Microsoft Press Windows Server 2008 PKI Book Errata


The unofficial errata list

Welcome to the unofficial errata list for the "2008 PKI book." The intent of this page is to provide corrections and clarifications to the published text. We will focus on the necessary corrections for Windows Server 2008, though many of the concepts are applicable to newer operating systems. However, this page is not intended to update the material or add additional subject matter for new features, industry practices or OS differences.

If you have additional suggestions, corrections or other errata to add, please contact us.

Change Log – Last Updated July 13, 2018

| Page | Section | Correction |
|---|---|---|
| 102 | [AuthorityInformationAccess] | Remove ";URL = file://\\%1\Public\My CA.crt". Windows Vista and newer removed support for SMB-based retrieval of AIA certificates. |
| 102 | [CRLDistributionPoint] | Remove ";URL = file://\\%1\Public\My CA.crl". Windows Vista and newer removed support for SMB-based retrieval of CRLs. However, you may still use an SMB path to publish the CRL to a remote host, such as a web server hosting the HTTP retrieval of CRLs by clients. |
| 107 | N/A | Remove "file://\\%1\CertEnroll\%1_%3%4.crt". Windows Vista and newer removed support for SMB-based retrieval of AIA certificates. In addition, the CA can't be configured to publish its certificate to a custom location. Thus any SMB syntax in the AIA section is invalid. |
| 108 | [certsrv_server] | Add note: "RenewalKeyLength, RenewalValidityPeriod, and RenewalValidityPeriodUnits are not required to be present in the capolicy.inf. These values are only necessary if you want to change the key size or validity period during a renewal. Absent these values, the CA will use the values currently defined in the CA certificate when it is renewed." |
| 108 | Note | Change "You cannot set the initial CA key length and validity period in the CApolicy.inf file. The value at installation is configured in the installation wizard for a root CA and is defined by the parent CA for all subordinate CAs." to "You cannot set the initial CA key length and validity period in the CApolicy.inf. The key length and validity period values are configured in the installation wizard for a root CA. For all subordinate CAs, the key length is set in the installation wizard and the validity period is set on the parent CA." |
| 109 | DiscreteSignatureAlgorithm | Change all references to "DiscreteSignatureAlgorithm". This parameter was only used during the beta of Windows Server. The correct parameter is "AlternateSignatureAlgorithm". |
| 115 | Table 6-2 CRL Publication Options | Second row, change "Include in all issued certificates" to "Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually". Change the value from "2" to "8". |
| 115 | Table 6-2 CRL Publication Options | Fourth row, change "Include in the CDP extension of CRLs" to "Include in the CDP extension of issued certificates"; change the value from "8" to "2". |
| 115 | Table 6-2 CRL Publication Options | Fifth row, change "Publish delta CRLs to this location. Specifies where to publish in AD DS when publishing to LDAP URLs" to "Publish Delta CRLs to this location". |
| 116 | Table 6-3 AIA Publication Options | After the table, add the following text: "ServerPublish (value 1), while referenced and used by Microsoft, can't be used to specify an alternate publishing location or syntax for the AIA. The CA will only create a copy of its certificate in the %windir%\system32\certsrv\certenroll folder and in Active Directory (if domain integrated). Specifying an alternate location to create the certificate will not be honored. If you need the certificate placed somewhere else, such as a web-based AIA location, you must copy the CA certificate to that location manually or via script." |
| 116 | certutil -setreg CA\CRLPublicationURLs | Note that beginning in this section and throughout the remainder of the book, the certutil commands show the variable syntax "double-escaped". When running certutil commands directly at a command prompt, variables should be specified as %3%8%9 and so forth. When running the commands in a batch file, the syntax in the book is correct: batch file processing requires escaping each variable with an additional %, so the variable syntax in the batch file looks like %%3%%8%%9. Note and apply this in all future references. |
| 122 | DiscreteSignatureAlgorithm=1 | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm. |
| 125 | Certutil -setreg CA\csp\DiscreteSignatureAlgorithm | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm. |
| 126 | DiscreteSignatureAlgorithm=1 | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm. |
| 131 | Certutil -setreg CA\csp\DiscreteSignatureAlgorithm | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm. |
| 135 | DiscreteSignatureAlgorithm=1 | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm. |
| 140 | Certutil -setreg CA\csp\DiscreteSignatureAlgorithm | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm. |
| 160 | DiscreteSignatureAlgorithm | Change DiscreteSignatureAlgorithm to AlternateSignatureAlgorithm. |
| 195 | Figure 9-3 | Note that the check box "Use strong private key protection features provided by the CSP (this may require administrator interaction every time the private key is accessed by the CA)" should be shown as "Allow administrator interaction when the private key is accessed by the CA." |
| 195 | Note | Change "you must use strong key protection features" to "you must enable the option 'Allow administrator interaction when the private key is accessed by the CA'". |
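The following batch file applies the publication corrections above (no SMB retrieval URLs in the CDP or AIA extensions, the CA certificate copied to the web location by script, and batch-style double-escaped variables) in one place. It is an added example, not code from the book or from Microsoft; the host pki.example.com and the share \\webserver\pki are assumed placeholders for your own web server.

```batch
@echo off
rem Added example (not from the book): set CDP/AIA publication on a Windows
rem Server 2008 CA from a .bat file. Every certutil variable is double-escaped
rem (%%3, %%8, %%9 ...) because this is a batch file; typed directly at a
rem command prompt the same values would be written as %3%8%9.
rem Assumed placeholders: pki.example.com and \\webserver\pki.

rem CRL locations. Flag values per Table 6-2 as corrected:
rem   1 = publish CRLs here, 2 = include in CDP extension of issued certs,
rem   4 = include in CRLs (delta CRL location), 8 = include in all CRLs
rem   (AD location when publishing manually), 64 = publish delta CRLs here.
rem No file://\\server\share URL goes into the CDP extension (p. 102/115):
rem Vista and newer clients will not fetch a CRL over SMB. The SMB path is
rem used only with 65 (1+64) so the CA writes the CRL into the web directory.
certutil -setreg CA\CRLPublicationURLs ^
 "65:%%WINDIR%%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n6:http://pki.example.com/pki/%%3%%8%%9.crl\n65:\\webserver\pki\%%3%%8%%9.crl"

rem AIA locations per Table 6-3. 1 = ServerPublish, 2 = include in the AIA
rem extension of issued certificates. ServerPublish only writes the CA cert
rem to the local CertEnroll folder and (if domain integrated) to AD, so the
rem HTTP location gets value 2 only and is populated by the copy below.
certutil -setreg CA\CACertPublicationURLs ^
 "1:%%WINDIR%%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://pki.example.com/pki/%%1_%%3%%4.crt"

rem Restart the CA so the new registry values take effect, then publish a CRL.
net stop certsvc
net start certsvc
certutil -CRL

rem The CA will not publish its certificate to a custom AIA location (p. 116),
rem so copy it to the web server share. %WINDIR% is single-escaped here on
rem purpose: this time the batch file itself must expand it.
copy /Y "%WINDIR%\system32\CertSrv\CertEnroll\*.crt" "\\webserver\pki\"
```

Verify afterwards with `certutil -getreg CA\CRLPublicationURLs` and `certutil -getreg CA\CACertPublicationURLs` that the stored strings contain single-percent variables such as %3%8%9, not %%3%%8%%9.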