Retired Microsoft Blog disclaimer
This directory is a mirror of retired "A Microsoft Premier Field Engineer's blog on Cloud and Security Technologies" TechNet blog and is provided as is. All posting authorship and copyrights belong to respective authors.

Posts on this page:

Original URL: https://blogs.technet.microsoft.com/xdot509/2011/07/06/windows-pki-resources/
Post name: Windows PKI Resources
Original author: chdelay
Posting date: 2011-07-06T13:51:00+00:00


I had been thinking about compiling a list of PKI references. However, I noticed Kurt Hudson has already done this work. So, if you are looking for a great list of PKI resources, here you go: http://social.technet.microsoft.com/wiki/contents/articles/windows-pki-documentation-reference-and-library.aspx


Read more →
Original URL: https://blogs.technet.microsoft.com/xdot509/2011/07/06/autoenrollment-for-offline-certificate-templates/
Post name: Autoenrollment for Offline Certificate Templates
Original author: chdelay
Posting date: 2011-07-06T08:06:00+00:00


One headache for System Administrators has been renewing certificates generated from Offline Templates. Relief from this arduous task is available in Windows Server 2008 R2.

Certificate Templates that are configured so that the requestor must provide the identity in the request are called "Offline" Certificate Templates. And one of the disadvantages to “Offline” Certificate Templates is that they could not be used with Autoenrollment.

If you take a look at the subject tab of a Version 2 or Version 3 Certificate Template you will notice two settings. The first setting is Supply in the request. The second setting isBuild from this Active Directory information. To enable auto enrollment this second setting must be configured on the Certificate Template. And it makes sense. If you are going to be automatically provisioning certificates you would need to pull the identity information from somewhere, in order to determine what the Subject or Subject Alternative Name (SAN) for a certificate would be. And that is exactly what the Certification Authority does for auto enrolled certificates.


Read more →