Windows PKI Documentation Reference and Library
This page was initially a copy of http://blogs.technet.com/b/pki/archive/2007/08/19/windows-pki-documentation-reference.aspx. Since TechNet Wiki is better suited to maintaining continuously evolving information, the link library will be maintained here from now on.
General information
- Reducing the operational risk when defending the open network with Microsoft PKI
- Security Glossary
- Public Key Infrastructure
- Certificate Services overview
- Active Directory Certificate Services Overview
- Active Directory Certificate Services Frequently Asked Questions (AD CS FAQ)
- Certificate Services Technical Reference
- Cryptographic Services (MSDN Reference)
- How CA Certificates Work
- How Certificates Work
- Cryptography Tools (MSDN Reference)
- Windows Server 2012: AD CS Administration Cmdlets in Windows PowerShell
- Windows Server 2012: AD CS Deployment Cmdlets in Windows PowerShell
- Windows Server 2012 and Windows 8: PKI Client Cmdlets in Windows PowerShell
- CodePlex: Public Key Infrastructure PowerShell module (PSPKI)
Community Forum
What's New?
- Windows Server 2012: What's New in AD CS?
- Windows Server 2012 and Windows 8: What's New Client Certificates Overview
- Windows Server 2012 and Windows 8: AD DS Site Awareness for AD CS and PKI Clients
- Windows Server 2012 and Windows 8: Certificates How To
- Windows Server 2012 and Windows 8: Certificate Services Lifecycle Notifications
- Windows Server 2012: Certificate Template Versions and Options
- Windows Server 2012: Creating a certificate template that includes the Microsoft Platform Crypto Provider on a CA with no TPM
- Windows Server 2012: AD CS Administration Cmdlets in Windows PowerShell
- Windows Server 2012: AD CS Deployment Cmdlets in Windows PowerShell
- Windows Server 2012 and Windows 8: PKI Client Cmdlets in Windows PowerShell
- Windows Server 2012: Delegated Installation for an Enterprise Certification Authority
- Windows Server 2008: Certificate Server Enhancements in Windows Server codename "Longhorn" whitepaper
- Active Directory Certificate Server Enhancements in Windows Server 2008 R2
- PKI Enhancements in Windows XP Professional and Windows Server 2003
Planning
- PKI Design Guidance
- Infrastructure Planning and Design Guide for Active Directory Certificate Services
- Ten Risks of PKI: What You’re not Being Told about Public Key Infrastructure
- Microsoft root certificate program members
- Planning Your Public Key Infrastructure
- Designing and Implementing a PKI: Part I Design and Planning
- Designing and Implementing a PKI: Part II
- Designing and Implementing a PKI: Part III Certificate Templates
- Designing and Implementing a PKI: Part IV Configuring SSL for Web Enrollment and Enabling Key Archival
- Designing and Implementing a PKI: Part V Disaster Recovery
- Designing your own PKI Infrastructure
- Scale testing the world’s largest PKI… all running on WS08R2 and Hyper-V
- To Cluster or Not to Cluster CAs
- Windows XP Professional: Certificate Revocation and Status Checking
- Choosing Security Solutions That Use Public Key Technology
- Cryptography for Network and Information Security
- HSPD-12 Logical Access Authentication and Active Directory Domains
Deployment
This section is organized by AD CS role service, since each role service is a distinct implementation type.
Certification Authority
- Windows Server 2012: Certification Authority Guidance
- Windows Server 2012: AD CS Deployment Cmdlets in Windows PowerShell
- Windows Server 2008 R2: AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
- Windows Server 2008 R2: Step by Step Guide - Single Tier PKI Hierarchy Deployment
- Windows Server 2008 R2: Installing a Suite B Only PKI with Windows Server 2008 R2
- Windows Server 2008: Download of the Infrastructure Planning and Deployment guide for the Active Directory Certificate Services (AD CS)
- Windows Server 2003: Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
- Windows Server 2003: Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003
- Extended Validation support for websites using internal certificates
- Certificate Templates and their Storage within Active Directory
- Windows 2008 PKI - This article contains a step-by-step walkthrough of building an offline root CA and an online issuing CA, but it has some errors. For example, it recommends configuring actual CDP and AIA locations on the root CA, which should not be done (as stated in the sample CAPolicy.inf).
