All Postings (92)

2017

Taking stock! Physics

Subversive? Physics?

My Philosophy!

Scripts Beget Scripts

2016

Theoretical Physics. A Hobby.

Self-Referential Poetry

Silent Online Writing

'Are You Still Doing PKI?'

My Philosophy (?)

Impact of physics on my life

Not much happened in 2015

2015

Unspeakable

Self-Poetry

Farewell Posting ...

Hacking away...

Web Project - Status

We Interrupt ...

Poetry from Poetry

PKI-Status-Update

Life and Work

Definition: 'Subversive'

2014 in Books

Physics Postings

Engineering Postings

True Expert

2014

2014 - a Good Year

Physics or Engineering?

Engineering Links

What Is Art?

Bio

PKI FAQ

Google's Poetic Talents

Certificates and Heat Pumps

Nr. 5: A Mind-Altering Experience

Technet postings

WOP!

Pink Spaceship

radices = Roots!

IT Postings

Web Projects

Life, the Universe, and Everything

Uh-oh, No Posting in March

PKI Resources

PKI Issues

Subversive Work

Spam Poetry

A Career 'in Science'

Writing

On the Shoulders of Subversive Giants

Search Term Poetry

Facebook Art

2013 in Books

2013

Explain, Evaluate, Utilize

Technology

About Life-Form Elke Stangl

elkement and This Site

No. 3: Internet Apocalypso

Retrospection

Newsletter Resurrection

2012

For Free

Subversive Yearly Report

Is My Life a Cliché?

Indulging in Cliché

Torture Turning Trivia

Intermittent Netizen

Knowledge Worker...

Profile

Physics on the Fringe

Graduation Speech

The Element is Back!

Offline

Physics Links

2011

Not Funny

Calendar and Magic

Expert

In Need of a Deflector

About to Change

A Nerd's Awakening

For the Sake of Knowledge

2008

Profession Or True Calling?

No. 2: On Self-Reference

I Have No Clue About Art

Netizen

2007

The End

No. 1: On Subversion at Large

2005

Emergency Exit

Modern Networker

2004

The Scary Part

Exploring the Work Space

2003

Instead of a CV

Favorite Books

2002

Elke was here

(This compilation of links is static - no more amendments planned.)

PKI FAQ

(elkement. Last changed: 2014-12-16. Created: 2014-10-06. Tags: IT, PKI, Cryptography, Security, Forums, Troubleshooting, Postings, X.509, Resources. German Version.)

This is a compilation of threads in Technet forums, organized by topic.

Chain validation and revocation checking issues

Chaining and hierarchies

Time validity

Revocation lists

(For issues with SCEP and EFS, see the sections on applications at the bottom of this page.)

Windows PKI design, implementation, and maintenance

PKI AD integration and clean-up

CA migration, backup and restore and high-availability

Scripts and automation

Certificate generation and deletion (in personal stores)

Searching the CA's databased and expiration notifications.

PKI configuration

Third-party CAs, compatibility

Windows PKI components and features - and related troubleshooting

Web Enrollment (ASP pages)

Simple Device Enrollment Protocol (SCEP) AKA Network Device Enrollment Service (NDES)

Windows OCSP: Errors and Pitfalls

  • White papers on how to make OCSP servers and CRL web servers high-available? There is an article for OCSP, for CRLs it is just a plain simple web server.
  • /ocsp/ application directory is not created before the role service had been configured. However, revocation configurations can be created before using the MMC - this causes and HTTP error 404 despite the Online Responder Management reports 'all green'. [ref]
  • Third-party validator (Axway) causes CryptoAPI to look only for OCSP URLs but OCSP is not used. Root cause finally was: CRL not accessible to the validator. [ref]
  • OCSP Responder issues: Misunderstanding about how to use one Responder for different CAs, and how an array should work. Additional interesting issue: Adding the Intermediate CA certificate to Trusted Root store can cause an error 403.16 in IIS and thus break certificate validation!
  • OCSP design: Use a dedicated OCSP server?

HTTPS-based enrollment via CEP/CES

(Auto-)enrollment troubleshooting

Kerberos troubleshooting

Certificate templates

Pre-requisites

Certificate and request attributes and extensions, and how to create requests

Certificate Subject Name and Subject Alternative Name, and tools and processes for CSR creation. Overlap with section on Scripts and automation.

OIDs

Hash algorithms

Cross-forest certificate enrollment and multiple domains.

PKI Applications

SCEP is listed unter Windows PKI components.

Logon against AD

SSL web servers

See also the section on Certificate and request attributes and extensions above.

LDAPs, DC certificates

  • Concerns re expired DC certificates. Can a DC be rebooted safely? Yes, as certificates are not required for 'standard AD functions'.
  • Easy-to-manage solution for LDAPs (only) - PKI to be avoided (?) Theoretically one might distribute a self-signed server certificate (with multiple SANs) just as a CA. I would not try to re-use an existing server's certificate as a CA certificate. As usual, I am wary about non-SSL-capable crypto providers. In case a simple 1-tier PKI is created today, templates could be moved to a well-planned 2-tier PKI later.
  • Domain Controller uses the wrong certificate for LDAPs. My suggestion was to supersede the current template with one that allows for issuance of certificates that will expire after the unwanted third-party certificate. Another user provided instructions on how to use the AD (NTDS) service's certificate store instead of the machine's store.

RADIUS / NPS and 802.1x

Exchange Server

Outlook and SMIME

EFS - Encrypting File System

BitLocker

SAP

Third-party LDAP clients

RDP / RDS

CISCO VPN

Windows VPN client

IPsec

Office Macro and document signing

Key stores and cryptographic providers

Crypto general

Software stores

Using an HSM as key store

Silent waters. Northwest of Tenerife, 2004.

Personal website of Elke Stangl, Zagersdorf, Austria, c/o punktwissen.
elkement [at] subversiv [dot] at. Contact and Legal Notice