======Microsoft - Certificate Authority======
[[http://technet.microsoft.com/en-us/library/cc534992.aspx|TechNet - Active Directory Certificate Services]] Page with links to the TechNet pages relevant to AD CS. \\
[[http://technet.microsoft.com/en-us/library/cc783511(WS.10).aspx|TechNet - Certificate Services]] Page with links to a number of installation checklists and general CA information. \\
[[http://technet.microsoft.com/en-us/library/cc740209(WS.10).aspx|TechNet - Renewing a certification authority]] \\
[[http://support.microsoft.com/kb/2615174/en-us|Microsoft Support - "0x80092013, CRYPT_E_REVOCATION_OFFLINE" error message when you try to verify a certificate that has multiple chains in Windows Server 2008 R2 or in Windows 7 (KB2615174)]] \\
[[http://support.microsoft.com/kb/931125/en-us|Microsoft Support - Windows root certificate program members]] \\
[[http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx|TechNet Blogs » Windows PKI blog » SHA1 Deprecation Policy]] \\
[[https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc776447(v=ws.10)|Microsoft Learn - How Certificates Work]]

=====Blogposts/Articles=====
[[http://blogs.technet.com/b/lrobins/archive/2008/12/29/publishing-delta-crls-on-iis-7.aspx|TechNet Blogs > An Infrastructure Geek Floating in a Sea of UberCoders > Publishing Delta CRLs on IIS 7]] \\
[[http://www.corelan.be/index.php/2008/07/14/windows-2008-pki-certificate-authority-ad-cs-basics/|Corelan Team - Windows 2008 PKI / Certificate Authority (AD CS) basics]] \\
[[http://social.technet.microsoft.com/wiki/contents/articles/11750.step-by-step-guide-single-tier-pki-hierarchy-deployment-en-us.aspx#Enable_Double_Escaping_on_IIS_Server|Wiki > TechNet Articles > Step by Step Guide - Single Tier PKI Hierarchy Deployment (en-US)]] \\
[[http://beccabits.com/2011/06/06/post-installation-script-post_install-bat-template-for-windows-server-2008-r2-policy-ca/|BeccaBits - Post Installation Script (Post_Install.bat) Template for Windows Server 2008 R2 Policy CA]] \\
[[http://technet.microsoft.com/en-us/library/cc782266%28v=ws.10%29|TechNet - Windows Server Library - AIA Publishing Properties]] \\
[[http://technet.microsoft.com/en-us/library/cc784969%28v=ws.10%29|TechNet - Windows Server Library - CRL Distribution Point Replacement Token]] \\
[[http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx|TechNet Blogs > Windows PKI blog > Basic CRL checking with certutil]] \\
[[https://learn.microsoft.com/en-us/archive/blogs/russellt/custom-ldap-certs|Microsoft Learn - Creating Custom Secure LDAP Certificates for Domain Controllers with Auto Renewal]] \\
[[https://xdot509.blog/|xdot509.blog]] \\
[[https://xdot509.blog/2020/12/21/ldaps-domain-controller-certificates/|xdot509.blog - LDAPS / Domain Controller Certificates]]

====Certificates with RSA key <1024 bits blocked after KB 2661254====
[[http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx|TechNet Blogs > Windows PKI blog > RSA keys under 1024 bits are blocked]] \\
[[http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx|TechNet Blogs > Windows PKI blog > Blocking RSA Keys less than 1024 bits (part 2)]] \\
[[http://technet.microsoft.com/en-us/security/advisory/2661254|Security TechCenter > Security Advisories > Microsoft Security Advisory (2661254)]] \\
[[http://support.microsoft.com/kb/2661254/en-us|Microsoft Support - Microsoft Security Advisory: Update for minimum certificate key length]] \\
[[http://blogs.technet.com/b/momteam/archive/2012/08/01/important-hp-ux-pa-risc-computers-monitored-by-operations-manager-will-experience-heartbeat-and-monitoring-failures-after-an-upcoming-windows-update.aspx|System Center: Operations Manager Engineering Blog - IMPORTANT: HP-UX PA-RISC computers monitored by Operations Manager will experience heartbeat and monitoring failures after an upcoming Windows update]]

====NDES/SCEP====
[[http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx|Wiki > TechNet Articles > Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)]] \\
[[http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx|TechNet Blogs > Windows PKI blog > Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES)]] \\
[[http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx|Ask the Directory Services Team - iPad / iPhone Certificate Issuance]] \\
[[https://discussions.apple.com/thread/2198458?start=0&tstart=0|Apple Support Communities > iPhone > iPhone in the Enterprise > Discussions - iPhone & certificate enrollment OTA via SCEP]] \\
[[http://technet.microsoft.com/en-us/library/569cd0df-3aa4-4dd7-88b8-227e9e3c012b.aspx|TechNet - Windows Server 2008 - AD CS: Network Device Enrollment Service]] \\
[[http://technet.microsoft.com/en-us/library/cc755273.aspx|TechNet - Windows Server 2008 R2 - Use the Network Device Enrollment Service]] \\
[[http://technet.microsoft.com/en-us/library/cc770911.aspx|TechNet - Windows Server 2008 R2 - Configure the Network Device Enrollment Service]]

=====Auto-enrollment=====
[[https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment|Microsoft Learn - Windows Server - Configure certificate auto-enrollment]] \\
[[https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb456981(v=technet.10)|Microsoft Learn - Certificate Autoenrollment in Windows XP]] \\
[[https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778954(v=ws.10)|Microsoft Learn - Certificate Autoenrollment in Windows Server 2003]] \\
[[https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755801(v=ws.10)|Microsoft Learn - Troubleshooting (Certificate Autoenrollment in Windows Server 2003)]] \\
[[https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-part-1.aspx|Sysadmins LV - Certificate Autoenrollment in Windows Server 2016 (part 1)]] \\
[[https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-part-2.aspx|Sysadmins LV - Certificate Autoenrollment in Windows Server 2016 (part 2)]] \\
[[https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-part-3.aspx|Sysadmins LV - Certificate Autoenrollment in Windows Server 2016 (part 3)]] \\
[[https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-part-4.aspx|Sysadmins LV - Certificate Autoenrollment in Windows Server 2016 (part 4)]] \\
[[https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-summary.aspx|Sysadmins LV - Certificate Autoenrollment in Windows Server 2016 — Summary]] \\
[[https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cersod/dd492d51-9c18-4d52-a8db-e9cfe35a80b2|Microsoft Learn - Open Specification - [MS-CERSOD]: 2.1.2.2.2 Autoenrollment in a Domain Environment]] \\
[[https://blog.matrixpost.net/configure-certificate-auto-enrollment/|matrixpost - Configure certificate auto-enrollment]] Also describes user auto-enrollment for Outlook S/MIME.

====Domain Controller certificate auto-enrollment====
In short: if an Enterprise CA is available and the Domain Controller certificate template is published on it (it is by default), domain controllers auto-enroll for the Domain Controller certificate template even when auto-enrollment is not configured via GPO.
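The following PowerShell script is an added example, not code from this page or from Microsoft. It inventories the local machine's personal certificate store and decodes the AD CS certificate-template extension of each certificate, so that on a domain controller the automatically enrolled Domain Controller certificates described above become visible, and it also flags RSA keys shorter than 1024 bits, the keys that Windows refuses after KB 2661254 (see that section above). It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on .NET Framework 4.6 or later (for ''RSACertificateExtensions''); the two template-extension OIDs are the ones AD CS uses, while the regular expression that matches the rendered template text is an assumption about how ''Format()'' prints it.

```powershell
# Added example, not code from the page: inventory Cert:\LocalMachine\My, decode the
# AD CS certificate-template extension and flag RSA keys below 1024 bits.
# Assumptions: elevated Windows PowerShell 5.1 / PowerShell 7 on .NET Framework 4.6+.

# Extension OIDs that AD CS writes into issued certificates:
#   1.3.6.1.4.1.311.20.2  Certificate Template Name (version 1 templates, e.g. "DomainController")
#   1.3.6.1.4.1.311.21.7  Certificate Template Information (version 2+ templates: OID and version)
$TemplateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')
$MinRsaBits   = 1024    # minimum RSA key length enforced after KB 2661254

function Get-CertificateTemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Format($false) renders the extension on one line: for a v1 template this is the
    # template name, for v2+ it is "Template=<name>(<oid>), Major Version Number=..., ...".
    $ext = $Cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($null -eq $ext) { return '' }
    return $ext.Format($false)
}

function Get-CertificateInventory {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) keys instead of throwing.
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $bits = if ($null -ne $rsa) { $rsa.KeySize } else { $null }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Algorithm  = $cert.PublicKey.Oid.FriendlyName
            KeyBits    = $bits
            Template   = Get-CertificateTemplateText -Cert $cert
            WeakRsaKey = ($null -ne $bits -and $bits -lt $MinRsaBits)
        }
    }
}

$inventory = Get-CertificateInventory

"RSA keys shorter than $MinRsaBits bits (rejected by systems patched with KB 2661254):"
$inventory | Where-Object { $_.WeakRsaKey } | Format-Table Subject, Issuer, KeyBits, NotAfter -AutoSize

# Matching on the rendered template text is an assumption: the v1 template name is
# "DomainController", v2 successors such as "Domain Controller Authentication" contain a space.
"Certificates enrolled from a Domain Controller template:"
$inventory | Where-Object { $_.Template -match 'Domain ?Controller' } |
    Format-Table Subject, Template, NotAfter -AutoSize
```

Run it on a domain controller to confirm that the automatic enrollment described above actually happened (an empty second table means no Enterprise CA published the template, or enrollment failed and the DC's event log should be checked); run it on any server before deploying the KB 2661254 update to find certificates that will stop working.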
[[https://morgansimonsen.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment/|Morgan Simonsen's Blog - Active Directory Domain Controllers and certificate auto-enrollment]] \\
[[https://dirteam.com/sander/2022/09/14/todo-upgrade-the-certificates-for-your-windows-server-2016-based-domain-controllers-and-up-to-enable-windows-hello-for-business-hybrid-scenarios/|The things that are better left unspoken - TODO: Upgrade the Certificates for your Windows Server 2016-based Domain Controllers (and up) to enable Windows Hello for Business Hybrid Scenarios]]

=====SAN certificates=====
[[http://blogs.technet.com/b/industry_insiders/archive/2007/03/23/creating-subject-alternative-name-certificates-with-microsoft-certificate-server.aspx|The Industry Insiders - Creating Subject Alternative Name Certificates with Microsoft Certificate Server]] \\
[[http://www.sharepointsecurity.com/sharepoint/creating-certificates-with-dual-san-attributes/|ARB Security Solutions - Creating Certificates With Dual San Attributes]]

=====Notes=====
====Verify certificate====
<code>
certutil -verify -urlfetch c:\digicert.cer >cert1.txt
</code>
Source: [[http://social.technet.microsoft.com/Forums/en/exchange2010/thread/299c8ebe-223c-43ab-8cbc-c8221991813a|TechCenter > Exchange Server 2010 Forums > Exchange Server 2010 > The Certificate Status could not be determined because the revocation check failed]]

====Problem: Submitting a request via the Certification Authority console results in error====
Error:
<code>
The request contains no certificate template information. 0x80094801 (-2146875391)
Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute.
</code>
Solution: use the following to request the certificate:
<code>
certreq.exe -submit -attrib "CertificateTemplate:WebServer" c:\setup\certificate.req
</code>
Then select the CA that should sign the certificate and save the signed certificate somewhere.

Source: [[http://www.exchangeinbox.com/article.aspx?i=127|ExchangeInbox.com - Replacing the Exchange 2007 Self-Signed Certificate (Part 2)]]
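The following PowerShell script is an added example that ties the two notes above together; it is not code from this page or from the linked articles. It submits the request with the ''CertificateTemplate'' attribute set (the fix for error 0x80094801), uses ''-config'' so that certreq targets the CA directly instead of showing the CA picker, and then runs the ''certutil -verify -urlfetch'' check from the "Verify certificate" note on the issued certificate and surfaces the lines that point at a chain or revocation problem. The CA name, template and paths are placeholders, and the pattern used to pick error lines out of the certutil output is an assumption about its wording.

```powershell
# Added example, not code from the page: submit a CSR with the template attribute
# (fix for 0x80094801), then verify the issued certificate's chain and revocation URLs.
# All names and paths below are placeholders to adapt to the environment.

$CaConfig    = 'CA01.example.local\Example Issuing CA'   # "<CAHost>\<CA common name>", placeholder
$Template    = 'WebServer'                               # template name from the note above
$RequestFile = 'C:\setup\certificate.req'
$CertFile    = 'C:\setup\certificate.cer'
$ReportFile  = 'C:\setup\certificate-verify.txt'

function Submit-CertificateRequest {
    param([string]$Config, [string]$TemplateName, [string]$ReqPath, [string]$CerPath)
    # -config selects the CA up front, so no interactive CA picker appears;
    # -attrib supplies the template the policy module otherwise reports as missing.
    $output = & certreq.exe -submit -config $Config -attrib "CertificateTemplate:$TemplateName" $ReqPath $CerPath 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certreq failed (exit code $LASTEXITCODE):`n$($output -join "`n")"
    }
    # A CA that requires certificate-manager approval returns success but writes no
    # certificate yet; in that case the request must be approved and retrieved later.
    if (-not (Test-Path -Path $CerPath)) {
        throw "No certificate written to $CerPath (request pending?):`n$($output -join "`n")"
    }
    return $output
}

function Test-CertificateChain {
    param([string]$CerPath, [string]$ReportPath)
    # -urlfetch makes certutil download the AIA and CDP/OCSP URLs of every certificate in
    # the chain, so an unreachable CRL or OCSP publisher shows up here instead of on clients.
    & certutil.exe -verify -urlfetch $CerPath | Out-File -FilePath $ReportPath -Encoding utf8
    $report = Get-Content -Path $ReportPath
    # Heuristic filter (assumption about certutil's wording): problem lines carry "ERROR",
    # "failed" or a CRYPT_E_* HRESULT such as 0x80092013 (CRYPT_E_REVOCATION_OFFLINE).
    $problems = @($report | Where-Object { $_ -match 'ERROR|failed|0x8009' })
    [pscustomobject]@{
        Passed   = ($problems.Count -eq 0)
        Problems = $problems
        Report   = $ReportPath
    }
}

Submit-CertificateRequest -Config $CaConfig -TemplateName $Template -ReqPath $RequestFile -CerPath $CertFile | Out-Null
$result = Test-CertificateChain -CerPath $CertFile -ReportPath $ReportFile
if ($result.Passed) {
    "Chain and revocation checks passed; full certutil output in $($result.Report)"
} else {
    "Chain or revocation problems found (full certutil output in $($result.Report)):"
    $result.Problems
}
```

The full certutil report is kept on disk because the filtered lines only say that a check failed; the surrounding lines name the certificate in the chain and the AIA or CDP URL that could not be fetched, which is what has to be fixed on the CA side.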