High Availability - Clustering
- Windows Server 2012, Windows Server 2008 R2, Windows Server 2008: Active Directory Certificate Services (AD CS) Clustering
- Windows Server 2008 and 2008 R2: Configuring and Troubleshooting Certification Authority Clustering (download)
CA Migration
- Windows Server 2012, Windows Server 2008, Windows Server 2003: Active Directory Certificate Services Migration Guide
Certification Authority Web Enrollment (CAWE)
- Windows Server 2012: Certification Authority Web Enrollment Guidance
- Windows Server 2012: AD CS Deployment Cmdlets in Windows PowerShell
- How to configure the Windows Server 2008 CA Web Enrollment Proxy
Certificate Enrollment Web Services (CEP and CES)
- Windows Server 2012: Certificate Enrollment Web Service Guidance
- Implementing Certificate Enrollment Web Services in Windows Server® 2012 that uses an Issuing CA with spaces in the name
- Windows Server 2012: Certificate Enrollment Policy Web Service Guidance
- Windows Server 2012: Test Lab Guide: Demonstrating Certificate Key-Based Renewal
- Windows Server 2012: AD CS Deployment Cmdlets in Windows PowerShell
- Windows Server 2012, Windows Server 2008: Certificate Enrollment Web Services in Active Directory Certificate Services
- Windows Server 2008: Certificate Enrollment Web Services (Ask DS Blog)
- Windows Server 2008 R2: Certificate Enrollment Web Services in Windows Server 2008 R2 (Whitepaper download)
Network Device Enrollment Services (NDES and MSCEP and SCEP)
- Windows Server 2012: Network Device Enrollment Service Guidance
- Windows Server 2012: AD CS Deployment Cmdlets in Windows PowerShell
- Windows Server 2012, Windows Server 2008: Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)
- Windows Server 2008: Configuring Network Device Enrollment Service for Windows Server 2008 with Custom Certificates (Ask DS Blog)
Online Certificate Status Protocol (OCSP)
- Windows Server 2012, Windows Server 2008, Windows Server 2003: Online Responder Installation, Configuration, and Troubleshooting Guide
- Windows Server 2012: AD CS Deployment Cmdlets in Windows PowerShell
- Windows Server 2003: Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services
- Implementing an OCSP responder
Certificate Enrollment, Autoenrollment, Interforest (cross-forest) Enrollment
- Windows Server 2012, Windows Server 2008: Certificate Enrollment Web Services in Active Directory Certificate Services
- Windows Server 2012: Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services
- Windows Server 2012 and Windows 8: PKI Client Cmdlets in Windows PowerShell
- Windows Server 2008 R2: Cross-forest Certificate Enrollment with Windows Server 2008 R2
- Windows Server 2003: Certificate Autoenrollment in Windows Server 2003
- Windows Server 2003: Advanced Certificate Enrollment and Management
- Creating "Wildcard" Certificate Requests for IIS using the Windows Vista/Server 2008 Certificates MMC plugin
- Certificate Creation Tool (Makecert.exe)
- Certreq Tool
- Certreq.exe Syntax
- Certutil Tool
Smart Cards
Credential Roaming
- Windows Server 2012, Windows Server 2008, Windows 2003, Windows XP, Windows 7, Windows 8: Credential Roaming
- Windows Server 2003: Configuring and Troubleshooting Certificate Services Client–Credential Roaming
- Windows Server 2003: Webcast: Credential Roaming Basics
Backup, Restore, Disaster Recovery
- Windows Server 2012 Active Directory Certificate Services System State Backup and Restore
- Active Directory Certificate Services PKI - Key Archival and Management
- Certificate Services example implementation: Key archival and recovery
Operations
- Windows Server 2012: AD CS Administration Cmdlets in Windows PowerShell
- Windows Server 2003 PKI operations and configuration guide
- Key Archival and Management in Windows Server 2003
- Active Directory Certificate Services PKI - Key Archival and Management
- Certificate Services example implementation: Key archival and recovery
- Troubleshooting Certificate Status and Revocation
- TechNet Support WebCast: Best practices for relocating certification authority and for failure recovery
- TechNet Support WebCast: Troubleshooting and evaluating Public Key Infrastructure health in Microsoft Windows Server 2003 and Microsoft Windows 2000
- How to move a certification authority to another server
- HOWTO: Move a certificate authority to a new server running on a domain controller
- How to remove manually Enterprise Windows Certificate Authority from Windows 2000/2003 Domain
- Custom extensions in the CAPolicy.inf file does not take effect after you renew the root CA certificate by using a new key
- How to make a stand-alone certification authority compliant with ISIS-MTT version 1.1
- How to make an Enterprise certification authority compliant with ISIS-MTT version 1.1
- Digital Certificates Cleanup Script
- CRL freshness checking scripts
- Certificate Chaining Engine — how this works
- Windows Server 2008 R2 CAPolicy.inf Syntax
- Troubleshooting Certificate Autoenrollment in Active Directory Certificate Services (AD CS)
- Certutil tasks for managing certificates
- Certutil Examples for Managing Active Directory Certificate Services (AD CS) from the Command Line
- Active Directory Certificate Services SMTP Exit Module for Windows Server 2008 R2 Example
Troubleshooting
- Troubleshooting PKI Problems in Windows
- Large CRLs: What is Added to a Certificate Revocation List (CRL)?
- Windows Vista: Troubleshooting PKI problems on Windows Vista
- Windows Server 2012, Windows Server 2008, Windows Server 2003: Online Responder Installation, Configuration, and Troubleshooting Guide
- Certificate Templates Not Available for Windows 7 and Windows Server 2008 R2 Certificate Recipients using Certificate Enrollment Web Services
- Windows Server 2003: Configuring and Troubleshooting Certificate Services Client–Credential Roaming
- Troubleshooting Certificate Status and Revocation
- Custom extensions in the CAPolicy.inf file does not take effect after you renew the root CA certificate by using a new key
- You cannot download CA certificate from web enrollment pages
- Active Directory Certificate Services (AD CS): Error: "In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication"
- Windows Server 2012: Creating a certificate template that includes the Microsoft Platform Crypto Provider on a CA with no TPM
- How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects
Develop
- Windows Client Certificate Enrollment Protocol Specification
- Certificate Services Remote Administration Protocol
- Cryptographic Services
- Cryptography Reference
- Cryptography, CryptoAPI, and CAPICOM
- Customizing the Certificate Services Web Enrollment Pages
- Creating Certificate Requests Using the Certificate Enrollment Control and CryptoAPI
- Code-Signing Best Practices
Books
Lost Links and Information
If you find any of this information, please link to it and place it in the appropriate section above. If you find broken links above that you cannot fix, please move the lost entries to this section.
- TechNet Support WebCast: Best Practices for Public Key Infrastructure: Steps to build an offline root certification authority (part 1 of 2)
- TechNet Support WebCast: Best practices for Public Key Infrastructure: Setting up an offline subordinate and an online enterprise subordinate (part 2 of 2)
- TechNet Webcast: Deploying a PKI Solution with Active Directory Certificate Services
- TechNet Webcast: Deploying PKI Inside Microsoft