Note: This post is not updated anymore since May 2010. The new PKI reference page is a WIKI page.

We have a broad list of documentation for the Windows PKI. To let you find the right content quicker, I have put together a grouped list of the current papers, knowledge base articles and web casts related to the technology.

General information

• Security Glossary
• Public Key Infrastructure
• Certificate Services overview

Training

• Designing and Managing a Windows Public Key Infrastructure

Internet Newsgroup

• microsoft.public.security.crypto

Envision

• PKI Enhancements in Windows 7 and Windows Server 2008 R2
• Cryptography and Microsoft Public Key Infrastructure
• PKI Enhancements in Windows XP Professional and Windows Server 2003
• Certificate Services Technical Reference

Plan

• Ten Risks of PKI: What You’re not Being Told about Public Key Infrastructure
• Microsoft root certificate program members
• Planning Your Public Key Infrastructure
• Designing and Implementing a PKI: Part I Design and Planning
• Designing and Implementing a PKI: Part II
• Designing your own PKI Infrastructure
• Scale testing the world’s largest PKI… all running on WS08R2 and Hyper-V
• To Cluster or Not to Cluster CAs
• How CA Certificates Work
• How Certificates Work
• Windows XP Professional: Certificate Revocation and Status Checking
• Choosing Security Solutions That Use Public Key Technology
• Cryptography for Network and Information Security
• HSPD-12 Logical Access Authentication and Active Directory Domains

Build

• Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
• Windows Server System Reference Architecture for Certificate Services
• Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003

Deploy

• Installing a Suite B Only PKI with Windows Server 2008 R2
• Deploying and Managing PKI inside Microsoft
• TechNet Support WebCast: Best Practices for Public Key Infrastructure: Steps to build an offline root certification authority (part 1 of 2)
• TechNet Support WebCast: Best practices for Public Key Infrastructure: Setting up an offline subordinate and an online enterprise subordinate (part 2 of 2)
• Extended Validation support for websites using internal certificates

Windows Server 2003

• Certificate Autoenrollment in Windows Server 2003
• Advanced Certificate Enrollment and Management
• Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services
• Configuring and Troubleshooting Certificate Services Client–Credential Roaming
• Webcast: Credential Roaming Basics
• Cryptography Tools

Windows Server 2008

• Certificate Server Enhancements in Windows Server codename "Longhorn" whitepaper
• How to configure the Windows Server 2008 CA Web Enrollment Proxy
• Microsoft SCEP Implementation Whitepaper
• Longhorn Beta3 Certificate Templates Whitepaper
• Configuring Network Device Enrollment Service for Windows Server 2008 with Custom Certificates

Online Certificate Status Protocol

• Installing, Configuring, and Troubleshooting the Microsoft Online Responder
• Implementing an OCSP responder
  • Part I Introducing OCSP
  • Part II Preparing
  • Part III - Configuring OCSP for use with Enterprise CAs
  • Part IV - Configuring OCSP for use with Standalone CAs
  • Part V High Availability
  • Part VI Configuring Custom OCSP URIs via Group Policy

Windows Server 2008 R2

• Cross-forest Certificate Enrollment with Windows Server 2008 R2

Operate

• Windows Server 2003 PKI operations and configuration guide
• Key Archival and Management in Windows Server 2003
• Certificate Services example implementation: Key archival and recovery
• Troubleshooting Certificate Status and Revocation
• TechNet Support WebCast: Best practices for relocating certification authority and for failure recovery
• TechNet Support WebCast: Troubleshooting and evaluating Public Key Infrastructure health in Microsoft Windows Server 2003 and Microsoft Windows 2000
• How to move a certification authority to another server
• HOWTO: Move a certificate authority to a new server running on a domain controller
• How to remove manually Enterprise Windows Certificate Authority from Windows 2000/2003 Domain
• Custom extensions in the CAPolicy.inf file do not take effect after you renew the root CA certificate by using a new key
• How to make a stand-alone certification authority compliant with ISIS-MTT version 1.1
• How to make an Enterprise certification authority compliant with ISIS-MTT version 1.1
• Digital Certificates Cleanup Script
• CRL freshness checking scripts
• Windows Server 2008 R2 CAPolicy.inf Syntax

Certificate enrollment

• Creating "Wildcard" Certificate Requests for IIS using the Windows Vista/Server 2008 Certificates MMC plugin
• Certificate Creation Tool (Makecert.exe)

Certificate management

• Mapping One Smartcard Certificate to Multiple Accounts

Powershell

• Working with Certificates in Active Directory Powershell

Windows Vista

• Troubleshooting PKI problems on Windows Vista

Windows Server 2008

• Active Directory Certificate Services Upgrade and Migration Guide
• Configuring and Troubleshooting Certification Authority Clustering in Windows Server 2008

