WS03 Certificate Services Web enrollment from other Windows versions

Posted on Updated on

Certificate Services are the Public Key Infrastructure (PKI) services from Microsoft for Windows Server 2003. A PKI consists of a hierarchy of 1 or more Certificate Authority (CA) entities. A component of Certificate Services is Web, used for enrollment of certificates via a web based way. Enrollment can be simply translated in this case as “requesting & receiving”. On WS08(R2) Certificate Services has become a part of Active Directory (AD) and is renamed as Active Directory Certificate Services (AD CS).

When you browse to a CA’s Certificates Services Web (http://DOMAIN/certsrv) from a system with Vista, WS08 or higher, you receive the following error if the CA is running WS03 SP2 (with WS03 pre-SP2 you get another error; more about this later): Read the rest of this entry »

CRL caching in Windows (and a little bit about OCSP caching too)

Posted on Updated on

A very dark topic for many people is CRL caching. It seems unimportant, too technical, not well documented and very difficult. Still, I think it’s important enough to embrace it and I hope you’ll see it’s a little bit easier than you probably think it is. In this article the focus is on Windows XP/Windows Server 2003 and upwards.

You can only understand the workings of CRL caching if you understand basic terms like a certificate, a PKI and a CRL. This article isn’t meant to explain everything about these terms (otherwise I’m actually writing a whole book), but I’m going to give a small introduction to CRLs nevertheless: many people have at least a decent idea about what a certificate or PKI is, but they start sweating from the point they hear terms like “CRL”. That’s why I’ll skip the theory about certificates and PKIs, but on the other hand introduce you to CRLs anyway. So if you don’t know what a certificate or PKI is, this article is above your head. If you do, don’t hesitate to continue, even if the abbreviation CRL doesn’t tell you a thing. After the CRL introduction, which should not be considered a full presentation of the subject, we’ll tackle the CRL caching itself. Be aware I’m only dealing with the X.509 certificate standard here, which is the normal and most common certificate standard abroad. Read the rest of this entry »