ADCS Hotfix and Known Issues

It’s been on my to-do list for a number of years but I’ve never had a chance to get to it. That is what tends to happen when you work at a big corporation and there are competing interests and demands on your time. But being the small business man that I am, I can […]

Changes to SSL/TLS Certificate Validity Periods – September 2020

It was recently announced that Google Chrome will be joining Apple Safari in implementing a change to publicly trusted SSL/TLS certificates. This change, however, will impact organizations operating their own internal PKI as well. While the change was initially submitted to the official CA/Browser Forum, the vote failed last year. However, both Apple and Google have unilaterally announced […]

Certificate Transparency Enforcement and Microsoft CAs – Oct 2017 Deadline

To address some weaknesses in the public PKI trust process, Certificate Transparency (CT) was created to make it easier to detect and track fraudulent certificate issuance and use. The intent is that a small collection of log servers would contain information about valid certificates and browsers can check the log to see if a given certificate for […]

ADCS Database Log Truncation Change in Server 2019

In our past blogs on the subject of Windows Server ADCS backups, we have touched on the issue of jet database logs not being truncated and deleted in some scenarios. https://www.pkisolutions.com/adcsbackups/ https://www.pkisolutions.com/database-log-files-are-not-truncated-when-you-perform-a-full-certification-authority-database-backup/ Specifically, if backups are performed via snapshot or non-VSS based backups and secondly, if any logs are still held open by the jet […]

Creating a NDES Policy Module – A Programmers Guide

Microsoft introduced a great security improvement in Windows Server 2012 R2 to alter the standard Network Device Enrollment Service (NDES) security process. If you are familiar with the whitepaper I wrote for Microsoft (Securing and Hardening NDES) you’ll know I wrote about the disadvantages of using NDES for BYOD and Internet accessible enrollment solutions. The […]

Gardening and Weeding Certificate Templates: Private Key Flags

Mismanagement of certificate templates is one of the lowest of the low-hanging fruits when it comes to ADCS threat vectors. Among other things, a misconfigured certificate template can lead to a threat actor obtaining a certificate which could be used for privilege escalation up to and including Enterprise Administrator! As you can imagine, it’s a […]

Crafting a dummy certificate with specific serial number in Microsoft ADCS

Today I went through a thread on Twitter with claims that there is no supported way to revoke a rogue certificate with known serial number in Microsoft CA. TL;DR skip to next section The long story short: the thread originally was focused on an OCSP deterministic response support. The idea behind this is that by default, Microsoft […]

ADCS Certification Authority Database query numbers

Hello everyone, I’m back again and today I want to share some thoughts on retrieving massive results from ADCS Certification Authority database. Point of interest As a part of my ongoing project I had to collect database statistics (simply, number of revoked, issued, pending, failed, denied requests) and my concern was query performance on relatively […]