
Some time ago I quoted a Windows PKI team announcement about the SHA1 deprecation policy by Microsoft.

In short, Microsoft will discontinue SHA1 signatures in SSL and code signing certificates by January 1, 2017. This article raised a lot of questions in the TechNet forums, and these questions show that users misunderstand the policy. In this article I want to focus on the key points of the policy and common myths; the second part will give general guidance for moving toward SHA2.



Today I released the SSL Certificate Verifier tool on CodePlex. There are plans to enhance the tool (as per customer requests), so I decided to publish it online rather than maintaining it here.

>> SSL Certificate Verifier <<

SYMPTOMS

Consider the following scenario: you are dumping the CA database by using certutil, PowerShell or any other tool that utilizes the ICertView2 interface, and at some point you receive the following error:

Certutil:

  • CertUtil: -view command FAILED: 0x80070006 (WIN32: 6)
    CertUtil: The handle is invalid.

PowerShell (when using the ICertView interface):

  • CEnumCERTVIEWROW::Next: The handle is invalid. 0x80070006 (WIN32: 6)

CAUSE

This error is caused by handle expiration. Two settings control the validity of the database access handle:

1) When the connection is opened by calling ICertView2::OpenConnection, the next action must be taken within the ViewIdleMinutes period. If no action (an OpenView method call) is taken within this period, the handle is released. By default, ViewIdleMinutes is 8 minutes.

2) When the ICertView::OpenView method is called, the handle is valid for the period specified in ViewAgeMinutes. If the CA database dump operation exceeds this period, the handle is forcibly released and the error is returned. By default, ViewAgeMinutes is 16 minutes.


STATUS

This is by design.


SOLUTION

If there is a need to extend handle validity for large output, you can increase the ViewAgeMinutes property by modifying the CA configuration:

  1. Log on to the CA server with local administrator permissions;
  2. Open an elevated command prompt;
  3. Type the following command in the command prompt:
    certutil -setreg CA\ViewAgeMinutes X
    where X is a number that represents handle validity in minutes;
  4. Restart certificate services.
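The same change done from PowerShell, as an added example that is not part of the original post. It assumes the CA configuration lives under the standard CertSvc registry path (where certutil -setreg CA\... writes) and that the Active value there names the CA; run it elevated on the CA server.

```powershell
# Added example: inspect and raise the CA view handle lifetime from PowerShell.
# Assumption: the active CA configuration is stored under this CertSvc registry
# path, which is where "certutil -setreg CA\<name>" writes its values.
param(
    [ValidateRange(1, 1440)]
    [int]$ViewAgeMinutes = 60   # value to set; pick one that covers your longest dump
)

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName

# Current values. certutil shows the same data via:
#   certutil -getreg CA\ViewIdleMinutes
#   certutil -getreg CA\ViewAgeMinutes
$cfg = Get-ItemProperty -Path $caKey
"CA: $caName"
"ViewIdleMinutes (OpenConnection -> OpenView window): $($cfg.ViewIdleMinutes)"
"ViewAgeMinutes  (lifetime of an OpenView handle):    $($cfg.ViewAgeMinutes)"

# An absent value means the 16-minute default is in effect, so $null compares as "lower".
if ($cfg.ViewAgeMinutes -ge $ViewAgeMinutes) {
    "ViewAgeMinutes is already $($cfg.ViewAgeMinutes); nothing to change."
    return
}

# Equivalent of: certutil -setreg CA\ViewAgeMinutes <X>
Set-ItemProperty -Path $caKey -Name ViewAgeMinutes -Value $ViewAgeMinutes -Type DWord

# The CA reads this value at start-up, so certificate services must be restarted.
Restart-Service -Name CertSvc
"ViewAgeMinutes set to $ViewAgeMinutes minutes; CertSvc restarted."
```

Restarting CertSvc briefly interrupts enrollment, so schedule the change rather than running it during a large dump.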

WORKAROUND

No workaround is available.


APPLIES TO

  • Active Directory Certificate Services (all versions)

In the previous post we explored the techniques used to create a common revocation configuration for use with an Enterprise CA.

Today we will look at another option: creating a revocation configuration for an external (Standalone or 3rd-party) CA. The steps to create such a configuration are almost the same and differ only in certain parts.

Creating a revocation configuration for a Standalone CA

Consider the following scenario: you have a Standalone CA which is not connected to a network. You need to create a revocation configuration for this CA. The signing certificate is issued (out of band) by that CA.



Hello folks, sorry for the delayed post; one of my SSD disks suddenly died and I was busy with data recovery.

In the previous post we discovered the main interfaces and methods to retrieve Online Responder array settings and revocation configurations. Today we will learn how to use them to delete an existing revocation configuration and add a new one.

Deleting an existing revocation configuration

In the previous post you noticed that my OCSP server has one revocation configuration named “test”. Consider the case when we no longer need this particular configuration (say, the associated CA was decommissioned). We can delete it by calling the IOCSPCAConfigurationCollection::DeleteCAConfiguration method and applying the changes by calling the IOCSPAdmin::SetConfiguration method.

