The PKI Blog

PowerShell File Checksum Integrity Verifier (PsFCIV)

By Vadims Podāns | Mar 29, 2021

Today I’m glad to announce a PowerShell File Checksum Integrity Verifier (hereinafter PsFCIV) availability as a standalone package. Years ago a friend of mine asked to develop a PowerShell script that would replace a now-discontinued Microsoft File Checksum Integrity Verifier (FCIV) tool that is an essential utility to check integrity of large file shares. While…

Read More

Request extension processing in Active Directory Certification Authority

By Vadims Podāns | Feb 2, 2021

Hello S-1-1-0, Crypt32 is on air! Today I want to explain how ADCS Certification Authority processes extensions from incoming requests and certificate templates. Every X.509 V3 certificate contains certificate extensions to include extra information about certificate owner, issuer, intended usages, limitations/constraints. CA utilize multiple sources to generate extension list to be included in signed certificate,…

Read More

Name Constraints Extension

By Naheed Jivani | Jan 19, 2021

The Name Constraints extension indicates to the relying party what namespaces are acceptable for the various hierarchical name forms such as DN, DNS names, URL, IP address, RFC 822 names, UPN, etc.  The extension is only valid for a CA certificate.  There are two components for this as defined in as: Permitted Subtree(s):  This…

Read More

Changes to the Online Assessment Portal Program

By ThePKIGuy | Jan 13, 2021

Since the launch of our Online Assessment Program in 2020, we have seen incredible interest in the ability to perform a thorough review and assessment of an organization’s PKI without the expense and effort of working with a consultant onsite. The self-paced, on-demand approach was an industry first for reviewing and assessing the configuration, health,…

Read More

RPKI – The most important Internet security component you never heard of.

By Peter DiToro | Dec 9, 2020

What do AWS, Radware, Nintendo, Google, and Facebook all have in common (other than being some of the smartest actors in internet commerce)? Over the past 18 months, they have all been impacted by outages traceable to the Border Gateway Protocol (BGP). The BGP was designed in 1994, literally on a napkin, to route data…

Read More

ADCS certificate serial number generation algorithms – a comprehensive guide

By Vadims Podāns | Nov 4, 2020

Hello S-1-1-0, @Crypt32 is again on a failboatboard with new blog post. Today I will share information about a little-known portion in configuration of Microsoft ADCS Certification Authority – serial number generation algorithm. This article assumes big-endian encoding Certificate serial number requirements Every X.509 conforming CA generates a unique serial number for each issued certificate,…

Read More

ADCS Certification Authority Database query numbers

By Vadims Podāns | Oct 21, 2020

Hello everyone, I’m back again and today I want to share some thoughts on retrieving massive results from ADCS Certification Authority database. Point of interest As a part of my ongoing project I had to collect database statistics (simply, number of revoked, issued, pending, failed, denied requests) and my concern was query performance on relatively…

Read More

OCSP Magic Number

By Naheed Jivani | Sep 24, 2020

The magic number is a value that states when CRLs will be processed over OCSP, specifically it is when the total number of cached OCSP responses from a single OCSP responder URL on behalf of a single certificate authority will stop performing OCSP and start processing CRLs. This will occur if the number of cached…

Read More

Announcing Free PKI Assessments

By ThePKIGuy | Sep 2, 2020

Today we are announcing a new feature for our Online PKI Assessment portal. Our portal offers the world’s first, on-demand, self-paced assessment of Microsoft ADCS based PKIs. Utilizing our proprietary automated data collection tools, you can quickly scan and collect configuration details from your PKI and receive an assessment online – all at your convenience…

Read More