Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Windows PKI Team" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.

Posts on this page:

Original URL: https://blogs.technet.microsoft.com/pki/2012/05/03/visual-basic-for-applications-and-sha2/
Post name: Visual Basic for Applications and SHA2
Original author: Adam Stasiniewicz
Posting date: 2012-05-03T10:47:01+00:00


I was recently helping a customer deploy a SHA-256 based PKI. As part of the retirement of their old PKI, we reissued the code signing certificates used by their developers. We found that the Visual Studio 2010 developers had no issue with the new code signing certs, but the Visual Basic for Applications (VBA) developers could not select the new SHA-256 certificate. Working with the good folks in Premier Support, we discovered there was a bug in VBA.

Last week we released a hotfix for Office 2010, KB 2598139, that addresses this bug. The hotfix corrects the certificate selection box (Tools | Digital Signature) and the handling of VBA macros signed with SHA2 certificates.

In order to properly use SHA2 code signing certificates, this hotfix needs to be installed on both the developer computers and the end users' computers. As this is a QFE, the standard warning applies: "...this hotfix is intended to correct only the problems that are described in this article. Apply this hotfix only to systems that are experiencing the problems described..." To download this hotfix, click the “View and request hotfix downloads” button at the top of the KB article.

-Adam Stasiniewicz

Original URL: https://blogs.technet.microsoft.com/pki/2012/04/27/best-practice-for-configuring-certificate-template-cryptography/
Post name: Best Practice for Configuring Certificate Template Cryptography
Original author: Kurt L Hudson MSFT
Posting date: 2012-04-27T18:34:00+00:00


Starting with Windows Vista and Windows Server 2008, the option to use Key Storage Providers (KSPs) in addition to Cryptographic Service Providers (CSPs) was added. These options are available when you create a certificate template and configure the settings on the Cryptography tab. Depending on the template duplicated, you may see that the default option is "Request can use any provider available on the subject’s computer". However, the best practice is to select "Requests must use one of the following providers" and then configure only the providers that you want to be used. Another best practice is to use a key size of 1024 bits or higher.

More about this topic is on the TechNet Wiki: http://social.technet.microsoft.com/wiki/contents/articles/10192.a-certificate-could-not-be-created-a-private-key-could-not-be-created.aspx
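The following PowerShell audit script is an added example, not code from the original post or from the Windows PKI Team: it lists the certificate templates in the forest that still allow any provider or a minimum key size below 1024 bits. It assumes the RSAT ActiveDirectory module is installed and that the two template settings described above are stored in the AD attributes pKIDefaultCSPs (empty when any provider is allowed) and msPKI-Minimal-Key-Size; both names are the author's assumption here, not stated in the post.

```powershell
# Added audit example (assumption: settings map to the AD attributes named below).
# pKIDefaultCSPs is empty when "Request can use any provider available on the
# subject's computer" is selected; otherwise it lists entries such as
# "1,Microsoft Software Key Storage Provider".
# msPKI-Minimal-Key-Size holds the template's minimum key size in bits.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Pull every certificate template object together with the two attributes of interest.
$templates = Get-ADObject -SearchBase $templateContainer `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties pKIDefaultCSPs, 'msPKI-Minimal-Key-Size'

$findings = foreach ($t in $templates) {
    $providers = @($t.pKIDefaultCSPs)
    $minKey    = [int]$t.'msPKI-Minimal-Key-Size'
    $issues    = @()

    # No provider list means the template accepts any provider on the client.
    if ($providers.Count -eq 0) {
        $issues += 'any provider allowed'
    }
    # Flag templates whose minimum key size is below the recommended 1024 bits.
    if ($minKey -lt 1024) {
        $issues += "minimum key size $minKey bits"
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            Template   = $t.Name
            Providers  = ($providers -join '; ')
            MinKeyBits = $minKey
            Issues     = ($issues -join ', ')
        }
    }
}

# Templates with no findings already follow both best practices from the post.
$findings | Sort-Object Template | Format-Table -AutoSize
```

Run it from a domain-joined management host with read access to the Configuration partition; templates it reports should be reviewed and, where appropriate, switched to an explicit provider list and a larger minimum key size on the Cryptography tab.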

Original URL: https://blogs.technet.microsoft.com/pki/2012/04/18/network-device-enrollment-service-ndes-now-on-the-technet-wiki/
Post name: Network Device Enrollment Service (NDES) now on the TechNet Wiki
Original author: Kurt L Hudson MSFT
Posting date: 2012-04-18T19:41:17+00:00


The Network Device Enrollment Service (NDES) whitepaper is now on the TechNet Wiki and I have already made a few updates that were requested. The old download center location has been updated to reflect that we've posted the update to the TechNet Wiki.

Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)

Note: Previously the NDES service was called Microsoft Simple Certificate Enrollment Protocol (MS SCEP). You will notice that the Registry and the web interfaces still use the acronym MSCEP.

Original URL: https://blogs.technet.microsoft.com/pki/2012/03/18/offline-ca-articles-posted-to-the-technet-wiki/
Post name: Offline CA articles posted to the TechNet Wiki
Original author: Kurt L Hudson MSFT
Posting date: 2012-03-18T12:01:00+00:00


Amer Kamal recently posted two articles regarding the security and maintenance of offline CAs, based on frequently asked questions from customers. These articles were posted as:

Security Best Practices for Offline CAs

and

Offline CA Maintenance Tasks

Since they are TechNet Wiki articles, you can not only review them, but also help to improve them.

Original URL: https://blogs.technet.microsoft.com/pki/2012/03/14/hspd-12-logical-access-authentication-and-2008-active-directory-domains-on-download-center/
Post name: HSPD-12 Logical Access Authentication and 2008 Active Directory Domains on Download Center
Original author: Kurt L Hudson MSFT
Posting date: 2012-03-14T12:49:00+00:00


A follow-up document to the original HSPD-12 Logical Access Authentication and Active Directory Domains document has just been posted to the download center. The follow-up document demonstrates the increased flexibility of FIPS 201 PIV-II compliant smart cards with Windows Server® 2008 R2 Active Directory, Windows 7 and Office 2010. Included within this document are detailed steps to configure Windows Server 2008 R2 Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), Windows® 7, and Microsoft® Office 2010 to perform traditional UPN-based smart card logon, explicit smart card logon (client authentication certificate mapped to multiple accounts), explicit cross-forest smart card logon and NIST SP800-78-3 compliant S/MIME email exchanges.

You can find both the original and the follow-up document on the Microsoft download center under "HSPD-12 Logical Access Authentication and Active Directory Domains":

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=9427