Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.

Posts on this page:

Original URL:
Post name: Sample Code: End-to-End Certificate Transparency requests on ADCS CA
Original author: Tochi E
Posting date: 2018-12-12T22:42:54+00:00

Hello all, Tochi Ezebube here again from the Active Directory Certificate Services engineering team.


Sometime back, we released support for the precertificate flow of Certificate Transparency v1 (RFC 6962) in Windows Server 2016 ( For this to work end-to-end, the component submitting the request to the ADCS CA must submit the returned precertificate to a suitable set of Certificate Transparency Logs using the RFC 6962 protocol, aggregate the results as a SignedCertificateTimestampList, and return it to the ADCS CA for X.509 issuance.


Since release, we’ve received a number of requests for sample code to speak the RFC 6962 protocol between the CA and the CT Logs. Here is an unofficial sample to get you started with precertificate submission. It is released as-is with the usual caveats.


Sample code:

Sample.sln code breakdown:

  • SampleLibrary.csproj: library containing a simple ILogClient and implementation, which speaks the RFC 6962 protocol for adding certificates & precertificates, as well as preparing the SignedCertificateTimestampList object.
  • ConsoleApp.csproj: simple console app illustrating an ADCS CA CT enrollment end-to-end, utilizing SampleLibrary.csproj for Certificate Transparency interactions.


To use:

  1. Register your ADCS CA certificate's root with the CT Log to be used.
  2. Enable the Certificate Transparency feature on your ADCS CA and restart the CA service as follows:
    1. certutil.exe -setreg CA\CertificateTransparencyFlags 0x1
    2. net stop certsvc
    3. net start certsvc
  3. Open Sample.sln in Visual Studio.
  4. Verify it builds.
  5. Run ConsoleApp.exe passing in the ADCS CA config string and the CT Log URI, for example:
    1. ConsoleApp.exe {ServerName}\{CAName}


Happy coding…



Original URL:
Post name: How will Certificate Transparency affect existing Active Directory Certificate Services environments?
Original author: WesH [MSFT]
Posting date: 2018-03-12T21:51:58+00:00

Wes Hammond here from Premier Field Engineering.  It has been a while since I posted anything, but I wanted to step back into the spotlight to talk a little bit about something a few customers have been asking about lately.  How will Certificate Transparency affect their Active Directory Certificate Services environments?  Well, here are your answers…

Before we get started, here is a little bit of information about Certificate Transparency that is relevant to this article.  CT is being applied to certificate authorities that chain to a Public/Commercial Root Authority to detect fraudulent certificates used for HTTPS purposes.  Many public certificate authorities have already been reporting to the CT logging servers for some time now.  How it works is beyond the scope of this document and I would recommend you read the information located at the site linked to at the bottom of this article.

CT in Browsers

Google is scheduled to enforce CT in Chrome browsers on April 30th 2018 for certificates issued after April 1st 2018.

CT in Private PKI (CA's that DO NOT chain to a public Root)

I am going to start with the most common scenario.  Most of you have a private PKI within your organization that does not chain up to a public root.  In this scenario, CT will not affect your CA's.  Chrome browser uses Windows native CAPI to determine trusted chains.  Windows can differentiate between commercial/public CA chains and internal/private chains.  Since Windows has this ability, CT will not affect Private/Internal PKI chains.

CT in Certificate Chains that DO chain to public Root

"IF" your certificate authority chains up to a public root and you issue SSL/TLS/HTTPS certificates, CT may affect your PKI.  How it affects you is beyond the scope of this article, and I would recommend you consult your provider for more information.

Other Certificate Purposes

As I mentioned earlier, CT is only relevant to certificates used for HTTPS.  All other certificate purposes such as smartcard logon, code signing, document signing, SMIME, any many others are not visible through Chrome browsers and thus are not affected, so rest easy ??

For more information on Certificate Transparency see the official site on it here:

If you liked this blog please don't forget to rate it.

Original URL:
Post name: [CrossPost ] HTTPS Inspection and your PKI
Original author: WesH [MSFT]
Posting date: 2017-02-24T03:10:50+00:00

Hey Everyone,

A little while back I posted this article to my own personal blog and it is getting some traction but it might get more here so I wanted to share it as these questions come up all the time.  I hope you enjoy it.

Original URL:
Post name: How to write an NDES policy module
Original author: Tochi E
Posting date: 2016-11-30T02:35:17+00:00

Hi there!

This is Tochi Ezebube with the Active Directory Certificate Services (ADCS) engineering team; I wanted to share some further details on how to write a custom policy module for the ADCS Network Device Enrollment Service (NDES) in Windows Server 2012 R2 and onwards.

Here it is: how-to-write-an-ndes-policy-module.

And here's some general info on policy modules in NDES.

Let me know if you have any questions!


Original URL:
Post name: [CrossPost] SHA1 Deprecation Policy
Original author: Amerk [MSFT]
Posting date: 2015-10-19T21:02:51+00:00

Update: This page has been removed.  For the most up to date information on the Microsoft SHA1 deprecation policy please see the links posted below