Retired Microsoft Blog disclaimer

This directory is a mirror of the retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to the respective authors.

Posts on this page:

Original URL: https://blogs.technet.microsoft.com/pki/2007/02/09/how-to-use-certificate-services-web-enrollment-pages-together-with-windows-vista/
Post name: How to use Certificate Services Web enrollment pages together with Windows Vista
Original author: MS2065 [MSFT]
Posting date: 2007-02-09T21:59:00+00:00


I just want to make you aware of an important Microsoft Knowledge Base article that explains the interoperability between a Windows Server 2003 web enrollment station and Windows Vista computers. http://support.microsoft.com/kb/922706/en-us has all the details.



Carsten

Original URL: https://blogs.technet.microsoft.com/pki/2007/01/03/how-to-exclude-the-certificate-template-name-from-certificates-to-be-issued/
Post name: How to exclude the certificate template name from certificates to be issued
Original author: MS2065 [MSFT]
Posting date: 2007-01-03T07:02:00+00:00


By default, a Windows enterprise CA adds information about the certificate template that was used to every issued certificate. These certificate attributes are especially important for certificate autoenrollment. However, in heterogeneous environments you may have the requirement not to include the certificate template names in certificates.

To avoid adding the certificate template information to newly issued certificates, run the following commands with administrator permissions on your enterprise CA at a command line:


certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.20.2
certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7
net stop certsvc
net start certsvc


The configuration change applies CA-wide and does not affect already issued certificates. Remember that autoenrollment will break if you add the OIDs to the list of disabled extensions. You must not apply this change on a CA from which clients enroll certificates automatically.


To add the certificate template name to issued certificates again, remove the OIDs from the list of disabled extensions. Run these commands with administrator permissions on your enterprise CA:


certutil -setreg policy\DisableExtensionList -1.3.6.1.4.1.311.20.2
certutil -setreg policy\DisableExtensionList -1.3.6.1.4.1.311.21.7
net stop certsvc
net start certsvc


For a complete list of OIDs used by Microsoft cryptography, see the following Knowledge Base article: http://support.microsoft.com/kb/287547/en-us.
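As an added example that is not part of the original post, the following PowerShell function checks a certificate for the two template extensions named above. It lets you confirm that the DisableExtensionList change actually took effect on newly issued certificates, or audit certificates issued by a CA you did not configure yourself. It uses only the .NET X509Certificate2 class that ships with Windows; the file path and store location in the usage lines are placeholders, and the OID descriptions are the display names certutil uses for these extensions.

```powershell
# Added example, not from the original post. Reports whether a certificate
# carries the Microsoft certificate template extensions that the
# DisableExtensionList change suppresses.
$TemplateOids = @{
    '1.3.6.1.4.1.311.20.2' = 'Certificate Template Name'        # version 1 templates
    '1.3.6.1.4.1.311.21.7' = 'Certificate Template Information' # version 2 and later templates
}

function Get-TemplateExtensionReport {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Only the extension OIDs are inspected; nothing else in the certificate is touched.
        $found = @($Certificate.Extensions | Where-Object { $TemplateOids.ContainsKey($_.Oid.Value) })

        New-Object PSObject -Property @{
            Subject              = $Certificate.Subject
            Thumbprint           = $Certificate.Thumbprint
            HasTemplateExtension = ($found.Count -gt 0)
            # Format($false) renders the extension value the same way certutil -dump does,
            # i.e. the template name, or the template OID with its major/minor version.
            TemplateExtensions   = @($found | ForEach-Object {
                '{0} ({1}): {2}' -f $_.Oid.Value, $TemplateOids[$_.Oid.Value], $_.Format($false)
            })
        }
    }
}

# Usage (paths and store are placeholders):
# a certificate exported to a file ...
#   $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\temp\issued.cer'
#   Get-TemplateExtensionReport -Certificate $cert | Format-List
# ... or every certificate in the local machine's personal store that still carries a template extension:
#   Get-ChildItem Cert:\LocalMachine\My | Get-TemplateExtensionReport |
#       Where-Object { $_.HasTemplateExtension } | Format-List
#
# The CA side can be confirmed by reading back the registry value the post modifies:
#   certutil -getreg policy\DisableExtensionList
```

A certificate issued before the change will still report both extensions, which matches the post's note that the setting does not affect already issued certificates; only certificates issued after the service restart should come back without them.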

Original URL: https://blogs.technet.microsoft.com/pki/2006/12/18/configuring-and-troubleshooting-certificate-services-clientcredential-roaming/
Post name: Configuring and Troubleshooting Certificate Services Client–Credential Roaming
Original author: MS2065 [MSFT]
Posting date: 2006-12-18T15:53:00+00:00


After a long wait, the Certificate Services Client credential roaming whitepaper has been published at http://www.microsoft.com/technet/security/guidance/cryptographyetc/client-credential-roaming/terminology-assumptions.mspx.

Original URL: https://blogs.technet.microsoft.com/pki/2006/12/16/the-easy-way-of-crl-troubleshooting-in-windows-vista/
Post name: The EASY way of CRL troubleshooting in Windows Vista
Original author: MS2065 [MSFT]
Posting date: 2006-12-16T12:04:00+00:00


Easy CRL troubleshooting is just one click away in Windows Vista! Read on to learn how to enable CryptoAPI 2 (CAPI2) logging. For Windows XP and Windows Server 2003 you still have to use CAPIMON to find out what's going wrong with CRL checking.




To enable CAPI2 logging:

  1. Log on with local administrator permissions to the computer where the certificate verification failure occurs.
  2. Click the Start menu. On the Administrative Tools menu, click Event Viewer.
  3. In the left pane, expand the Application Logs container, expand Microsoft, expand Windows, and then expand the CAPI2 container. Select the Operational container.
  4. On the Action menu, click Properties.
  5. In the General tab, select the Enable logging check box, adjust the maximum log size and log maintenance according to your needs, and then click OK.

With CAPI2 logging turned on, all chain validation operations are logged in the event log: Application logs - Microsoft - Windows - CAPI2.

To find out what goes wrong with chain validation, do the following:

  1. Open the event log on the computer where the chain validation fails and make sure CAPI2 logging is enabled.
  2. In Event Viewer, expand the following container structure in the left pane: Application logs - Microsoft - Windows - CAPI2 - Operational.
  3. In the right pane, select a log entry.
  4. In the bottom window, click the Details tab, and then select the Friendly View.
  5. You will clearly see which process has performed a CAPI2 operation and what the actual status code was.

Additional information about PKI troubleshooting on Vista is available on TechNet. Refer to "Troubleshooting PKI Problems on Windows Vista" or download the documentation from the Microsoft Download Center.
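For administrators who prefer the command line, or who need to switch the log on and read it back on a machine they reach over a remote shell, here is the equivalent of the two Event Viewer procedures above as an added example. It is not part of the original post. It assumes Windows Vista or Windows Server 2008 (or later) with an elevated prompt and Windows PowerShell 2.0, which provides Get-WinEvent; wevtutil is the built-in event log configuration tool. The 16 MB maximum log size is a placeholder to adjust to your needs.

```powershell
# Added example, not from the original post: command-line equivalent of the
# Event Viewer steps. Requires an elevated prompt.
$Log = 'Microsoft-Windows-CAPI2/Operational'

# Step 5 of the first procedure: enable the Operational log and set its
# maximum size (16 MB here, a placeholder value).
wevtutil sl $Log /e:true /ms:16777216

# Now reproduce the failing certificate check (open the site, run the
# application, or run "certutil -verify -urlfetch <cert.cer>").

# Steps 3 to 5 of the second procedure: pull the most recent errors. CAPI2 logs
# failed chain building and revocation checks at level 2 (Error).
function Get-Capi2Failure {
    param([int]$MaxEvents = 20)

    Get-WinEvent -FilterHashtable @{ LogName = $Log; Level = 2 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Task        = $_.TaskDisplayName
                # ToXml() returns the same data the Details tab shows in Friendly View:
                # the operation, the calling process and the resulting status code.
                Details     = $_.ToXml()
            }
        }
}

Get-Capi2Failure | Format-List

# When you are done, turn the log off again; CAPI2 logging records every chain
# validation on the machine and fills up quickly.
#   wevtutil sl $Log /e:false
```

Reading the XML instead of the rendered message is deliberate: the message text of CAPI2 events is generic, while the status code and the process name that the post tells you to look for live in the event's user data.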


Carsten

Original URL: https://blogs.technet.microsoft.com/pki/2006/12/04/a-file-distribution-point-must-follow-the-unc-syntax/
Post name: A file distribution point must follow the UNC syntax
Original author: MS2065 [MSFT]
Posting date: 2006-12-04T15:00:00+00:00


Several whitepapers explain the three valid protocols (HTTP, LDAP or FILE) to retrieve a Certificate Revocation List (CRL) or the Authority Information Access (AIA). However, none of these whitepapers is specific about the syntax for the file protocol (file://).

The simple answer is that a CRL or AIA file reference must follow the UNC syntax, for example: \\myserver\myshare\mycrl.crl


Certificates containing an absolute path like C:\myfolder\mycrl.crl will result in an error message when the system verifies the validity of the certificate.
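To catch this misconfiguration before clients do, the following added example (not from the original post) lists the CDP and AIA URLs embedded in a certificate and flags any file: reference that points at a drive letter instead of a UNC path. It relies on the "URL=" lines that Windows renders for these two extensions (the same text certutil -dump prints), so the regular expression is an assumption about that rendering; the file path in the usage line is a placeholder.

```powershell
# Added example, not from the original post: flag file: distribution points
# that use an absolute local path rather than the required UNC syntax.
$CdpOid = '2.5.29.31'          # CRL Distribution Points
$AiaOid = '1.3.6.1.5.5.7.1.1'  # Authority Information Access

function Test-DistributionPointSyntax {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $Certificate.Extensions |
            Where-Object { $_.Oid.Value -eq $CdpOid -or $_.Oid.Value -eq $AiaOid } |
            ForEach-Object {
                $kind = if ($_.Oid.Value -eq $CdpOid) { 'CDP' } else { 'AIA' }

                # Windows renders one "URL=<value>" line per distribution point / access location.
                foreach ($m in [regex]::Matches($_.Format($true), 'URL=(\S+)')) {
                    $url = $m.Groups[1].Value
                    $status = 'ok'
                    # Valid:   file://\\myserver\myshare\mycrl.crl  (UNC, as the post requires)
                    # Invalid: file://C:\myfolder\mycrl.crl          (drive letter, fails during validation)
                    if ($url -match '^file:/*[A-Za-z]:') {
                        $status = 'INVALID: absolute local path, must be a UNC path'
                    }
                    New-Object PSObject -Property @{
                        Subject   = $Certificate.Subject
                        Extension = $kind
                        Url       = $url
                        Status    = $status
                    }
                }
            }
    }
}

# Usage (placeholder path):
#   $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\temp\issued.cer'
#   $cert | Test-DistributionPointSyntax | Format-Table Extension, Status, Url -AutoSize
#
# Or audit everything in the local machine's personal store:
#   Get-ChildItem Cert:\LocalMachine\My | Test-DistributionPointSyntax |
#       Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

Running this against a freshly issued certificate is a quick way to confirm that the CA's CRL and AIA publication settings produce the UNC form the post describes.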


Carsten