Posts on this page:

Hello everyone, I was silent for some time and today I'm back with some news.

It's official: AD CS ain't dead! On May 12, Active Directory Certificate Services (AD CS) got its first PQC algorithm support: three flavors of ML-DSA:

  • ML-DSA-44 (10,496 bits)
  • ML-DSA-65 (15,616 bits)
  • ML-DSA-87 (20,736 bits)

In fact, PQC had already been in BCrypt/NCrypt for some time, just not fully exposed through CNG, so you didn't see it in cryptographic provider properties.

PQC support in AD CS is added only to Windows Server 2025, starting with the 2026.05B update (KB 5087539). As far as I know, there are no plans to update CertOCM (Certificate Organization Component Manager, or simply the AD CS installer) for previous Windows Server versions, such as 2019 and 2022.

In this post I'm not going to talk about PQC specifics (I hope to next time); I'll just focus on what's new in AD CS, certificate templates and certificate enrollment.


Read more →

Hello world! Here is the fifth and last part of the "AD CS Partitioned CRLs - A Comprehensive Guide" blog post series.

All posts in this series:

In this post, I will cover new programming APIs, changes to existing APIs, and Windows Event Log events associated with partitioned CRLs.

Partitioned CRL APIs

All programming APIs refer to the ICertRequest2 and ICertAdmin2 COM interfaces, which are the main interfaces for interacting with AD CS servers.

New APIs

ICertRequest2/ICertAdmin::GetCAProperty received several new PropID parameters that allow access to per-partition CRLs and their publishing statuses.

All new APIs work only when partitioned CRLs are globally enabled. If partitioned CRLs are not enabled, all APIs mentioned below will fail with HRESULT 0x80070057 (E_INVALIDARG).

  • PropID = 0x0000002E (CR_PROP_CRLPARTITIONCOUNT) "CRL Partitions Count"

Read more →

Hello S-1-1-0, here is the fourth part of the "AD CS Partitioned CRLs - A Comprehensive Guide" blog post series.

All posts in this series:

In the previous post, I provided information about the partitioned CRL design, its description and configuration commands. This blog post will summarize that knowledge by providing quick guides to configure all partitioning strategies (A1, A2, B1 and B2), which you can use as recipe templates. Refer to Part 2 in this series for additional information about the different CRL partitioning strategies.

Recipe Guide

This section includes configuration required by all subsequent sections.

Command examples include the CRLPublicationURLs config setting, which is provided as an example to show how the <CRLPartitionIndex> variable is defined and the new flags in front of the HTTP URL. Adapt the URLs to match your environment.


Read more →

Hello world! Here is the third part of the "AD CS Partitioned CRLs - A Comprehensive Guide" blog post series.

All posts in this series:

In this part, I will explain the partitioned CRL configuration elements and their behavior.

In general, partitioned CRLs consist of several configuration elements that MUST be configured in a single batch. The CA service will fail if any of the mandatory configurations is incomplete. Here is the list of all configuration options, with an indication of which are mandatory:

  • Global enablement switch (mandatory)
  • Design strategy type
  • CRL partition count (mandatory)
  • Partition assignment algorithm
  • CDP extension configuration (mandatory)
  • Partition suspension

The following sections will go through each configuration element.


Read more →

Hello S-1-1-0, here is the second part of the "AD CS Partitioned CRLs - A Comprehensive Guide" blog post series.

All posts in this series:

In this part, I will explain the partitioned CRL strategies and their behavior. I will focus on partition zero handling and partition assignment randomization.

Partitioned CRL Concept

Just a brief recap of the previous post: revoked certificates are distributed uniformly (or close to it) across the different partitions. The following figure shows the basic partitioning concept with five partitions:


Read more →