(This compilation of links is static - no more amendments planned.)

PKI FAQ

(elkement. Last changed: 2014-12-16. Created: 2014-10-06. Tags: IT, PKI, Cryptography, Security, Forums, Troubleshooting, Postings, X.509, Resources. German Version.)

This is a compilation of threads in Technet forums, organized by topic.

Chain validation and revocation checking issues

Chaining and hierarchies

Time validity

Revocation lists

(For issues with SCEP and EFS, see the sections on applications at the bottom of this page.)

Windows PKI design, implementation, and maintenance

PKI AD integration and clean-up

CA migration, backup and restore and high-availability

Scripts and automation

Certificate generation and deletion (in personal stores)

Searching the CA's databased and expiration notifications.

PKI configuration

Third-party CAs, compatibility

Windows PKI components and features - and related troubleshooting

Web Enrollment (ASP pages)

Simple Device Enrollment Protocol (SCEP) AKA Network Device Enrollment Service (NDES)

Windows OCSP: Errors and Pitfalls

  • White papers on how to make OCSP servers and CRL web servers high-available? There is an article for OCSP, for CRLs it is just a plain simple web server.
  • /ocsp/ application directory is not created before the role service had been configured. However, revocation configurations can be created before using the MMC - this causes and HTTP error 404 despite the Online Responder Management reports 'all green'. [ref]
  • Third-party validator (Axway) causes CryptoAPI to look only for OCSP URLs but OCSP is not used. Root cause finally was: CRL not accessible to the validator. [ref]
  • OCSP Responder issues: Misunderstanding about how to use one Responder for different CAs, and how an array should work. Additional interesting issue: Adding the Intermediate CA certificate to Trusted Root store can cause an error 403.16 in IIS and thus break certificate validation!
  • OCSP design: Use a dedicated OCSP server?

HTTPS-based enrollment via CEP/CES

(Auto-)enrollment troubleshooting

Kerberos troubleshooting

Certificate templates

Pre-requisites

Certificate and request attributes and extensions, and how to create requests

Certificate Subject Name and Subject Alternative Name, and tools and processes for CSR creation. Overlap with section on Scripts and automation.

OIDs

Hash algorithms

Cross-forest certificate enrollment and multiple domains.

PKI Applications

SCEP is listed unter Windows PKI components.

Logon against AD

SSL web servers

See also the section on Certificate and request attributes and extensions above.

LDAPs, DC certificates

  • Concerns re expired DC certificates. Can a DC be rebooted safely? Yes, as certificates are not required for 'standard AD functions'.
  • Easy-to-manage solution for LDAPs (only) - PKI to be avoided (?) Theoretically one might distribute a self-signed server certificate (with multiple SANs) just as a CA. I would not try to re-use an existing server's certificate as a CA certificate. As usual, I am wary about non-SSL-capable crypto providers. In case a simple 1-tier PKI is created today, templates could be moved to a well-planned 2-tier PKI later.
  • Domain Controller uses the wrong certificate for LDAPs. My suggestion was to supersede the current template with one that allows for issuance of certificates that will expire after the unwanted third-party certificate. Another user provided instructions on how to use the AD (NTDS) service's certificate store instead of the machine's store.

RADIUS / NPS and 802.1x

Exchange Server

Outlook and SMIME

EFS - Encrypting File System

BitLocker

SAP

Third-party LDAP clients

RDP / RDS

CISCO VPN

Windows VPN client

IPsec

Office Macro and document signing

Key stores and cryptographic providers

Crypto general

Software stores

Using an HSM as key store

Silent waters. Northwest of Tenerife, 2004.

Personal website of Elke Stangl, Zagersdorf, Austria, c/o punktwissen.
elkement [at] subversiv [dot] at.