Posts on this page:
Hello everyone, I was silent for some time and today I'm back with some news.
It's official: AD CS ain't dead! On May 12, Active Directory Certificate Services (AD CS) got its first PQC algorithm support, three flavors of ML-DSA:
In fact, PQC had already been in BCrypt/NCrypt for some time; it just wasn't fully exposed through CNG, so you didn't see it in the cryptographic provider properties.
PQC support in AD CS is added only to Windows Server 2025, starting with the 2026.05B update (KB 5087539). As far as I know, there are no plans to update CertOCM (Certificate Organization Component Manager, or simply the AD CS installer) for previous Windows Server versions, such as 2019 and 2022.
I'm not going to talk about PQC specifics in this post (hopefully next time); I'll just focus on what is new in AD CS, certificate templates and certificate enrollment.
In the previous post we explored the techniques used to create a common revocation configuration for use with an Enterprise CA.
Today we will look at another option: creating a revocation configuration for an external (Standalone or 3rd-party) CA. The steps to create such configurations are almost the same and differ only in certain parts.
Consider the following scenario: you have a Standalone CA which is not connected to a network. You need to create a revocation configuration for this CA. The signing certificate is issued (out of band) from that CA.
Hello folks, sorry for the delayed post; one of my SSD disks suddenly died and I was busy with data recovery.
In the previous post we discovered the main interfaces and methods to retrieve Online Responder array settings and revocation configurations. Today we will learn how to use them to delete an existing revocation configuration and add a new one.
In the previous post you noticed that my OCSP server has one revocation configuration configured, named "test". Consider the case when we no longer need this particular configuration (say, the associated CA was decommissioned). We can delete it by calling the IOCSPCAConfigurationCollection::DeleteCAConfiguration method and apply the changes by calling the IOCSPAdmin::SetConfiguration method.
Hello S-1-1-0, CryptoGuy is back again. Recently I spent a lot of time on PowerShell Cmdlet Help Editor enhancements and didn't have enough time to write new posts. Now I'm taking a break from that and will continue blogging. Today I open a post series about managing Microsoft Online Responders (OCSP) with PowerShell.
Microsoft implemented OCSP server management via a number of COM interfaces which are directly instantiable:
First, we will check service availability by calling the IOCSPAdmin.Ping method:
Hello S-1-1-0 again, I'm back!
In the first part we discovered basic OCSP requests and responses. Today's stories:
By default, the Online Responder may pre-cache the OCSP response for a particular certificate, especially if the certificate is used very frequently (for example, the SSL certificate at login.live.com), until that response expires. This reduces server load, because there is no need to sign the same response for each incoming request, and this behavior is recommended by RFC 5019. Here is an example for a StartSSL/StartCom SSL certificate: