The Name Constraints extension indicates to the relying party what namespaces are acceptable for the various hierarchical name forms such as DN, DNS names, URL, IP address, RFC 822 names, UPN, etc.  The extension is only valid for a CA certificate.  There are two components for this as defined in https://tools.ietf.org/html/rfc5280#section-4.2.1.10 as: Permitted Subtree(s):  This…

Read More

Hello S-1-1-0, @Crypt32 is again on a failboatboard with new blog post. Today I will share information about a little-known portion in configuration of Microsoft ADCS Certification Authority – serial number generation algorithm. This article assumes big-endian encoding Certificate serial number requirements Every X.509 conforming CA generates a unique serial number for each issued certificate,…

Read More

Hello everyone, I’m back again and today I want to share some thoughts on retrieving massive results from ADCS Certification Authority database. Point of interest As a part of my ongoing project I had to collect database statistics (simply, number of revoked, issued, pending, failed, denied requests) and my concern was query performance on relatively…

Read More

The magic number is a value that states when CRLs will be processed over OCSP, specifically it is when the total number of cached OCSP responses from a single OCSP responder URL on behalf of a single certificate authority will stop performing OCSP and start processing CRLs. This will occur if the number of cached…

Read More