Develop

• Windows Client Certificate Enrollment Protocol Specification
• Cryptography Reference
• Cryptography, CryptoAPI, and CAPICOM
• Customizing the Certificate Services Web Enrollment Pages
• Creating Certificate Requests Using the Certificate Enrollment Control and CryptoAPI
• Code-Signing Best Practices

Extend

• Windows Vista Smart Card Infrastructure

When you launch the certificate templates MMC snap-in (certtmpl.msc) for the first time, the certificate templates are installed automatically in the background. Installing the templates is independent of the availability of an enterprise CA. Enterprise Administrator permissions are required to successfully install the templates.

That's nice and convenient but what happens if you accidentally deleted the template objects from Active Directory? The templates can be viewed and also deleted (with appropriate permissions) through the Active Directory Sites and Services MMC snap-in (dssites.msc) or any other LDAP client can be used.

So, what to do if the templates or the OID container have disappeared? With a single command-line, you can get them back. As prerequisite to install the certificate templates you must have create child access to the template container in Active Directory which is the default setting for an enterprise administrator.

If you are running Windows Server 2003, use the following command with enterprise administrator permissions:

regsvr32 /i:i /n certcli.dll

If you have Windows Vista or Windows Server 2008 already in place, certutil.exe understands a new verb to re-install the templates. Certutil is included in all Windows Vista SKUs by default.

certutil -installdefaulttemplates

After performing one of the above commands you must restart the CA service.

The following two knowledgebase articles describe scenarios where re-installation of certificate templates can make sense:

• You receive an error message, and event ID 53 is logged when a client computer requests a certificate from a Windows Server 2003 SP1-based CA (http://support.microsoft.com/kb/932457).


• Event ID 77 is logged in the Application log when the CertSvc service starts on a CA server that is running Windows Server 2003 with Service Pack 1 (http://support.microsoft.com/kb/931354).

When importing a PFX-file with the certificate import wizard, you can choose if the private key should be exportable or not. Your choice is stored in the key storage property identifier that is key-storage specific. In other words, there is no information in the certificate about the exportability of the related private key. It is possible that if you import the same PFX-file into different computers that the private key is maked as exportable on one computer and is not marked as exportable on another.

To perform a PFX-file import at a command-line you may be familiar with the certutil -importPFX command. Since Windows Server 2003 SP1, certutil understands extra arguments to improve the PFX import.

Here is the abstract syntax:

certutil -importPFX {PFXfile} [NoExport|NoCert|AT_SIGNATURE|AT_KEYEXCHANGE]

To make the private key non-exportable, use the following command:

certutil -importPFX [PFXfile] NoExport

To just install the private key but not the certificate, use the NoCert argument. It can be combined with the NoExport argument.

certutil -importPFX [PFXfile] NoCert

There are two more arguments forcing AT_SIGNATURE or AT_KEYEXCHANGE. Both cannot be used in combination and may require a conversion to a RSA key.

certutil -importPFX [PFXfile] AT_SIGNATURE

certutil -importPFX [PFXfile] AT_KEYEXCHANGE

To combine multiple modifiers with one command, all modifiers must appear comma seperated as a single common line parameter. For example:

If you have you already deployed Credential Roaming (see the whitepaper or webcast) or if you have plans to do so, you should be very aware of a new knowledgebase article because the size of your Active Directory might grow unnecessarily.

Refer to knowledgebase article 934797 for more information.

To adjust the CRL and AIA distribution point there are at least threechoices to do it. The most familiar way to change the distribution point might be through the CA MMC user interface. The second way is to directly change the registry key CACertPublicationURLs or CRLPublicationURLs with regedit.exe. Alternatively, you can use certutil -setreg to change these keys in the registry.

While having full editing control over the multi-valued registry key, you may miss an edit button in the UI to conveniently change an existing entry without retyping the full URL.

Only very few people are aware that you can use a copy/paste trick to overcome the missing edit button. Here are the steps to copy an existing CRL or AIA entry and create a new one:

1. Open the Certification Authority MMC snap-in.


2. Open the CA properties.


3. Go to the Extensions tab.


4. Select the entry that you want to copy from the list of available CRL or AIA entries.


5. Press <CTRL>+<C> to copy the entry into the clip-board.


6. Click the Add… button and press <CTRL>+<V>. The paste operation is certainly not limited to the Add Location window. Once the URL has been copied into the clipboard it can be pasted everywhere.


7. Change the distribution point as appropriate.