at the moment I prefer WoSign, since they allow you to add 5 SAN attributes for free.

Ok, let’s go.

Create the key pair

The best option, to reduce the number of steps and also the risk of exposing the private key of the certificate, is to create the key pair directly on the computer that will actually use the certificate. But you can export the certificate and private key when you are done, so you can use any trusted Windows computer for the enrollment process. If you plan to use multiple SAN names, it’s likely that you must export the certificate to other computers anyway.

Normally you specify attributes when creating the key pair and the corresponding CSR (certificate signing request), such as Subject, Validity Time, SAN, Key Usage and so on, but WoSign will ignore all attributes in the CSR, and only use the public key. You specify the attributes in the enrollment flow at WoSign instead.

Certificate requests can be created in many ways, in this guide I am using the MMC snap-in.

Run certlm.msc to open the local certificate store for the computer.

Right-click Personal / Certificates, expand to All Tasks / Advanced Operations and click Create Custom Request:


On the Before You Begin page, click Next:


On the Select Certificate Enrollment Policy page, click Next:


On the Custom Request page, select (No template) Legacy key, make sure that the Request format is PKCS #10, and then click Next:
Note: I choose Legacy key for compatibility reasons, you might want to choose CNG key if you are sure that your services are compatible with this.


On the Certificate Information page, click on the down-arrow next to Details and then click Properties:


Click the Private Key tab. Click the down-arrow next to Key options and change the key size to 2048. Optionally select Make private key exportable (which I recommend, see the update at the bottom of this post why), then click OK:
Note: No other certificate information needs to be entered at this point.


Back at the Certificate Information page, click Next.

On the Where do you want to save the offline request? page, enter a path and filename for your certificate signing request, make sure the File format is Base 64, then click Finish:


Now we have created a key pair and a Certificate Signing Request.


Create the certificate at WoSign

Direct your browser to the following URL:

Add the domain names you want to have a publicly trusted SSL certificate for. Make sure that the cost remains zero (US$0):


You may add additional domain names and also extend the certificate validity to 3 years, but that means that the certificate will no longer be free, and that is not the topic for this blogpost. Note that the cost is not updated until you click outside of the Domain name textbox.

Notice that I added domain names from two different domains, tomdemo.se and mssec.se, just to show how domain verification looks in this scenario.

Now you have to either create an account or login with an existing one. WoSign helps you determine if you created an account with them when you fill in your email address. I use a dedicated email address for this, but I have never received any email from them after enrolling the certificate.

If you have an account, it will look like this (you need to click outside of the Email textbox to trigger the check):


Click on the link forget password? to reset your password (it should be forgot, I know).

If you have not registered an account with the email you provide, you will instead be given the option to Send Verification Email:


Click the Send Verification Email button:
Note: This will start a 30 second countdown, but don’t panic, the only thing that will happen when the countdown reaches zero is that you will have the option to resend the verification code.


The verification email might take 5-10 minutes to show up in your Inbox, so do not request a new verification too fast.

Copy the verification code from the mail that you eventually receive:


Paste the Verification code in the field Verification code.

Enter an Account password for your WoSign account.

Enter the captcha. If it is hard to make out the characters you may click change it to get a new one (it will not reload the page or remove the other info you have entered).

Check the I have read and agree checkbox (you read the agreement, right?)


Click the Submit request button.

You are now taken to a page that looks like this:


If you see Chinese characters, click on the link called ENGLISH at the top of the webpage.

At this point we have created an “order” for a free certificate and supplied the names we want in the certificate, but we have yet to verify that we own the domains and to supply the public key we created earlier.

Click on the link Domain Control Verification.

We can now prove that we own the domain by either using special email accounts (that hopefully are reserved to admins of the domain):


or by placing a special file on the webserver:


I will continue with email verification in this guide.

Select the email address you have access to and click the Click to send verification Email button. A countdown similar to the one when we created the WoSign account appears. Wait until you receive the verification email, that will look like this:


The sender is autovalidation@wosign.com, remember to also check your spam mailbox.

