Tag Archives: PKI

Require SSL on NDES admin site via PowerShell

Best Practices from Microsoft when deploying Network Device Enrollment Service (available here) states: “Always set up the administrator site with SSL-only configuration. (Disable http access to this site.)” This is to protect the sensitive One Time Passwords that are transmitted … Continue reading

Posted in CA, Certificates, NDES, PKI, SCEP | Tagged , , , | 6 Comments

Quick access to the Certificate snap-ins

Are you also opening the local certificate snap-ins by first running mmc.exe and then adding the Certificate snap-ins manually? I’ve done that sooo many times that I’ve gotten pretty fast at it. A faster way is to type certmgr.msc for … Continue reading

Posted in Certificates, PKI | Tagged , , , | Leave a comment

Configure AD CS to use a static DCOM port

Normally when you start a Windows CA server it allocates a random high port number for the service to listen on. When clients want to enroll certificates they find this dynamic port number by asking the CA Server’s RPC Endpoint … Continue reading

Posted in Okategoriserade | Tagged , , , , , | 8 Comments

Can disabling Delta CRL on a CA cause problems?

Imagine that you are using both Base CRL and Delta CRL, but you want to stop using Delta CRL and only use Base CRL going forward. Could this cause any problems in revocation checking if you do not carefully plan … Continue reading

Posted in CA, CRL, PKI, smart card | Tagged , , , | 2 Comments

Delete local CRL cache in Windows

Windows automatically caches retrieved CRLs and OCSP reponses. The advantage is that it speeds up revocation checking and uses less network bandwidth. The disadvantage is that clients will not detect new CRLs until the local cache expires. Normally you should … Continue reading

Posted in Okategoriserade | Tagged , , , , | 2 Comments

Which Root CAs do you really trust?

When I ask people which Root CAs they trust, they usually show me the list in Trusted Root Certification Authorities. Like this one, from a freshly installed Windows Server 2012: But that is actually not the entire truth. If I … Continue reading

Posted in PKI | Tagged , , , , , , | 2 Comments