Errata in Windows Server® 2008 PKI and Certificate Security from MS Press
This article has been created in response to customer issues that have been brought up to Microsoft Support, forums, and other community connection points. The official location to submit errata for the Windows Server® 2008 PKI and Certificate Security book by Brian Komar is on the O'Reilly Web Site (http://www.oreillynet.com/cs/catalog/create/errata/?b=13153). The purpose of this article is to organize errata for submission and allow people to contribute to the errata reporting rapidly as a community. This article is not meant to discourage people from reading this commonly recommended and praised book - instead, you are encouraged to read the book with the knowledge that there are a few issues inside.
Chapter | Title | Page | Error Description | Additional notes |
6 | CAPolicy.inf sample | 134 | In the book:
CRLPeriod=3
CRLPeriodUnits=days
CRLOverlapPeriod=4
CRLOverlapPeriodUnits=hours
CRLDeltaPeriod=12
CRLDeltaPeriodUnits=hours
Use the following instead (overlaps are not read from CAPolicy.inf):
CRLPeriod=3
CRLPeriodUnits=days
CRLDeltaPeriod=hours
CRLDeltaPeriodUnits=12 |
Confirmed |
6 | Implementing a CA Hierarchy | 135 | The example CAPolicy.inf is missing the [Cert_Server] section just above renewalkeylength=2048 | Pending triage |
10 | Certificate Revocation | 219 | On the Extensions tab, select the added Online Responder URL, select the Include In The AIA Extension Of Issued Certificates and Include In The Online Certificate Status Protocol (OCSP) Extension check boxes, and then click OK.
Should read: On the Extensions tab, select the Issued Certificates and then select Include In The Online Certificate Status Protocol (OCSP) Extension check box, and then click OK. |
Pending triage |
10 | Certificate Revocation | 219 | To designate that the URL is included in the AIA extension and is published as an OCSP extension, a value of 34 is assigned.
Should read: You should not select Include in the AIA extension of issued certificates when specifying the AIA for OCSP. You should select only Include in the online certificate status protocol (OCSP) extension, otherwise OCSP will appear as broken in the Enterprise PKI (pkiview.msc) application. |
Confirmed |
10 | Certificate Revocation | 221 | By selecting the Auto-Enroll for an OCSP Signing Certificate check box, the OCSP Responder will automatically enroll and renew its OCSP signing certificate per the renewal settings in the certificate template.
Should read: The OCSP Signing Certificate should not have the Autoenroll checkbox selected. The renewal will happen automatically without the autoenroll checkbox selected. Do not select the autoenroll checkbox because OCSP enrollment will not work properly if you do. |
Confirmed |
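The page 219 erratum on the value 34 can be checked against a CA's configured AIA entries. The following is an added example, not taken from the book or from this article. It assumes the entries are in the "flags:url" form used by the CA's CACertPublicationURLs setting and that flag 2 means "include in the AIA extension" and flag 32 means "include in the OCSP extension" (so 34 is both). The sample entries and host names are constructed.

```python
# Audit AIA publication entries for the page 219 erratum: an OCSP URL should
# carry only the OCSP flag (32), not the AIA flag as well (2 + 32 = 34).
ADD_TO_AIA = 0x02    # include in the AIA extension of issued certificates
ADD_TO_OCSP = 0x20   # include in the OCSP extension


def parse_entry(entry):
    """Split one 'flags:url' entry into (int flags, url)."""
    flags, sep, url = entry.partition(":")
    if not sep or not flags.strip().isdigit() or not url:
        raise ValueError("not a 'flags:url' entry: %r" % entry)
    return int(flags), url


def audit_aia_entries(entries):
    """Return (url, current_flags, corrected_flags) for every OCSP entry
    that is also marked for inclusion in the AIA extension."""
    findings = []
    for entry in entries:
        flags, url = parse_entry(entry)
        if flags & ADD_TO_OCSP and flags & ADD_TO_AIA:
            findings.append((url, flags, flags & ~ADD_TO_AIA))
    return findings


# Constructed sample: a local publish path, an HTTP AIA location, and an
# OCSP URL configured with the value 34 that the book describes.
SAMPLE_ENTRIES = [
    r"1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt",
    "2:http://pki.example.com/CertEnroll/%1_%3%4.crt",
    "34:http://ocsp.example.com/ocsp",
]

if __name__ == "__main__":
    for url, current, corrected in audit_aia_entries(SAMPLE_ENTRIES):
        print("%s: flags %d should be %d (OCSP extension only)"
              % (url, current, corrected))
```
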
Additional references:
- OREILLY: Books and Videos: Unconfirmed Errata for Windows Server(r) 2008 PKI and Certificate Services
- OREILLY: Books and Videos: Confirmed Errata for Windows Server(r) 2008 PKI and Certificate Services