All Postings (92)

2017

Taking stock! Physics

Subversive? Physics?

My Philosophy!

Scripts Beget Scripts

2016

Theoretical Physics. A Hobby.

Self-Referential Poetry

Silent Online Writing

'Are You Still Doing PKI?'

My Philosophy (?)

Impact of physics on my life

Not much happened in 2015

2015

Unspeakable

Self-Poetry

Farewell Posting ...

Hacking away...

Web Project - Status

We Interrupt ...

Poetry from Poetry

PKI-Status-Update

Life and Work

Definition: 'Subversive'

2014 in Books

Physics Postings

Engineering Postings

True Expert

2014

2014 - a Good Year

Physics or Engineering?

Engineering Links

What Is Art?

Bio

PKI FAQ

Google's Poetic Talents

Certificates and Heat Pumps

Nr. 5: A Mind-Altering Experience

Technet postings

WOP!

Pink Spaceship

radices = Roots!

IT Postings

Web Projects

Life, the Universe, and Everything

Uh-oh, No Posting in March

PKI Resources

PKI Issues

Subversive Work

Spam Poetry

A Career 'in Science'

Writing

On the Shoulders of Subversive Giants

Search Term Poetry

Facebook Art

2013 in Books

2013

Explain, Evaluate, Utilize

Technology

About Life-Form Elke Stangl

elkement and This Site

No. 3: Internet Apocalypso

Retrospection

Newsletter Resurrection

2012

For Free

Subversive Yearly Report

Is My Life a Cliché?

Indulging in Cliché

Torture Turning Trivia

Intermittent Netizen

Knowledge Worker...

Profile

Physics on the Fringe

Graduation Speech

The Element is Back!

Offline

Physics Links

2011

Not Funny

Calendar and Magic

Expert

In Need of a Deflector

About to Change

A Nerd's Awakening

For the Sake of Knowledge

2008

Profession Or True Calling?

No. 2: On Self-Reference

I Have No Clue About Art

Netizen

2007

The End

No. 1: On Subversion at Large

2005

Emergency Exit

Modern Networker

2004

The Scary Part

Exploring the Work Space

2003

Instead of a CV

Favorite Books

2002

Elke was here

Postings in Technet Forums

(elkement. Last changed: 2015-04-01. Created: 2014-07-29. Tags: IT, PKI, Cryptography, Security, Forums, Troubleshooting, Postings, X.509, Resources. German Version.)

In 2014 I had resumed posting to security forums in the Microsoft Technet community. I have been using these threads as my personal knowledge base.

Here is a feed on recent activity. Seems my mission has come to an end by the end of 2014!

A list of all my threads is also generated automatically but I am hand-curating them here again.

I am not using the original thread title but another one that makes me remember the discussion more easily; and I add a short summary. The date is the date of my first reply in this thread.

(Last changed: April 1, 2015. Added last threads I contributed to in December 2014.)

Insert some years during which I was just busy doing PKI but not contributing to the community. I try to compensate for that now!

  • [2009-07-16] What is PKI compatibility? It depends on what is compared: Certificates and their fields, key stores and access methods, request structure, protocols to enroll for certificates,...
  • [2009-07-16] Notification e-mails sent by the SMTP Exit module contain variables instead of values. Might be an issue of using the variables in a scripts versus running the commands interactively. In a script the % needs to be masked by another %.
  • [2009-07-16] Windows CA and redundancy: Does a second CA help? Templates are redundant in AD anyway. A second CA does not help as it uses a different key and cannot sign CRLs on behalf of a failed first CA automatically. For risk mitigation the CRL validity period should be configured for a few days or whatever is needed to detect and fix an issue in the worst case. Redundancy could be achieved with fail-over clustering.
  • [2008-11-09] Planning fail-over clustering for a CA, in particular how to migrate an existing non-clustered CA into the cluster. Clustering is only supported with HSMs(*). As for the names it can be done but the legacy of LDAP objects and HTTP URLs that contain the old machine name makes that rather messy. Suggestion: Use a new clustered CA setup from scratch with proper names and create a long-lived CRL for the existing CA before retiring it.
    (*) Learned in 2014 that this is not true (anymore?)
  • [2008-10-01] How to configure CRL URLs for offline CAs. It seems either a CRL has not been copied to the CRL server denoted in the CDP or the defaults have been used and the URL points to the Root CA itself. Brief outline of process.
  • [2008-09-23] Variables in CA configuration (starting with %) do not get replaced by their values. Turned out to be a copy and paste error as the lines have been copied to the command window directly.
  • [2008-09-19] Limit PKI usage to one domain - how to set permissions. The CA is a forest resource but permission for domain-specific groups can be set at the CA (Request Certificates right), or permissions on all templates could be limited to groups from this domain
  • [2008-09-18] Time zones and clock skew. Date formats in certificates are in Universal Time format including time zone information. There is only a clock skew of 10 minutes applied by default to avoid false not-yet-valid messages.
  • [2008-07-28] Checking and changing validity periods of CRLs as the default period of a week is too short for a typical Root CA. Overview on how to set the validity period in Properties of Revoked Certificates and - optionally - overlap by editing the registry.
  • [2008-07-28] Requirements for macro signing certificates. I suggest to time-stamp macros as otherwise (even if signed) signature would be considered invalid when the signer's certificate has been expired.
  • [2008-07-26] Certificate services simply fails to start after setup. Not clarified but another user indicated that in his certocm.log a permissions error was logged when he saw the same error - using the domain admin resolved it.
  • [2008-07-26] Sending certificate requests to an untrusted forest. Ideas: Automate the creation of requests and let a service user account from the CA forest fetch the requests, send them to the CA, and collect the certificates. Alternative: Simply use an AD user of the forest where the CA resides and use the certsrv web application to create keys and requests.
  • [2008-07-12] Autoenrollment issues - an XP client does not autoenroll through manual enrollment works and the event log says that Autoenrollment has been completed successfully. Potential root causes: 1) There is already a certificte of that type in the store and the setting Do not re-enroll if a duplicate certificate exists in AD has been set 2) Weird but known issue with credential roaming sometimes falsely archiving certificates.
  • [2008-07-01] Wild-card certificates - feasible but not recommended as there is a slight chance clients may not recognized the wild-card character.

Personal website of Elke Stangl, Zagersdorf, Austria, c/o punktwissen.
elkement [at] subversiv [dot] at. Contact and Legal Notice