Over the last year a common question has surfaced repeatedly as customers look to adopt SSL Packet inspection services for outgoing connections. These appliances are designed to allow monitoring and management of data contained inside of normally protected SSL sessions being initiated inside the organization. In order for these appliances to work, they have to…
It’s here, the 2017 PKI Training schedule is now live and accepting registrations. There are three In-Depth classes and two Advanced PKI classes split between the US and Europe. Be sure to check out the schedule and register early as classes usually sell out in advance. San Jose CA (Feb 7-9) – Introduction to PKI, Certificates…
In a previous post, I discussed the configuration and isolation of true offline Certificate Authorities. There I made reference to the fact that an offline CA is one that never sees the light of day, figuratively that is. The CA should be air-gapped from the network, which requires physical access to the CA to manage and…
While working with a customer recently, an interesting need came up that required me to rummage through my treasure-trove of random PKI and certificate knowledge. This was apparently so well hidden, I had to reach out to an old friend still at Microsoft to remind me what the heck it’s called! One of the things…
This post started as recommended maintenance and updates for offline CAs, and it became clear I should make this a two-part post. So today I am covering what an Offline CA really means, and tomorrow I will cover recommendations for maintaining one of them. First, we must cover what I mean by Offline CA –…
Online Certificate Status Protocol (OCSP) provides an efficient mechanism for distributing certificate revocation information. When certificates are exchanged and validated, computers need to determine if the certificate has been revoked – meaning the CA has reason to consider the certificate as untrusted. This information is often placed in a Certificate Revocation List (CRL). Clients download this potentially large CRL…
It comes as no surprise to anyone working with Microsoft products that the support and inclusion of operating systems other than Windows is often a second thought – at best. Nowhere is this more prevalent than with Certificate Services – one of the most common questions during the design and deployment is “Well Mark,…
With a lot of focus on moving from SHA1 to SHA256, one question that I get a lot of is how to get certificates issued with SHA256. The short answer is that a CA signs everything it creates with a single hash signature algorithm. There is no mechanism that enables per-template signature hash specification. So…
[…] Solutions for their excellent posts on PKI in Active Directory, as well as their PSPKI PowerShell module, which our auditing toolkit is based […]