Recently I wrote a sample function which allows security administrators to dump trusted root certificates from Microsoft web site.

Microsoft maintains a number of predefined trusted root CAs which are members of Microsoft Root Certificate Program. Here are several useful links on TechNet wiki:

• Introduction to The Microsoft Root Certificate-Program
• Microsoft Root Certificate Program
• Windows Root Certificate Program Members
• Windows Root Certificate Program

In addition, update mechanism is described here: KB931125.

Generally speaking, Microsoft maintains a special certificate trust list (CTL) which is located here. This CTL contains hashes and extended properties for each member of the root certificate program. Also, each certificate is downloadable at:

Update 06.04.2020: clarified the last section by mentioning that everything expressed in this blog post is primary opinion-based.

Update 16.06.2022: updated recommendations on HTTP URL host name.

Information in this article should be used only when you plan ADCS installation.

Hello Internet!

Today I’m going to describe one of the ugliest and, on the other hand, one of the most important topic in PKI — chain building and revocation checking and how to design/plan them by conforming best practices.

Hello S-1-1-0!

In previous post I posted about new PowerShell PKI module release and notable enhancements. Today I’ll talk about less notable and obvious, but useful enhancements.

PKCS#10 certificate request support

I made a support for X.509 certificate requests formed in a PKCS#10 format. The only (currently) class is X509CertificateRequest class which is developed in a similar manner as X509Certificate2. Let’s take a spherical horse in a vacuum sample certificate request which was generated by using certreq.exe tool:

What a great feeling when your blog is up and running! I think, I should post something here while it is still up :)

Today I want to post about new release of my PowerShell PKI module which is released today on CodePlex.

What’s new

1) Introduced module components

After a brief talk with a colleague I decided to split the module in two parts: client and server. Previously my module required RSAT installation in order to use it, while there were a lot of commands which do not require them and are not related to ADCS management. Therefore I divided module in two components: Client and Server. Client component contains commands which are related to local PKI management and do not require RSAT installation. Server component is intended for ADCS management and requires RSAT installation. Here is a module folder structure:

Hello S-1-1-0! Recently I was extremely busy on various stuff including PS PKI Module writing, as the result I hadn’t enough much time to write here. Today I would like to announce a new Manning book called PowerShell Deep Dives. the project started last year and by bringing PowerShell MVP community, the stuff went quite quickly.

Why I’m advertising this book?

1. The book is believed to be very interesting to all sort of IT Pro and Devs who is interesting in PowerShell. The book is divided in four general sections: Administration, Scripting, Development, PS for Platforms. Everyone of you will find something interesting for yourself.
2. All chapters in the book are written by PowerShell MVPs = quality guaranteed!
3. No one from writers or book coordinators will get a cent from book sales. All revenue will go to charity: to the memory of Will Steele, one of our co-authors and important member of the PowerShell community.