Disclaimer: this article is a rewritten, updated and clarified version of the article posted by John Morello: How EffectiveDate (thisupdate), NextUpdate and NextCRLPublish are calculated.

This article is also available on TechNet Wiki.

This article describes how CA server calculates estimated CRL validity. By default, CRL validity is configured in a safe manner, so everything works without administrator interaction. However, if you are an experienced PKI administrator and plan custom CRL validity, it is important to understand how validity is calculated.

Time by time I receive questions about difference between current time on CA server and actual signing time which is included in the NotBefore (Valid From) field in the issued certificates. Most users notice that Valid From field is set 10 minutes prior to current time and attempts to find possible issues with time synchronization.

Don’t worry, it is expected behavior. By default Microsoft CA sets Valid From 10 minutes before current time. To explain this we need to recall time difference allowed in Active Directory domains. As you may know, Key Distribution Center (KDC) allows time difference between KDC time and remote service that utilizes Kerberos up to 5 minutes (by default) in each direction.

And now consider the following scenario: we have three servers: remote service, KDC and CA server. Current time at remote service is 10:00, at KDC 10:05, at CA 10:10. From KDC perspective both, CA and remote service are time-synchronized. It is easy to see that if CA server receives certificate request, the Valid From is set to: 10:10 minus 10 minutes = 10:00. This guarantees that issued certificate can be immediately used for authentication at remote service. Otherwise there could be issues that remote service considers presented certificate as not yet valid.

If you have configured custom time difference between KDC and clients, you should consider to configure your CA accordingly. Clock skew on CA server must be set as a double allowed time difference for Kerberos. The following command can be used to set new clock skew value:

certutil –setreg ca\ClockSkewMinutes 20

where 20 is new clock skew value. As always, you need to restart certificate services to apply changes:

net stop certsvc && net start certsvc

Hello S-1-1-0, Crypto Guy is on a failboat board again.

Sometimes it is useful to export a certificate template to a file for future use. For example:

• for custom certificate template backup;
• if you have multiple AD forests, you can transfer configured certificate templates between forests;
• share custom certificate template with partners;
• share certificate template when you are making a online learning session;
• etc..

Till Windows Server 2008 R2 release there was no supported way to export (or serialize) certificate template and move it out of band between two forests. With Windows Server 2008 R2 there was the only publically described way to transfer templates between two forests: AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2. This whitepaper includes a PKISync.ps1 script (the script was written by a man who first time faced PowerShell, he-he) which copies certificate templates along other AD data between two forests. The downside of this approach is that it requires a two-way trust between forests and performs data transfer online.

Recently I wrote a sample function which allows security administrators to dump trusted root certificates from Microsoft web site.

Microsoft maintains a number of predefined trusted root CAs which are members of Microsoft Root Certificate Program. Here are several useful links on TechNet wiki:

• Introduction to The Microsoft Root Certificate-Program
• Microsoft Root Certificate Program
• Windows Root Certificate Program Members
• Windows Root Certificate Program

In addition, update mechanism is described here: KB931125.

Generally speaking, Microsoft maintains a special certificate trust list (CTL) which is located here. This CTL contains hashes and extended properties for each member of the root certificate program. Also, each certificate is downloadable at:

Update 06.04.2020: clarified the last section by mentioning that everything expressed in this blog post is primary opinion-based.

Update 16.06.2022: updated recommendations on HTTP URL host name.

Information in this article should be used only when you plan ADCS installation.

Hello Internet!

Today I’m going to describe one of the ugliest and, on the other hand, one of the most important topic in PKI — chain building and revocation checking and how to design/plan them by conforming best practices.