Microsoft Press Windows Server 2008 PKI Book Errata

The unofficial errata list

Welcome to the unofficial errata list for the “2008 PKI book.” The intent of this page is to provide corrections and clarifications to the published text. We will focus on the necessary corrections for Windows Server 2008, though many of the concepts are applicable to newer operating systems. However, this page is not intended to update the material or add subject matter for new features, industry practices or OS differences.

If you have additional suggestions, corrections or other errata to add, please contact us.

Change Log – Last Updated July 13, 2018

Page | Section | Correction
102 | [AuthorityInformationAccess] | Remove “;URL = file://\\%1\Public\My CA.crt”. Windows Vista and newer removed support for SMB-based retrieval of AIA certificates.
102 | [CRLDistributionPoint] | Remove “;URL = file://\\%1\Public\My CA.crl”. Windows Vista and newer removed support for SMB-based retrieval of CRLs. However, you may still use an SMB path to publish the CRL to a remote host, such as a web server that serves the CRL to clients over HTTP.
107 | N/A | Remove “file://\\%1\CertEnroll\%1_%3%4.crt”. Windows Vista and newer removed support for SMB-based retrieval of AIA certificates. In addition, the CA cannot be configured to publish its certificate to a custom location, so any SMB syntax in the AIA section is invalid.
108 | [certsrv_server] | Add note: “RenewalKeyLength, RenewalValidityPeriod, and RenewalValidityPeriodUnits are not required to be present in the capolicy.inf. These values are only necessary if you want to change the key size or validity period during a renewal. Absent these values, the CA will use the values currently defined in the CA certificate when it is renewed.”
108 | Note | Change “You cannot set the initial CA key length and validity period in the CApolicy.inf file. The value at installation is configured in the installation wizard for a root CA and is defined by the parent CA for all subordinate CAs.” to “You cannot set the initial CA key length and validity period in the CApolicy.inf. The key length and validity period values are configured in the installation wizard for a root CA. For all subordinate CAs, the key length is set in the installation wizard and the validity period is set on the parent CA.”
109 | DiscreteSignatureAlgorithm | Change all references to “DiscreteSignatureAlgorithm”. This parameter was only used during the Windows Server beta. The correct parameter is “AlternateSignatureAlgorithm”.
115 | Table 6-2 CRL Publication Options | Second row, change “Include in all issued certificates” to “Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually”. Change the value from “2” to “8”.
115 | Table 6-2 CRL Publication Options | Fourth row, change “Include in the CDP extension of CRLs” to “Include in the CDP extension of issued certificates”. Change the value from “8” to “2”.
115 | Table 6-2 CRL Publication Options | Fifth row, change “Publish delta CRLs to this location. Specifies where to publish in AD DS when publishing to LDAP URLs” to “Publish delta CRLs to this location”.
116 | Table 6-3 AIA Publication Options | After the table, add the following text: “The ServerPublish option (value 1), while referenced and used by Microsoft, cannot be used to specify an alternate publishing location or syntax for the AIA. The CA will only create a copy of its certificate in the %windir%\system32\certsrv\certenroll folder and in Active Directory (if domain integrated). Specifying an alternate location to create the certificate will not be honored. If you need the certificate placed somewhere else, such as a web-based AIA location, you must copy the CA certificate to that location manually or via script.”
116 | certutil -setreg CA\CRLPublicationURLs | Note that beginning in this section and throughout the remainder of the book, the certutil commands show the variable syntax “double-escaped”. When running certutil commands directly at a command prompt, variables should be specified as %3%8%9 and so forth. When running the commands in a batch file, the syntax in the book is correct: batch file processing requires escaping each % with another %, so the variable syntax in a batch file looks like %%3%%8%%9. Note this and apply it to all later references.
122 | DiscreteSignatureAlgorithm=1 | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm.
125 | certutil -setreg CA\csp\DiscreteSignatureAlgorithm | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm.
126 | DiscreteSignatureAlgorithm=1 | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm.
131 | certutil -setreg CA\csp\DiscreteSignatureAlgorithm | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm.
135 | DiscreteSignatureAlgorithm=1 | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm.
140 | certutil -setreg CA\csp\DiscreteSignatureAlgorithm | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm.
160 | DiscreteSignatureAlgorithm | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm.
195 | Figure 9-3 | Note: the check box “Use strong private key protection features provided by the CSP (this may require administrator interaction every time the private key is accessed by the CA)” should be shown as “Allow administrator interaction when the private key is accessed by the CA.”
195 | Note | Change “you must use strong key protection features” to “you must enable the option ‘Allow administrator interaction when the private key is accessed by the CA’”.
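The following batch file is an added example, not text from the book or from this errata list, that applies the corrections above to a Windows Server 2008 CA in one place: it drops every file:// entry that clients would have to fetch over SMB, uses the corrected Table 6-2 flag values (8 for "include in all CRLs / AD publish location", 2 for "include in the CDP extension of issued certificates", 64 for delta CRL publishing), keeps an SMB push of the CRL to the web server (which the CDP erratum says is still allowed), copies the CA certificate to the web server by script because AIA ServerPublish ignores custom locations, sets AlternateSignatureAlgorithm rather than the beta-only DiscreteSignatureAlgorithm, and writes the certutil variables as %%3%%8%%9 because it runs as a batch file. The host name pki.example.com and the share \\pki.example.com\CertEnroll are placeholders; the certutil flag values and default path/LDAP strings are standard AD CS syntax.

```batch
@echo off
REM Added example (not from the book or the errata page): apply the corrected CDP/AIA
REM publication settings to a Windows Server 2008 CA. Run as an administrator on the CA.
REM Assumptions (placeholders): pki.example.com hosts the HTTP CDP/AIA locations and
REM exposes a writable CertEnroll share for the CA's service account.
REM
REM Batch files expand %1..%9 as script parameters, so certutil's own variables must be
REM written %%1, %%3, %%8, %%9 here. At an interactive command prompt use %1, %3, %8, %9.
REM
REM CRLPublicationURLs flag values (corrected Table 6-2):
REM    1 = publish CRLs to this location (ServerPublish; UNC file:// paths are fine here)
REM    2 = include in the CDP extension of issued certificates
REM    8 = include in all CRLs; where to publish in AD for ldap:/// locations
REM   64 = publish delta CRLs to this location
REM CACertPublicationURLs flag values (Table 6-3):
REM    1 = ServerPublish (local CertEnroll folder and AD only; custom locations are ignored)
REM    2 = include in the AIA extension of issued certificates

set HTTP_BASE=http://pki.example.com/CertEnroll
set WEB_SHARE=\\pki.example.com\CertEnroll

REM CDP list: local folder (1+64=65), AD (8+2=10), HTTP in issued certs (2),
REM and an SMB push of base+delta CRLs to the web server (1+64=65).
REM No file:// entry carries flag 2 or 8: Vista and newer clients do not retrieve CRLs over SMB,
REM so advertising an SMB CDP would only add a dead URL to every certificate and CRL.
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:%HTTP_BASE%/%%3%%8%%9.crl\n65:file://%WEB_SHARE%\%%3%%8%%9.crl"

REM AIA list: local folder + AD (1), LDAP (2) and HTTP (2) in issued certificates.
REM No file:// entry at all: SMB retrieval of AIA certificates is unsupported, and the CA
REM would not honor a custom ServerPublish location anyway.
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:%HTTP_BASE%/%%1_%%3%%4.crt"

REM The shipping parameter name is AlternateSignatureAlgorithm (PKCS#1 v2.1 signatures);
REM DiscreteSignatureAlgorithm existed only in the Windows Server beta.
certutil -setreg CA\csp\AlternateSignatureAlgorithm 1

REM Registry changes take effect after a service restart.
net stop certsvc && net start certsvc

REM AIA ServerPublish writes the CA certificate only to the local CertEnroll folder (and AD),
REM so the web-based AIA location has to be populated by hand or by script.
copy /Y "%windir%\system32\CertSrv\CertEnroll\*.crt" "%WEB_SHARE%\"

REM Publish a fresh CRL (this also performs the SMB push configured above) and show the
REM stored values so the flags and variable syntax can be checked before the next issuance.
certutil -CRL
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
certutil -getreg CA\csp\AlternateSignatureAlgorithm
```

A quick way to confirm the result is to inspect a certificate issued after the restart with certutil -dump: its CDP extension should list only the ldap:/// and http:// URLs, and its AIA extension should carry no file:// entry. Enabling AlternateSignatureAlgorithm on an already running CA changes the signature format of everything it signs from then on, so it belongs in capolicy.inf at installation or renewal unless every relying party is known to accept PKCS#1 v2.1 signatures.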