The PKI Guy Blog

PKI The PKI CryptoGram

PKI Solutions logo contest!

We’re pleased to announce that we’re unveiling our new company logo on our website today. The PKIGuy and the rest of the team here are excited to welcome you to our first-ever PKI Solutions logo contest!

Since cryptography is the art of writing and solving codes, we decided to have some fun with the roll-out of our new logo and get you guys involved. We want to invite you to participate in our contest to see how many cryptography clues and graphic elements that you can find in our logo.

How it works:
Visit our website and click the link here to enter the contest. The contest begins on Friday, February 23 at 6:00 a.m. PST and ends at 12 a.m. PST on Saturday, March 3.

Who wins:
The top three people who find the most clues and design elements that relate to cryptography will each win our contest.

What you win:
Each of the top three winners will win the thrill of victory … AND each winner will receive one (1) of three (3) $31 Starbucks eGift cards.

Good luck cracking the code!

  • February 23, 2018

Backups Database Hardware Security Modules Hotfixes Maintenance Offline CA PKI

Backing up ADCS Certificate Authorities (Part 2 of 2)

In my last blog post (Backing up ADCS Certificate Authorities Part 1) I covered the inner workings of how ADCS and the Jet database work to maintain the CA data. In this post I am going to go over a comprehensive PowerShell script that I wrote to perform a full backup of all necessary ADCS components. In addition, this backup will ensure the CA performs the necessary log maintenance and truncation that I indicated was vital in Part 1. (more…)

  • January 11, 2018

Backups Database Hardware Security Modules Hotfixes Maintenance Offline CA PKI

Backing up ADCS Certificate Authorities (Part 1 of 2)

One of the areas I have spoken about extensively at conferences and cover in my training classes is the unique issues associated with backing up and managing your ADCS Certificate Authority. There are several items I would like to address in this two-part series:

  • CA Database and log file structure
  • Unique issues with VM Snapshots with ADCS
  • CA Private Key backups (and when they aren’t happening)
  • Using PowerShell to Backup

  • December 14, 2017


2018 Training Class Schedule

It’s here: the 2018 PKI Training schedule is now live and accepting registrations. There are three In-Depth classes and three Advanced PKI classes split between the US and Europe. Be sure to check out the schedule and register early, as classes usually sell out in advance.

PKI In-Depth Class

  • Portland, Oregon: March 26-30, 2018
  • Washington DC: May 21-25, 2018
  • London, England: June 11-15, 2018

PKI Advanced Class

  • Portland, Oregon: July 16-20, 2018
  • Washington DC: August 13-17, 2018
  • London, England: September 10-14, 2018

As always, contact me if you have any questions. Registrations are available on the website here.

  • October 25, 2017


Book Recommendation – Hacking the Hacker (Roger Grimes)

Book Recommendation

A good friend of mine whom I met while at Microsoft just had one of his books released. Roger is a Security Columnist for InfoWorld and is a pretty dang sharp guy. His new book, Hacking the Hacker, has some good information in many different areas confronting modern cybersecurity specialists. Of particular interest to anyone reading this blog is his inclusion of information around cryptography and hashes, and his profile of Mark Hellman, of Diffie-Hellman fame. If you are looking at expanding your tool set and knowledge, this is a great book to do that. (more…)

  • June 5, 2017

Training Classes

PKI Solutions Announces Training Scholarships for PDX Cyber Camp 2017

I am pleased to announce that, in partnership with the PDX Cyber Camp, PKI Solutions has created a scholarship for 3 young students attending the PDX Cyber Camp to attend one of my PKI In-Depth training classes this year. This will be a great way to offer these students exposure to PKI and all of its uses. The students will build on the knowledge they learned in the camp and get a chance to network with cybersecurity professionals from around the world.

The original Press Release is available on PRWeb here.

  • May 3, 2017

Certificate Templates Documentation Hall of Shame PKI

Help a SME Out – Don’t Guess at Template Settings

One of the areas we spend time on in the PKI In-Depth class is learning about Certificate Templates. There are a lot of tabs in the template manager and a lot of specific settings on those tabs. I can certainly understand the desire to click those pretty checkboxes, toggle radio buttons and get lost in the beauty of a Win32-based GUI form. But this can lead to many issues down the road. We literally spend almost half a day in class going over each and every one of these options and settings in the template.

But my focus today is on the prevalence of bad tech articles that include bad or, worse, incorrect information on using certificate templates. Today’s example is a lovely article from VMware on creating a template for use with vSphere 6.0 here.

  • May 2, 2017

Certificate Validation Certutil Documentation Hall of Shame Internet Explorer Offline CA PKI Revocation Watch Out

Ignore Revocation Checking – The bane of my existence!

As students in my PKI training classes know, one of the areas I am vocal about is the blind use of the CRLF_REVCHECK_IGNORE_OFFLINE setting in a PKI environment. I am so adamantly against the use of this setting that I personally refuse to ever explicitly share or type the syntax to enable this nasty beast. Unfortunately this setting pops up in vendor documentation, software deployment guides and other “authoritative” sources that place customers at risk. It is a classic example of companies writing software or guides based on what they did in their test environments and unknowingly exposing their customers to a big risk.

  • April 20, 2017

Certificate Validation Internet Explorer PKI Revocation RFCs Watch Out

What Your Browser Doesn’t Tell You Can Hurt You – Revocation and Internet Explorer

One of the topics I have been using as an example of revocation checking behavior in my PKI In-Depth class is the interesting case of Internet Explorer (IE) and its revocation behavior. Let’s take a moment and have you think about your assumption of how IE is behaving when you go to an HTTPS (SSL/TLS) website. The general assumption is that the TLS certificate is downloaded from the web server, and the URL entered is compared to the Subject/Subject Alternative Name extensions to ensure we arrived at the right site and haven’t been redirected. The browser should go on and validate additional information like validity period and key usage, and of course assemble the chain of certificates to ensure it comes from a trusted CA. It will of course check the revocation status of that certificate, and of any certificates in the chain above it. But what do you expect will occur if revocation checking fails? Such as not being able to reach the revocation site, finding an expired CRL, a tampered CRL or an inactive OCSP Responder?

  • February 11, 2017

Certificate Templates Certificate Validation Hash Algorithms Known Issues PKI

RSASSA-PSS – Why Your Certificate Can’t Be Validated

A common theme has been arriving in my email box lately, as well as in many online forums. Consistently, people are reporting errors with certificates issued by their internal Microsoft ADCS-based CAs. Problems range from Apple devices to Firefox, appliances and many other systems. When people examine their certificates they see that their certificates are SHA-based, including many or all of the CAs in the hierarchy. So what is causing the problem? (more…)

  • February 1, 2017

© Copyright 2013-2018 PKI Solutions Inc. All Rights Reserved.