Microsoft PKI – My Master Links to Documentation

Here is a list of links to what I would consider the best of the documentation that I have found so far. Finding this stuff is not without its issues: Microsoft has moved and archived most of it. Indeed, one of these pages was on one site one day and gone the next, while I was using it. It took a whole lot of searching to find it again.

These first two links are the “Master” pages; links galore including the others below:

Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI) Design Guide

https://social.technet.microsoft.com/wiki/contents/articles/7421.active-directory-certificate-services-ad-cs-public-key-infrastructure-pki-design-guide.aspx

Windows PKI Documentation Reference and Library

https://social.technet.microsoft.com/wiki/contents/articles/987.windows-pki-documentation-reference-and-library.aspx


Technology overviews:

PKI:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779826(v=ws.10)

Certificates:

https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc700805(v=technet.10)?redirectedfrom=MSDN

Certification Authority Guidance

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)


Tier Deployment:

ADCS Step by Step Guide: Single Tier PKI Hierarchy Deployment

https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment

https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831348(v=ws.11)
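The two-tier guides above do everything through the GUI wizards. Here is the same flow scripted with the ADCSDeployment module and certutil, added as an example; it is not code from the guides. The host names ROOTCA and ISSUINGCA, the CA common names, the D:\ removable-media paths and the HTTP publishing URL http://pki.corp.example/CertEnroll are assumptions, and a CAPolicy.inf is assumed to already be in C:\Windows on each CA before the install cmdlet runs.

```powershell
# Added example: two-tier hierarchy scripted with the ADCSDeployment module and certutil.
# Assumed names (not from the guides): offline workgroup root ROOTCA, domain-joined issuing
# CA ISSUINGCA, and an HTTP publishing point http://pki.corp.example/CertEnroll.
# A CAPolicy.inf is assumed to already sit in C:\Windows on each CA before the install runs.

### 1. On ROOTCA (workgroup member, powered off once the issuing CA cert is signed)
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "Corp Root CA" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# Long base CRL, no delta CRL, and CDP/AIA that point at the HTTP site, not at this offline box.
# Prefix numbers are publishing flags: 1 = write the CRL/cert to this location, 2 = put the URL in
# the CDP/AIA extension of issued certs, 6 = 2 + 4 (also list it in the CRL's FreshestCRL),
# 65 = 1 + 64 (write base and delta CRL to this location). certutil splits REG_MULTI_SZ on "\n".
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.corp.example/CertEnroll/%3%8%9.crl'
certutil -setreg CA\CACertPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.example/CertEnroll/%1_%3%4.crt'
Restart-Service certsvc
certutil -crl
# Copy "ROOTCA_Corp Root CA.crt" and "Corp Root CA.crl" from C:\Windows\System32\CertSrv\CertEnroll
# to removable media; they go both to the HTTP site and to the issuing CA.

### 2. On ISSUINGCA (domain member), as an Enterprise Admin, with the root files on D:\
certutil -dspublish -f "D:\ROOTCA_Corp Root CA.crt" RootCA   # domain members trust the root via AD
certutil -dspublish -f "D:\Corp Root CA.crl"
certutil -addstore -f Root "D:\ROOTCA_Corp Root CA.crt"      # and this machine, right now
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "Corp Issuing CA" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -OutputCertRequestFile "D:\IssuingCA.req" -Force
# The service stays stopped until the signed CA certificate is installed in step 4.

### 3. Back on ROOTCA: sign the request (a standalone root leaves requests pending by default)
#   certreq -submit -config "ROOTCA\Corp Root CA" D:\IssuingCA.req      # prints the RequestId
#   certutil -resubmit <RequestId>                                      # approve and issue
#   certreq -retrieve -config "ROOTCA\Corp Root CA" <RequestId> D:\IssuingCA.cer

### 4. On ISSUINGCA: install the signed CA cert, point publishing at the HTTP site, start issuing
certutil -installcert "D:\IssuingCA.cer"
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLPublicationURLs '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://pki.corp.example/CertEnroll/%3%8%9.crl'
certutil -setreg CA\CACertPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.example/CertEnroll/%1_%3%4.crt'
Start-Service certsvc
certutil -crl
```

The point of the split is that the root's key is never online while anything can enroll against it: the root signs exactly one request per issuing CA and one CRL every 26 weeks, and everything clients need to validate (root cert, root CRL, issuing CA cert) is served from the HTTP site, so the root box can stay powered off in between.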


Individual Tools and Topics:

certutil – the command-line Swiss Army knife

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)?redirectedfrom=MSDN

Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW)

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview/ba-p/1128638

PowerShell ADCS Deployment

https://docs.microsoft.com/en-us/powershell/module/adcsdeployment/?view=win10-ps

PowerShell ADCS Administration

https://docs.microsoft.com/en-us/powershell/module/adcsadministration/?view=win10-ps
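The three links above (certutil, PKIVIEW and the ADCSAdministration module) are the day-to-day tools. Here is a scripted health check that covers roughly what pkiview.msc shows (CA answering, CA certificate chain valid, every AIA/CDP URL downloadable) plus a few configuration checks. It is an added example, not code from any of the linked articles; it is meant to run on the issuing CA itself, and the CA name "Corp Issuing CA" is an assumption.

```powershell
# Added example: scripted equivalent of the pkiview.msc checks plus configuration checks,
# using certutil and the ADCSAdministration module. Run on the issuing CA itself.
$CAName = "Corp Issuing CA"                    # assumption
$CA     = "$env:COMPUTERNAME\$CAName"          # certutil "-config" string: host\CA name

# 1. Is the CA answering RPC/DCOM requests at all?
certutil -config $CA -ping
if ($LASTEXITCODE -ne 0) { throw "CA '$CA' is not reachable" }

# 2. Export the CA's current certificate and verify it, downloading every AIA and CDP URL
#    it references. A URL that cannot be fetched is exactly what pkiview.msc flags as an error.
certutil -config $CA -ca.cert "$env:TEMP\ca-current.cer"
certutil -verify -urlfetch "$env:TEMP\ca-current.cer"

# 3. Which CDP and AIA URLs end up in the certificates this CA issues?
Get-CACrlDistributionPoint       | Where-Object AddToCertificateCdp | Select-Object Uri, AddToFreshestCrl
Get-CAAuthorityInformationAccess | Where-Object AddToCertificateAia | Select-Object Uri

# 4. Issued certificates (Disposition 20) expiring within 30 days: the renewal work for next month.
certutil -config $CA -view -restrict "Disposition=20,NotAfter<=now+30:00" -out "RequestID,RequesterName,CommonName,NotAfter"

# 5. Configuration checks that matter for security.
$cfg    = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
$policy = "$cfg\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"

#    EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) lets any enrollee attach a SAN of their choosing to a
#    request, so a user could obtain a certificate for another identity. It should not be set.
$editFlags = (Get-ItemProperty $policy).EditFlags
if ($editFlags -band 0x40000) {
    Write-Warning "EDITF_ATTRIBUTESUBJECTALTNAME2 is set; clear it with: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2"
}

#    AuditFilter 127 = every CA operation category is audited (see the auditing link further down).
$audit = (Get-ItemProperty $cfg).AuditFilter
if ($audit -ne 127) { Write-Warning "AuditFilter is $audit, expected 127" }

#    Templates currently published by this CA. Anything unexpected here deserves a look: a template
#    that allows enrollee-supplied subjects together with an authentication EKU is a way to
#    impersonate other principals.
Get-CATemplate | Sort-Object Name | Format-Table Name, Oid -AutoSize
```

Steps 1, 2 and 3 are what PKIVIEW does interactively; steps 4 and 5 are the things you want a scheduled task to nag you about, since neither pkiview.msc nor the CA event log will tell you that a dangerous flag has been set.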

CAPolicy.inf Syntax

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file
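CAPolicy.inf has to be in %windir% before the CA role is installed; the installer reads it then and again at CA certificate renewal, never in between. Below is an example file for an offline root CA, written from PowerShell so the whole thing stays scriptable. It is an added example, not the one from the linked article; the policy OID (under a placeholder enterprise arc), the CPS URL and the periods are assumptions to be replaced with your organization's values.

```powershell
# Added example: CAPolicy.inf for an offline root CA, written to %windir% before
# Install-AdcsCertificationAuthority runs. OID, URL and periods are assumptions.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

; Certificate policy statement embedded in the CA certificate (the CPS pointer).
[PolicyStatementExtension]
Policies=CorpPolicy

[CorpPolicy]
OID=1.3.6.1.4.1.99999.1.1.1
Notice="Corp Certificate Practice Statement"
URL=http://pki.corp.example/cps.txt

[Certsrv_Server]
; Used when the CA certificate is renewed (and, for the key length, at install).
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; A root that is offline most of the time gets a long base CRL and no delta CRL.
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; 0 = PKCS#1 v1.5 signatures; 1 would select RSASSA-PSS, which some clients still reject.
AlternateSignatureAlgorithm=0

; A root certificate is self-signed: leave the CDP and AIA extensions out of it entirely.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding Ascii

# Quick sanity check: list the section headers and key=value lines the installer will read.
Select-String -Path "$env:windir\CAPolicy.inf" -Pattern '^\[|^\w+='
```

For an enterprise issuing CA the file is shorter: drop the two Empty=True sections (the issuing CA's CDP/AIA come from the registry settings instead), use a one-week CRL with a daily delta, and add LoadDefaultTemplates=0 under [Certsrv_Server] so the CA does not publish the default templates (User, Computer, Web Server and friends) at install. Adding templates deliberately afterwards is far easier than discovering later which of the defaults somebody has enrolled against.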

Firewall Rules:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/firewall-rules-for-active-directory-certificate-services/ba-p/1128612

Disaster Recovery:

Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)

https://docs.microsoft.com/en-us/archive/blogs/pki/disaster-recovery-procedures-for-active-directory-certificate-services-adcs
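A CA you cannot rebuild is a CA whose issued certificates you will eventually have to replace wholesale. Here is a backup script covering the four things a rebuild needs (database, key, registry configuration, template list), with the restore outline in comments. It is an added example and not the procedure text from the linked post; the CA name, the D:\CABackup path and the interactive password prompt are assumptions.

```powershell
# Added example: back up everything needed to rebuild an issuing CA on a fresh server with the
# same host name and CA name. CA name, path and password handling are assumptions.
$CAName  = "Corp Issuing CA"
$Dest    = "D:\CABackup\$(Get-Date -Format yyyyMMdd)"
$PfxPass = Read-Host -AsSecureString "Password to protect the exported CA private key"
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 1. CA database, its log files, and the CA certificate with private key as a PFX protected by $PfxPass.
#    The PFX is the crown jewel: anyone holding it can issue certificates trusted by the whole forest,
#    so the backup location needs the same access controls as the CA itself.
Backup-CARoleService -Path $Dest -Password $PfxPass -KeepLog

# 2. CA configuration: CDP/AIA URLs, CRL periods, EditFlags, audit filter, policy/exit module settings.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "$Dest\CertSvc-Configuration.reg" /y

# 3. CAPolicy.inf (read again at renewal) and the list of templates this CA publishes.
Copy-Item "$env:windir\CAPolicy.inf" $Dest -ErrorAction SilentlyContinue
Get-CATemplate | Select-Object -ExpandProperty Name | Set-Content "$Dest\templates.txt"

# 4. Restore outline, on the rebuilt server (same host name and CA name), after installing the role with
#    Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CertFile <pfx> -CertFilePassword $PfxPass:
#   Stop-Service certsvc
#   Restore-CARoleService -Path $Dest -Password $PfxPass -Force
#   reg import "$Dest\CertSvc-Configuration.reg"
#   Start-Service certsvc
#   Get-Content "$Dest\templates.txt" | ForEach-Object { Add-CATemplate -Name $_ -Force }
```

Test the restore on a lab box before you need it: the registry import in particular carries host-specific values (the CAServerName, the local CertEnroll paths), which is why the procedure insists on the replacement server keeping the original name.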

Local Auditing Policy Setup:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc739760(v=ws.10)?redirectedfrom=MSDN
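CA auditing is a two-part switch, and forgetting either half leaves you with nothing in the Security log: the CA's own AuditFilter chooses which operations it reports, and the Windows audit policy for the Certification Services subcategory decides whether those reports are written at all. Here is both halves plus a query for what they produce, added as an example and not taken from the linked article; the CA name is an assumption, the event IDs are the standard Certification Services ones.

```powershell
# Added example: enable CA auditing end to end and read back the resulting Security events.
# CA name is an assumption; the event IDs are the standard Certification Services ones.
$CAName = "Corp Issuing CA"

# 1. CA side: 127 = all seven categories (start/stop, backup/restore, issue/deny requests,
#    revoke/publish CRL, change CA settings, change security settings, store/retrieve archived keys).
certutil -setreg CA\AuditFilter 127
Restart-Service certsvc

# 2. OS side: Object Access > Certification Services, success and failure.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 3. Verify both halves took effect.
$filter = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName").AuditFilter
if ($filter -ne 127) { Write-Warning "AuditFilter is $filter, expected 127" }
auditpol /get /subcategory:"Certification Services"

# 4. Last 24 hours of CA activity. IDs: 4882 CA security permissions changed, 4885 audit filter changed,
#    4886 request received, 4887 request approved and certificate issued, 4888 request denied,
#    4890 certificate manager settings changed. 4882/4885/4890 outside a change window are the ones
#    to alert on: they are how an attacker with CA admin rights covers their tracks or widens access.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4882, 4885, 4886, 4887, 4888, 4890; StartTime = (Get-Date).AddDays(-1) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Forward these events to your SIEM along with the CA's registry-change events; the CA database itself records who got which certificate, but only the audit log records who changed what the CA was willing to issue.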


Decommissioning/Replacing a CA:

Good short review of the process:

https://serverfault.com/questions/276342/adding-new-root-enterprise-ca-without-disturbing-existing-one

How to decommission a Windows enterprise certification authority and remove all related objects

NOTE: This appears to contain info to wipe out the whole existing PKI. Might want to go easy here.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

https://docs.microsoft.com/en-us/archive/blogs/pki/decommissioning-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-operations-to-a-new-one

Nice blog, and hard to find (referenced in the article above):

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/moving-your-organization-from-a-single-microsoft-ca-to-a/ba-p/398161