The PKI Guy Blog

Help a SME Out – Don’t Guess at Template Settings

By ThePKIGuy | May 2, 2017

One of the areas we spend time on in the PKI In-Depth class is learning about Certificate Templates. There are a lot of tabs in the template manager and a lot of specific settings on those tabs. I can certainly understand the desire to click those pretty checkboxes, toggle radio buttons and get lost in…


Ignore Revocation Checking – The bane of my existence!

By ThePKIGuy | Apr 20, 2017

As students in my PKI training classes know, one of the areas I am vocal about is the blind use of the CRLF_REVCHECK_IGNORE_OFFLINE setting in a PKI environment. I am so adamantly against the use of this setting that I personally refuse to ever explicitly share or type the syntax to enable this nasty beast.…


What Your Browser Doesn’t Tell You Can Hurt You – Revocation and Internet Explorer

By ThePKIGuy | Feb 11, 2017

One of the topics I have been using as an example of revocation checking behavior in my PKI In-Depth class is the interesting case of Internet Explorer (IE) and its revocation behavior. Let's take a moment and have you think about your assumption of how IE is behaving when you go to an HTTPS (SSL/TLS)…


RSASSA-PSS – Why Your Certificate Can’t Be Validated

By ThePKIGuy | Feb 1, 2017

A common theme has been arriving in my inbox lately, as well as on many online forums. People are consistently reporting errors with certificates issued by their internal Microsoft ADCS-based CAs. Problems range across Apple devices, Firefox, appliances and many other systems. When people examine their certificates they see that their certificates are SHA…


Windows Server 2016 – What’s New with ADCS

By ThePKIGuy | Dec 2, 2016

Well, here it is – the concise list of updates and changes to Active Directory Certificate Services (ADCS) for Windows Server 2016. I will go ahead and tell you now that there aren’t any new earth shattering features. Consider this an incremental set of improvements to ADCS. Remember that we still have things like Elliptical…


Creating an NDES Policy Module – A Programmer's Guide

By ThePKIGuy | Nov 30, 2016

Microsoft introduced a great security improvement in Windows Server 2012 R2 to alter the standard Network Device Enrollment Service (NDES) security process. If you are familiar with the whitepaper I wrote for Microsoft (Securing and Hardening NDES) you’ll know I wrote about the disadvantages of using NDES for BYOD and Internet accessible enrollment solutions. The…


Certificate Transparency Enforcement and Microsoft CAs – Oct 2017 Deadline

By ThePKIGuy | Nov 29, 2016

To address some weaknesses in the public PKI trust process, Certificate Transparency (CT) was created to make it easier to detect and track fraudulent certificate issuance and use. The intent is that a small collection of log servers would contain information about valid certificates and browsers can check the log to see if a given certificate…


Submitting Netscape SPKI (SPKAC) Cert Requests to ADCS

By ThePKIGuy | Nov 11, 2016

Recently I was contacted on Twitter with a question about Microsoft’s support of Signed Public Key and Challenge (Netscape SPKI) for certificate enrollment requests. I have long taught in my classes that there are a number of formats supported by ADCS for certificate requests. So I consulted one of the tables I talk about in…


Palo Alto and Bluecoat SSL Appliances and your PKI Security

By ThePKIGuy | Oct 27, 2016

Over the last year a common question has surfaced repeatedly as customers look to adopt SSL packet inspection services for outgoing connections. These appliances are designed to allow monitoring and management of data contained inside normally protected SSL sessions initiated from within the organization. In order for these appliances to work, they have to…
