Retired Microsoft Blog disclaimer

This directory is a mirror of the retired "A Microsoft Premier Field Engineer's blog on Cloud and Security Technologies" TechNet blog and is provided as is. All posting authorship and copyrights belong to their respective authors.

Posts on this page:

Original URL: https://blogs.technet.microsoft.com/xdot509/2013/06/19/operating-a-pki-revoking-orphaned-certificates-video/
Post name: Operating a PKI: Revoking Orphaned Certificates (Video)
Original author: chdelay
Posting date: 2013-06-19T05:27:27+00:00


This video covers the steps necessary to revoke orphaned certificates. Additional information on this topic is available at http://blogs.technet.com/b/xdot509/archive/2013/06/18/operating-a-pki-revoking-orphaned-certificates.aspx.

Revoking Orphaned Certificates
Original URL: https://blogs.technet.microsoft.com/xdot509/2013/06/18/operating-a-pki-revoking-orphaned-certificates/
Post name: Operating a PKI: Revoking Orphaned Certificates
Original author: chdelay
Posting date: 2013-06-18T10:04:03+00:00


Orphaned certificates are certificates that are issued by a Certification Authority, but after issuing the certificates the Certification Authority has no knowledge of the certificates.  This situation most commonly occurs after the restore of a Certification Authority.

This is illustrated in the graphic below.  In this example the CA is backed up at Time 0.  After the backup the CA issues certificates.  At Time 1 the CA fails.  At Time 2 the CA is recovered from the backup taken at Time 0.  The problem here is that after the restore there is no record of certificates issued after the backup, but before the restore.  These are known as orphaned certificates.

The problem with orphaned certificates is that they are valid, but you have no record of issuing them.  And if you have no record of issuing them, you have no way to revoke them if necessary.  However, if you have the SMTP module running, you have a list of certificates issued during this time.  And although going through a mailbox to determine what certificates you have issued is not the most convenient way to determine this, at least you have a record.  You can also use the information in the email of issued certificates, specifically the Serial Number, to revoke these certificates if necessary.


Original URL: https://blogs.technet.microsoft.com/xdot509/2013/06/17/operating-a-pki-smtp-exit-module/
Post name: Operating a PKI: SMTP Exit Module
Original author: chdelay
Posting date: 2013-06-17T05:31:44+00:00


I am back to discuss the SMTP Exit Module.  The SMTP Exit Module is a very useful monitoring tool, yet so many are unaware of it.  In this blog posting I am going to answer the following questions and address the following topics related to the SMTP Exit Module:

  • What is an Exit Module?
  • What does the SMTP Exit Module do?
  • Why should I use the SMTP Exit Module?
  • How do I install the SMTP Exit Module?
  • Advanced Configuration of the SMTP Exit Module
  • What do the email alerts look like?

Original URL: https://blogs.technet.microsoft.com/xdot509/2013/06/11/pki-tip-more-certificate-store-shortcuts/
Post name: PKI Tip: More Certificate Store Shortcuts
Original author: chdelay
Posting date: 2013-06-11T09:51:10+00:00


Shortly after I posted PKI Tip: Certificate Store Shortcuts, Tom Aafloen (@TomAafloen) let me know of another easy way to access the Certificate Stores in Windows 8 & Windows Server 2012.

Step 1.  Hold down the Windows key on the keyboard and press the W Key (Windows key + W key) to search settings.

Step 2.  Type cer in the search box.

In the results you will see “Manage user certificates”. Select this if you want to open the Certificates MMC targeted for the current user.

You will also see “Manage computer certificates”. Select this if you want to open the Certificates MMC targeted for the local machine.

-Chris