ADCS Resources

---

Misc Links

• https://vimeo.com/nicconf/review/35053082/aaff51b192
• https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
• https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx
• https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
• https://blogs.technet.microsoft.com/askds/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning/
• https://blogs.technet.microsoft.com/askds/2009/10/13/designing-and-implementing-a-pki-part-ii-implementation-phases-and-certificate-authority-installation/
• https://blogs.technet.microsoft.com/askds/2010/05/27/designing-and-implementing-a-pki-part-iii-certificate-templates/
• https://blogs.technet.microsoft.com/askds/2011/04/06/designing-and-implementing-a-pki-part-iv-configuring-ssl-for-web-enrollment-and-enabling-key-archival/
• https://blogs.technet.microsoft.com/askds/2011/04/07/designing-and-implementing-a-pki-part-v-disaster-recovery/
• https://blogs.technet.microsoft.com/askds/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp/
• https://blogs.technet.microsoft.com/askds/2009/06/25/implementing-an-ocsp-responder-part-ii-preparing-certificate-authorities/
• https://blogs.technet.microsoft.com/askds/2009/06/29/implementing-an-ocsp-responder-part-iii-configuring-ocsp-for-use-with-enterprise-cas/
• https://blogs.technet.microsoft.com/askds/2009/06/30/implementing-an-ocsp-responder-part-iv-configuring-ocsp-for-use-with-standalone-cas/
• https://blogs.technet.microsoft.com/askds/2009/08/20/implementing-an-ocsp-responder-part-v-high-availability/
• https://blogs.technet.microsoft.com/askds/2009/08/21/implementing-an-ocsp-responder-part-vi-configuring-custom-ocsp-uris-via-group-policy/
• https://social.technet.microsoft.com/Profile/chdelay/activity
• https://blogs.technet.microsoft.com/xdot509/2013/03/22/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-wrap-up/
• https://blogs.technet.microsoft.com/pki/2009/08/07/understanding-key-archival/

Never add a CPS to a root server

If you have an intermediate server you should not add a CPS to your root server. Only the intermediate should have the CPS.

• https://www.sysadmins.lv/blog-en/certificate-policies-extension-all-you-should-know-part-1.aspx

Don’t add an CDP LDAP location on an offline Root if CDP http location is HA

• https://serverfault.com/questions/732655/removing-ldap-from-cdp-aia-in-a-microsoft-pki

Use a random OID or apply for a proper PEM

• https://security.stackexchange.com/questions/26516/what-oid-issuance-policies-are-appropriate-for-smartcard-and-browser-certificate

RFC3647 - Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework

• https://tools.ietf.org/html/rfc3647

ADCS Delegation

• https://blog.keyfactor.com/ad-cs-web-enrollment-delegation

How to Decommission an old CA

• https://support.microsoft.com/en-us/help/889250/how-to-decommission-a-windows-enterprise-certification-authority-and-r

NDES servers can’t be HA

• https://social.technet.microsoft.com/wiki/contents/articles/12610.network-device-enrollment-services-ndes-frequently-asked-questions-faq.aspx

Using a gMSA for your NDES Service

• https://blogs.technet.microsoft.com/pki/2015/04/26/setting-up-ndes-using-a-group-managed-service-account-gmsa/

Setting up an NDES Server

• https://www.slsmk.com/installing-scep-using-microsoft-ndes/
• https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune/
• https://blogs.technet.microsoft.com/askds/2011/07/12/ill-take-ndes-in-the-dmz-for-1000-alex/
• https://blogs.technet.microsoft.com/askds/2010/11/22/ipad-iphone-certificate-issuance/

Enable SANs via ADCS Web Enrollment Pages

• https://ammarhasayen.com/2010/12/17/how-to-request-a-san-certificate-using-ms-ca-web-enrollment-pages/
• https://docs.microsoft.com/en-us/windows/desktop/SecCrypto/customizing-the-certificate-services-web-enrollment-pages

Getting Kerberos Working with CA Web Enrollment Proxy

• https://blogs.technet.microsoft.com/askds/2009/04/22/how-to-configure-the-windows-server-2008-ca-web-enrollment-proxy/
• https://sharepointlink.blogspot.com/2010/07/iis-7-kernel-mode-authentication.html

Web Enrollment Won’t Show Templates

• https://support.microsoft.com/en-us/help/2015796/version-3-cng-templates-will-not-appear-in-windows-server-2008-or-wind
• https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx#Permissions_Required_for_the_Network_Device_Enrollment_Service
• https://blogs.technet.microsoft.com/mspfe/2012/12/27/how-to-avoid-having-users-enroll-for-multiple-certificates/