Enter the verification code in the Verification Code field. Also complete the captcha and then click Verify Now:


If the verification succeeds, you will be prompted to verify the next domain (assuming that you entered different domains when requesting the certificate):


The verification of the next domain looks identical, so I do not show those steps here.

Note that once you verified your domain you can later request new certificates (within the same domain) without the verification step, which makes it much easier.

When all domains are verified you are taken to the Generate the Certificate Signing Request(CSR) page. This is a bit misleading, since we do not want to generate the CSR at this point, we want to submit the CSR we have already created.

Open the previously created CSR-file in notepad and copy all of the text:


Make sure that Option 2:Submit the CSR is selected. If you choose Option 1, WoSign will create the public and private key for you, and we do not want this.

Paste the text content of the csr-file in the textbox that says Please paste Certificate Signing Request.

Click Check CSR and make sure the text box on the right says

Encryption algorithm:RSA
Key length:2048bite     (a typo on their page; the key length is 2048 bits)


Remember that the file only contains the public key, the sensitive private key is still safely stored on your computer that created the request.

Click the Submit button.

Now your certificate should be issued. Click on the link in the blue box to download a zip file containing your signed certificate:
Note: You will also get an email saying that the certificate is ready for collection. You can ignore this mail.


You will get this message:


This warning is only relevant if WoSign generated the private key and the CSR, the public part of the certificate will be available for download when you login with your WoSign account:


The downloaded zip file contains 4 other zip files, with the certificate and its issuers’ certificates in formats optimized for 3 different webservers:

for Apache

for IIS

for Nginx

for Other Server


Import the certificate

The last step is to import the signed certificate to the server that created the CSR.

Extract the file 3_user_adfs.tomdemo.se.crt.

On the server that created the CSR, run certlm.msc to open the local certificate store for the computer.

Right-click Certificate Enrollment Requests / Certificates and click All Tasks / Import:


Note: There are other ways to import a certificate, but this way makes sure that the waiting private key and the imported certificate are correctly associated.

On the Welcome to the Certificate Import Wizard page, click Next:


Browse and select to the file 3_user_adfs.tomdemo.se.crt:


Change to Automatically select the certificate store based on the type of certificate and click Next:


On the Completing the Certificate Import Wizard page, click Finish:


You should see the message The import was successful:


You now finally have a publicly trusted SSL-certificate (with up to 5 domain names), all without paying a single penny:


If you export the certificate you will have the option to include the private key (if you selected this option earlier):


Here are some screenshots of the certificate:





Known issue with IIS

If the certificate is flagged as untrusted by clients when using the certificate in IIS, try importing the following certificates – which are included in the zip file – into Intermediate Certification Authorities / Certificates (only on the IIS server itself!):

  • 1_cross_Intermediate.crt
  • 2_issuer_Intermediate.crt


The issue here is that when a client initiates an SSL handshake, IIS gives the client all certificates in the certificate path, not only the server certificate. If the issuing CA is not present in the local store (on the IIS server) it does not send it to the client. It doesn’t matter that both IIS and the client could easily locate the intermediate certificate using the AIA attribute in the server certificate.

Note that no changes need to be made on clients, and that the warning is not because the certificate is untrusted; it is that the client cannot find the intermediate CA certificate and therefore cannot identify which Root CA certificate to verify trust for. When it is added to the IIS server and handed to the client in the SSL handshake, the client “realizes” that it trusted the server certificate all along.

Phew, this became a much bigger blog post than I first imagined. I hope you found it useful!

=== Update 2016-06-03 ===

Some services have issues with the certificate, such as TMG (says Incorrect Key Type) and Exchange OWA (you are returned to the login page when logging in).

Assuming that you made the private key exportable in the first place, you can solve this by exporting the certificate and its private key to a pfx, importing that pfx into Firefox’s certificate store and then doing a backup of that certificate in Firefox. This will create a new pfx that, when imported, will work with TMG and Exchange OWA.

Note that the issues are not because the certificate is CNG, which many seem to suggest. Remember that we chose Legacy key a few steps up (which is the same as CSP) and not a CNG key:


Posted in Certificates, PKI