Windows PKI team always knows how to make our live harder :). Yesterday Shay Levy pointed me to one interesting thread: http://www.powergui.org/thread.jspa?messageID=47514

Basic intro: this attribute is used by Credential Roaming Service. By default if user uses roaming profile, credentials (and personal certificates) don’t roam! This means that user can use the same profile on other computers, but will not able to use certificates (i.e. decrypt files, mails, sign documents and so on). Though if certificate autoenrollment is enabled, user will enroll new certificates. But they will remain on that computer only. The one possible way to work around this issue is to use smart cards. But this is quite expensive solution. With Credential Roaming Service all certificates will roam with user. However this is not pretty secure solution, because domain administrators will have an access to user private keys. However at certain point domain users must trust administrators, so this solution is enough for many scenarios with roaming profiles.

Several days ago I have worked on one interesting issue:

Enterprise CA running on a Hyper-V virtual machine. Due of maintenance plans host server was rebooted. In the next day users were unable to logon to their workstations by using smart cards due of the error: A revocation check could not be performed for the certificate. Password users were unable to connect to terminal servers by using RDP-TLS protocol due of the same error.

Update 04.08.2018: clarified behavior on timestamping certificate revocation

Hello again! Today I would like to discuss about digital signatures and signature usage questions.

A very short introduction to digital signatures

As you know the signature guarantees that the electronic document wasn't changed after signing process. This is a useful feature for sensitive data that may be changed during transfer over network. For example, Internet. There is one well-known attack named Man In The Middle (MITM). In MITM, malicious user intercepts document change some data and transfer to the original recipient. If the document is originally signed (by sender) the recipient will attempt to validate document signature and will see that the document was changed during data transmission. This would invalidate the document.

In real world digital signatures are used very often and use asymmetric encryption/decryption processes.

Update 22.10.2017: updated use-case recommendations based on best practices.

Update 27.06.2018: added commands

In this article I will discuss about Root CA certificate renewal with new and existing key pair. At first we discuss about CA certificate renewal with existing key pair.

Renewal with existing key pair

When you renew CA certificate with existing key pair, nothing important in certificate is changed. The certificate will contain the same public and private key. As the result all previously issued certificates will chain up to new CA cert without any changes. You just replace old CRT file in AIA download locations. In addition, new CA cert ValidFrom (NotBefore) field will contain the value when existing CA key pair was generated. For example, old CA cert has ValidFrom (NotBefore) = 08.10.2000 and ValidTo (NotAfter) 08.10.2010. When you renew CA cert with existing key pair new certificate will have following values: ValidFrom (NotBefore) 08.10.2000 and ValidTo (NotAfter) 08.10.2020. In other words this renewal just increases current CA certificate validity period. In addition new CA cert introduces one new extension: Preious CA certificate hash that will contains preious certificate Thumbprint extension value. And changes another extension: CA Version. Let's take a look to a CA Version extension.

In one of my recent posts I have posted a bug in AppLocker path rule processing (see: The case of another AppLocker bug). I have opened Technical Support case and AppLocker product group was able to repro the issue and provide a temporary workaround. Here is official Microsoft's response:

We've investigated the issue and it appears to be a problem in the implementation of case-insensitive path comparison for characters outside the ASCII range. Fortunately it seems there is a workaround for the time being. If, in Local Security Policy, one specifies paths in all-uppercase characters, including uppercasing any non-ASCII characters as appropriate, then the rule will match properly. Concretely, for your example 'Mapīte', putting that string with lowercase ī in a rule's path in Local Security Policy will not work; however putting the string 'MAPĪTE' with uppercase Ī does seem to work.

Therefore if path in the path rule contains non-english characters (outside the ASCII 1-127), write these characters in upper case. Unfortunately you cannot use PowerShell for that conversion (by using String.ToUpper() method), because console host doesn't display diacritic characters, so you will have to do this task manually.