Retired Microsoft Blog disclaimer
This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.

Posts on this page:

Original URL: https://blogs.technet.microsoft.com/pki/2007/02/09/how-to-use-certificate-services-web-enrollment-pages-together-with-windows-vista/
Post name: How to use Certificate Services Web enrollment pages together with Windows Vista
Original author: MS2065 [MSFT]
Posting date: 2007-02-09T21:59:00+00:00


I just want you make aware of an important Microsoft knowledge base article that explains the interoperability between a Windows Server 2003 web enrollment station a Windows Vista computers. http://support.microsoft.com/kb/922706/en-us has all the details.



Carsten

Original URL: https://blogs.technet.microsoft.com/pki/2007/01/03/how-to-exclude-the-certificate-template-name-from-certificates-to-be-issued/
Post name: How to exclude the certificate template name from certificates to be issued
Original author: MS2065 [MSFT]
Posting date: 2007-01-03T07:02:00+00:00


By default, a Windows CA enterprise CA adds information about the used certificate template to issued certificates. These certificate attributes are especially important to perform certificate autoenrollement. However, in heterogeneous environments you may have the requirement not to include the certificate template names in certificates.

To avoid adding the certificate templates information into newly issued certificates, perform the following commands with administrator permissionsonyour enterprise CA at a command-line:


certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.20.2
certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7
net stop certsvc
net start certsvc


The configuration change applies CA wide and does not affect already issued certificates. Remember that autoenrollment will break if you add the OIDs to the list of disabled extensions. You must not apply this change on a CA where clients enroll certificates automatically from.


To add the template certificate name to issued certificates again, remove the OIDs from the list of disabled extensions. Perform these commands with administrator permissions on your enterprise CA:


certutil -setreg policy\DisableExtensionList -1.3.6.1.4.1.311.20.2
certutil -setreg policy\DisableExtensionList -1.3.6.1.4.1.311.21.7
net stop certsvc
net start certsvc


For a complete List of OIDs used by the Microsoft cryptography, see the following Knowledge base article: http://support.microsoft.com/kb/287547/en-us.

Original URL: https://blogs.technet.microsoft.com/pki/2006/12/18/configuring-and-troubleshooting-certificate-services-clientcredential-roaming/
Post name: Configuring and Troubleshooting Certificate Services Client–Credential Roaming
Original author: MS2065 [MSFT]
Posting date: 2006-12-18T15:53:00+00:00


After a long waiting time the Certificate Services Client credential roaming whitepaper got published at http://www.microsoft.com/technet/security/guidance/cryptographyetc/client-credential-roaming/terminology-assumptions.mspx.

Original URL: https://blogs.technet.microsoft.com/pki/2006/12/16/the-easy-way-of-crl-troubleshooting-in-windows-vista/
Post name: The EASY way of CRL troubleshooting in Windows Vista
Original author: MS2065 [MSFT]
Posting date: 2006-12-16T12:04:00+00:00


Easy CRL troubleshooting is just one click away in Windows Vista! Read on to learn how to enable crypto API2 (CAPI2) logging.For Windows XP and Windows Server 2003 you still have to use CAPIMONto find out what's going wrong with CRL checking.




  1. Log on with local administrator permissions to the computer where the certificate verification failure occurs.


  2. Click the Start menu. On the Administrative Tools menu, click Event Viewer.


  3. In the left pane, expand the Application Logs container, expand Microsoft, expand Windows, and then expand the CAPI2 container. Select the Operational container.


  4. On the Action menu, click Properties.


  5. In the General tab, select the Enable logging check box, adjust the maximum log size and log maintenance according to your needs, and then click OK.

    With CAPI2 logging turned on, all chain validation operations are logged in the event log: Application logs - Microsoft - Windows - CAPI2.



    To find out what goes wrong with chain validation do the following:




    1. Open the event log on the computer where the chain validation fails and make sure CAPI2 logging is enabled.


    2. In Event Viewer, expand the following container structure in the left pane: Application logs - Microsoft - Windows - CAPI2 - Operational


    3. In the right pane, select a log entry.


    4. In the bottom window, click the Details tab, and then select the Friendly View.


    5. You will clearly see which process has performed a CAPI2 operation and what the actual status code was.

    Additional information about PKI troubleshooting on Vista is available on Technet. Refer toTroubleshooting PKI Problems on Windows Vistaor download the documentation from the Microsoft Download Center.


    Carsten

Original URL: https://blogs.technet.microsoft.com/pki/2006/12/04/a-file-distribution-point-must-follow-the-unc-syntax/
Post name: A file distribution point must follow the UNC syntax
Original author: MS2065 [MSFT]
Posting date: 2006-12-04T15:00:00+00:00


Several whitepapers explain the three valid protocols (HTTP, LDAP orFILE) to retrieve a Certificate Revocation List (CRL) or the Authority Information Access (AIA). However, none of these whitepapers is specific about the syntax for the file protocol (file://).

The simple answer is that a CRL or AIA file reference must follow the UNC syntax, for example: \\myserver\myshare\mycrl.crl


Certificates containing an absolute path like C:\myfolder\mycrl.crl will result in an error message when the system is verifying the validity of a certificate.


Carsten