Active Directory Certificate Services (AD CS) Survival Guide

This "Survival Guide" aims to gather all materials related to Active Directory Certificate Services (AD CS). Feel free to add content, links and information relevant to the subject.

Getting Started

• PKI Design Guidance
• Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI) Design Guide
• Certificates Help (en-US)
• Active Directory Certificate Services (AD CS) Overview
• Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)
• AD CS Security Guidance
• Certificate Status and Revocation Checking
• Active Directory Certificate Services Performance Reports
• AD CS on Virtual Machines
• Certificate Chaining Engine (CCE)
• Windows PKI Documentation Reference and Library
• Active Directory Certificate Services Learning Roadmap Community Edition
• Certification Authority Root Signing
• Certificates How To
• How to Use the Certificates Console

Books

• Windows Server® 2008 PKI and Certificate Security

Planning and Deployment

• Certificate Template Versions and Options
• Step by Step Guide - Single Tier PKI Hierarchy Deployment (en-US)
• Active Directory Certificate Services (AD CS) Clustering (en-US)
• Offline Root Certification Authority (CA)
• Deploying AD CS Using Windows PowerShell
• AD CS Deployment Guidance (en-US)
• Running AD CS on Server Core (en-US)
• Updated requirements for a Windows Server 2008 R2 domain controller certificate from a 3rd party CA
• History of Network Device Enrollment Service (NDES) and Considering its New Features in Windows Server 2008/2008 R2
• Certificate Template Versions and Options

Management

• Certutil Examples for Managing Active Directory Certificate Services (AD CS) from the Command Line
• Configuring Certificate Template: "A Certificate could not be created. A private key could not be created."
• AD CS Remote Server Management
• Root CA certificate renewal
• Active Directory Certificate Services PKI - Key Archival and Management
• Reduce the Operational Risk When Defending the Open Network with Microsoft PKI
• Creating a certificate template that includes the Microsoft Platform Crypto Provider on a CA with no TPM

Monitoring

Keeping

• How to Set a Static DCOM Port for AD CS
• AD CS: How to Obtain a List of Certificate Templates that are Superceding other Certificate Templates

Windows Root Certificate

• Windows Root Certificate Program - Members List (All CAs)
• Introduction-to-the-Microsoft-Root-Certificate-Program
• Windows Root Certificate Program Members (en-US)
• May 2010 Root Update - new CAs and new root certificates
• Windows Root Certificate Members (August 2010)
• Windows Root Certificate Members (October 2010)
• Windows Root Certificate Members (March 2011)
• Windows Root Certificate Members (June 2011)
• Windows Root Certificate Members (June 2011)
• Windows Root Certificate Program Members (November 2011)
• Windows Root Certificate Program Members (February 2012)
• Windows Root Certificate Program Members (March 2012)
• Windows Root Certificate Program Members (April 2012)

Troubleshooting

• Certification Authority Web Enrollment Configuration Failed 0x80070057 (WIN32: 87) (en-US)
• Active Directory Certificate Services (AD CS): How to Restore the pKIEnrollmentService object
• Active Directory Certificate Services (AD CS): Error: "In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication"
• AD CS: Certificate Authority installation fails: "Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790)"
• AD CS Error: "The directory name is invalid." 0x8007010b (WIN32/HTTP:267)
• You cannot download CA certificate from web enrollment pages
• Troubleshooting Certificate Autoenrollment in Active Directory Certificate Services (AD CS)
• Incompatible with Windows Server 2008 Enterprise (Version 3 or V3) Certificate Templates
• Active Directory Certificate Services PKI Troubleshooting Survival Guide Reference
• You cannot submit a certificate request generated by Exchange Management Console (EMC) or Exchange Management Shell (EMS) to Microsoft Certificate Services
• How to Change/Extend the Expiration Date of Certificates that Are Issued by a Windows Server 2008 or a Windows Server 2003 Certificate Authority

Tools

• Certutil

Videos

Blogs

Microsoft Team Blog:

• Windows PKI blog
• Ask the Directory Services Team - PKI Articles

Blogs maintained by the community:

-

Forums

Certifications

Twitters

Protocol Workloads Poster

Virtual Labs

• Test Lab Guide: Converting a Single-Tier PKI CA Hierarchy to a Two-Tier PKI Hierarchy

See Also

• Wiki: List of Technologies and Related Topics
• Wiki: Survival Guides Portal