Microsoft - Certificate Authority
TechNet - Active Directory Certificate Services: page with links to the TechNet pages relevant to AD CS.
TechNet - Certificate Services: page with links to a number of installation checklists and general CA information.
TechNet - Renewing a certification authority
Microsoft Support - Windows root certificate program members
TechNet Blogs » Windows PKI blog » SHA1 Deprecation Policy
Blogposts/Articles
TechNet Blogs > An Infrastructure Geek Floating in a Sea of UberCoders > Publishing Delta CRLs on IIS 7
Corelan Team - Windows 2008 PKI / Certificate Authority (AD CS) basics
Wiki > TechNet Articles > Step by Step Guide - Single Tier PKI Hierarchy Deployment (en-US)
BeccaBits - Post Installation Script (Post_Install.bat) Template for Windows Server 2008 R2 Policy CA
TechNet - Windows Server Library - AIA Publishing Properties
TechNet - Windows Server Library - CRL Distribution Point Replacement Token
TechNet Blogs > Windows PKI blog > Basic CRL checking with certutil
Microsoft Learn - Creating Custom Secure LDAP Certificates for Domain Controllers with Auto Renewal
xdot509.blog
xdot509.blog - LDAPS / Domain Controller Certificates
Certificates with RSA key <1024 bits blocked after KB 2661254
TechNet Blogs > Windows PKI blog > RSA keys under 1024 bits are blocked
TechNet Blogs > Windows PKI blog > Blocking RSA Keys less than 1024 bits (part 2)
Security TechCenter > Security Advisories > Microsoft Security Advisory (2661254)
Microsoft Support - Microsoft Security Advisory: Update for minimum certificate key length
System Center: Operations Manager Engineering Blog - IMPORTANT: HP-UX PA-RISC computers monitored by Operations Manager will experience heartbeat and monitoring failures after an upcoming Windows update
NDES/SCEP
Wiki > TechNet Articles > Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)
TechNet Blogs > Windows PKI blog > Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES)
Ask the Directory Services Team - iPad / iPhone Certificate Issuance
Apple Support Communities > iPhone > iPhone in the Enterprise > Discussions - iPhone & certificate enrollment OTA via SCEP
TechNet - Windows Server 2008 - AD CS: Network Device Enrollment Service
TechNet - Windows Server 2008 R2 - Use the Network Device Enrollment Service
TechNet - Windows Server 2008 R2 - Configure the Network Device Enrollment Service
Auto-enrollment
Microsoft Learn - Windows Server - Configure certificate auto-enrollment
Microsoft Learn - Certificate Autoenrollment in Windows XP
Microsoft Learn - Certificate Autoenrollment in Windows Server 2003
Microsoft Learn - Troubleshooting (Certificate Autoenrollment in Windows Server 2003)
Sysadmins LV - Certificate Autoenrollment in Windows Server 2016 (part 1)
Sysadmins LV - Certificate Autoenrollment in Windows Server 2016 (part 2)
Sysadmins LV - Certificate Autoenrollment in Windows Server 2016 (part 3)
Sysadmins LV - Certificate Autoenrollment in Windows Server 2016 (part 4)
Sysadmins LV - Certificate Autoenrollment in Windows Server 2016 — Summary
Microsoft Learn - Open Specification - [MS-CERSOD]: 2.1.2.2.2 Autoenrollment in a Domain Environment
matrixpost - Configure certificate auto-enrollment (also describes user auto-enrollment for Outlook S/MIME).
Domain Controller certificate auto-enrollment
In short: if an Enterprise CA is available and the Domain Controllers certificate template is published (it is by default), Domain Controllers will auto-enroll for a certificate from the Domain Controllers certificate template, even when auto-enrollment is not configured via GPO.
Morgan Simonsen's Blog - Active Directory Domain Controllers and certificate auto-enrollment
The things that are better left unspoken - TODO: Upgrade the Certificates for your Windows Server 2016-based Domain Controllers (and up) to enable Windows Hello for Business Hybrid Scenarios
SAN certificates
The Industry Insiders - Creating Subject Alternative Name Certificates with Microsoft Certificate Server
ARB Security Solutions - Creating Certificates With Dual San Attributes
Notes
Verify certificate
certutil -verify -urlfetch c:\digicert.cer >cert1.txt
Problem: Submitting a request via the Certification Authority console results in error
Error:
The request contains no certificate template information. 0x80094801 (-2146875391) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute.
Solution: Use the following to request the certificate:
certreq.exe -submit -attrib "CertificateTemplate:WebServer" c:\setup\certificate.req
Then select the CA that should sign the certificate and save the signed certificate somewhere.
Source: ExchangeInbox.com - Replacing the Exchange 2007 Self-Signed Certificate (Part 2)