The PKI Guy Blog

2017 PKI Training Schedule Now Live – Register Today!

By ThePKIGuy | Oct 6, 2016

It’s here: the 2017 PKI Training schedule is now live and accepting registrations. There are three In-Depth classes and two Advanced PKI classes split between the US and Europe. Be sure to check out the schedule and register early, as classes usually sell out in advance. San Jose CA (Feb 7-9) – Introduction to PKI, Certificates…

Offline CA Maintenance – What Do You Really Need to Do?

By ThePKIGuy | Oct 4, 2016

In a previous post, I discussed the configuration and isolation of true offline Certificate Authorities. There I made reference to the fact that an offline CA is one that never sees the light of day, figuratively speaking. The CA should be air-gapped from the network, which requires physical access to the CA to manage and…

Leveraging Smart Card Beyond Logons

By ThePKIGuy | Aug 23, 2016

While working with a customer recently, an interesting need came up that required me to rummage through my treasure trove of random PKI and certificate knowledge. This was apparently so well hidden that I had to reach out to an old friend still at Microsoft to remind me what the heck it’s called! One of the things…

Offline Certificate Authority – What Exactly Does that Mean?

By ThePKIGuy | Aug 10, 2016

This post started as recommended maintenance and updates for offline CAs, and it became clear I should make this a two-part post. So today I am covering what an Offline CA really means, and tomorrow I will cover recommendations for maintaining one. First, we must cover what I mean by Offline CA…

Microsoft OCSP Responders – Trust, Renewals and RFC 6960

By ThePKIGuy | Aug 1, 2016

Online Certificate Status Protocol (OCSP) provides an efficient mechanism for distributing certificate revocation information. When certificates are exchanged and validated, computers need to determine whether the certificate has been revoked – meaning the CA has reason to consider the certificate untrusted. This information is often placed in a Certificate Revocation List (CRL). Clients download this potentially large CRL…

CertAccord – The Genesis of a Simple Enrollment Solution for Linux

By ThePKIGuy | Jul 27, 2016

It comes as no surprise to anyone working with Microsoft products that support for and inclusion of operating systems other than Windows is often a second thought – at best. Nowhere is this more prevalent than with Certificate Services – one of the most common questions during design and deployment is “Well Mark,…

Certificate Template Request Hash – The Real Story

By ThePKIGuy | Jul 25, 2016

With a lot of focus on moving from SHA1 to SHA256, one question I get a lot is how to get certificates issued with SHA256. The short answer is that a CA signs everything it creates with a single signature hash algorithm. There is no mechanism that enables a per-template signature hash specification. So…

The Requested Template is not Supported by this CA (Error 0x80094800)

By ThePKIGuy | Jul 21, 2016

Today I was working with a customer, and they mentioned they had just been contacted about an enrollment problem on one of their CAs. They had recently added a template to one of their Windows Server 2012 R2 CAs. The template had been in use for a long time and is present on their other…

New Certutil Argument – DownloadOCSP and Details of Caching issue with -Verify

By ThePKIGuy | Jul 20, 2016

During the development of my new ADCS Advanced PKI Training Class, I was working on creating a process to demonstrate how to manipulate the OCSP caching behavior in Windows. If you aren’t already aware, Microsoft OCSP responders use the expiration date of the authoritative CRL used for their answers as the expiration date (Next Update…