Archive for the ‘Windows Server 2008’ Category

Public Key Infrastructure at Microsoft – 2008 R2 Edition

October 3rd, 2011

Microsoft IT has released an updated version of the “Public Key Infrastructure at Microsoft” whitepaper (document 1750_PKI_TWP).

The update covers the changes made to Microsoft's internal PKI as part of the Windows Server 2008 R2 migration. Microsoft IT outlines many useful lessons learned and best practices from the migration/upgrade process.

Some of my favourites are the way they use CRL overlap to provide higher availability of CRLs, the simplified two-tier hierarchy combined with cross-forest enrollment, and the discussion of virtualising CAs.
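CRL overlap is worth spelling out, because the default is easy to get wrong. The CA publishes a new base CRL every CRLPeriod, and the overlap period is added on top of that to each CRL's validity, so a relying party still holds a valid CRL if the new one is late reaching the CDP. When CRLOverlapPeriodUnits is left at 0, AD CS uses a default overlap of 10% of the CRL period, capped at 12 hours. The following script is an added example, not code from the whitepaper or from Microsoft IT; the CA name, the CRL path and the certutil -dump date format are assumptions. It sets the registry values with certutil -setreg, restarts the service, publishes a CRL, and then reads ThisUpdate/NextUpdate back out of the published CRL so the effective validity window can be compared with the publication interval.

```powershell
# Added example: configure CRL overlap on an AD CS CA and verify the published CRL.
# Hypothetical CA name and CRL path; adjust before use. Run in an elevated prompt on the CA.

function Invoke-CertUtil {
    # Run certutil.exe and fail loudly on a non-zero exit code.
    param([string[]]$CertUtilArgs)
    & certutil.exe @CertUtilArgs
    if ($LASTEXITCODE -ne 0) { throw "certutil $($CertUtilArgs -join ' ') failed with exit code $LASTEXITCODE" }
}

function Set-CrlSchedule {
    # Base CRL every week, valid for an extra 2 days; delta CRL daily, valid for an extra 12 hours.
    # Units strings accepted by AD CS: Hours, Days, Weeks, Months, Years.
    param(
        [int]$PeriodUnits = 1,        [string]$Period = 'Weeks',
        [int]$OverlapUnits = 2,       [string]$Overlap = 'Days',
        [int]$DeltaUnits = 1,         [string]$DeltaPeriod = 'Days',
        [int]$DeltaOverlapUnits = 12, [string]$DeltaOverlap = 'Hours'
    )
    $settings = [ordered]@{
        'CA\CRLPeriodUnits'             = $PeriodUnits
        'CA\CRLPeriod'                  = $Period
        'CA\CRLOverlapPeriodUnits'      = $OverlapUnits
        'CA\CRLOverlapPeriod'           = $Overlap
        'CA\CRLDeltaPeriodUnits'        = $DeltaUnits
        'CA\CRLDeltaPeriod'             = $DeltaPeriod
        'CA\CRLDeltaOverlapPeriodUnits' = $DeltaOverlapUnits
        'CA\CRLDeltaOverlapPeriod'      = $DeltaOverlap
    }
    foreach ($name in $settings.Keys) {
        Invoke-CertUtil '-setreg', $name, "$($settings[$name])"
    }
    Restart-Service CertSvc      # registry changes only take effect after a service restart
    Invoke-CertUtil '-crl'       # publish a base (and delta) CRL with the new validity
}

function Get-CrlWindow {
    # Parse ThisUpdate / NextUpdate from "certutil -dump <file.crl>" and return the
    # validity span. Assumes certutil prints the dates in the current culture's format.
    param([string]$CrlPath)
    $dump = & certutil.exe -dump $CrlPath
    $culture = [System.Globalization.CultureInfo]::CurrentCulture
    $thisUpdate = $null; $nextUpdate = $null
    foreach ($line in $dump) {
        if ($line -match 'ThisUpdate:\s*(.+)$')     { $thisUpdate = [datetime]::Parse($Matches[1].Trim(), $culture) }
        elseif ($line -match 'NextUpdate:\s*(.+)$') { $nextUpdate = [datetime]::Parse($Matches[1].Trim(), $culture) }
    }
    if (-not $thisUpdate -or -not $nextUpdate) { throw "Could not find ThisUpdate/NextUpdate in $CrlPath" }
    [pscustomobject]@{
        ThisUpdate = $thisUpdate
        NextUpdate = $nextUpdate
        ValidFor   = $nextUpdate - $thisUpdate   # should exceed the publication interval by the overlap
    }
}

# Usage (hypothetical CA and path):
Set-CrlSchedule
Get-CrlWindow -CrlPath "$env:SystemRoot\System32\CertSrv\CertEnroll\CONTOSO-ISSUING-CA.crl"
```

With the values above the base CRL is republished weekly but each copy stays valid for nine days, which is the window you have to fix a broken CDP publication before clients start failing revocation checks. Remember to check the CRL that is actually reachable at the CDP URL, not only the local copy.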

Some of the highlighted features in the document are:

Windows Server 2008:

  • Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis
  • Enhanced performance monitoring with the addition of new performance counters
  • Scalable, high-speed revocation status response services that combine CRLs with the integrated Online Responder (OCSP) service
  • Support for Cryptography Next Generation (CNG) to enable the use of Suite B algorithms
  • Enhanced service monitoring with the introduction of the Windows Server 2008 AD CS Management Pack for Microsoft Operations Manager 2005
  • More detailed server administration with restricted certificate managers
  • Failover cluster support

Windows Server 2008 R2:

  • Cross-forest enrollment capability that allows consolidation of existing CA hardware
  • Databaseless CA feature to avoid storing unnecessary certificate records
  • Best Practice Analyzer for improved configuration practices
  • Web-based certificate enrollment protocol to allow enrollment over the Internet


"Rip and Replace" certificate services from Windows Server 2003 to 2008

September 29th, 2008

Is it possible to migrate a Windows Server 2003 based Certification Authority to Windows Server 2008?

The answer is yes, but you need all the details in the Active Directory Certificate Services Upgrade and Migration Guide from Microsoft.

The short answer is that you need to perform the following steps:

  1. Back up the existing CA using the certutil -backup command. This exports the CA certificate and private key together with the CA database; also export the CertSvc registry configuration and save CAPolicy.inf, since certutil -backup does not cover those.
  2. Decommission the old server and install the new Windows Server 2008 server with the same host name as the replaced one. Both the host name and the CA name must stay the same, because they are embedded in the issued certificates' CDP and AIA URLs.
  3. Add the AD CS role, choosing to use the existing private key, and import the CA certificate and key from the backup.
  4. Upgrade the certificate templates to the Windows Server 2008 versions.
  5. Restore the old CA database using the certutil -restore command (use -f to overwrite the empty database created during role installation), then import the saved registry configuration and restart Certificate Services.
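The steps above, written out as the two halves of the procedure around certutil.exe. This is an added example and not a script from the post or from Microsoft's migration guide; the CA name, backup path, .p12 password, and the line format parsed from certutil -catemplates are assumptions, and PowerShell is assumed to be available on both servers. The first block runs on the Windows Server 2003 CA, the second on the replacement Windows Server 2008 server once it has been given the same host name and joined to the domain. Adding the role itself is interactive in Windows Server 2008 (the AD CS PowerShell cmdlets only arrive in Windows Server 2012), so that step is left as a comment.

```powershell
# Added example: "rip and replace" of an AD CS CA from Windows Server 2003 to 2008 with certutil.
# Hypothetical names and paths; run each part in an elevated prompt on the server named in its comment.

$CaName      = 'CONTOSO-ISSUING-CA'   # hypothetical CA common name (must be kept on the new server)
$BackupDir   = 'D:\CABackup'          # hypothetical backup location (removable disk or a share)
$P12Password = 'ChangeMe-Before-Use'  # protects the exported CA key; placeholder

function Invoke-CertUtil {
    # Run certutil.exe and stop on any non-zero exit code so a failed backup or restore is never skipped.
    param([string[]]$CertUtilArgs)
    & certutil.exe @CertUtilArgs
    if ($LASTEXITCODE -ne 0) { throw "certutil $($CertUtilArgs -join ' ') failed with exit code $LASTEXITCODE" }
}

# ---------- Part 1: on the OLD Windows Server 2003 CA ----------
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 1: full backup of the CA key + certificate (written as <CAName>.p12) and the database.
Invoke-CertUtil '-p', $P12Password, '-backup', $BackupDir

# certutil -backup does not save the CA configuration (validity periods, CDP/AIA URLs,
# CRL overlap, ...) or CAPolicy.inf, so take those separately.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CertSvc-Config.reg"
if (Test-Path "$env:SystemRoot\CAPolicy.inf") { Copy-Item "$env:SystemRoot\CAPolicy.inf" $BackupDir }

# Record which templates the CA publishes; they are re-published on the new server below.
& certutil.exe -catemplates | Out-File "$BackupDir\published-templates.txt"

# Step 2 prerequisite: remove the AD CS role from this server, remove it from the domain and
# power it off so the host name can be reused by the Windows Server 2008 machine.

# ---------- Part 2: on the NEW Windows Server 2008 server (same host name, domain joined) ----------
# Step 2/3: in Server Manager add the Active Directory Certificate Services role, select
# "Use existing private key" -> "Select a certificate and use its associated private key",
# import "$BackupDir\$CaName.p12" and keep the CA name unchanged.

# Step 4: install the Windows Server 2008 template set.
Invoke-CertUtil '-installdefaulttemplates'

# Step 5: restore the database over the empty one the role wizard created (-f overwrites it),
# put the saved configuration back (review the .reg file for paths first), then restart the service.
Stop-Service CertSvc
Invoke-CertUtil '-f', '-restoredb', $BackupDir
& reg.exe import "$BackupDir\CertSvc-Config.reg"
Start-Service CertSvc

# Re-publish the templates recorded on the old CA. Assumes each certutil -catemplates line
# starts with "<TemplateName>: <Display Name> ...".
Get-Content "$BackupDir\published-templates.txt" | ForEach-Object {
    if ($_ -match '^(\S+):') { Invoke-CertUtil '-setcatemplates', "+$($Matches[1])" }
}

# Post-checks: the key matches the CA certificate, the service answers, and a CRL from the new host.
Invoke-CertUtil '-verifykeys'
Invoke-CertUtil '-ping'
Invoke-CertUtil '-crl'
```

Keep the .p12 and the registry export off the box and protected; between them they are the CA. After the restore, issue a test certificate and fetch the CRL from the CDP URLs in it before telling anyone the migration is done.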



Categories: ADCS, certutil, Security, Windows Server 2008 Tags: