dash.

training

Links from my ‘PKI Fundamentals’ training, available for delivery as corporate training or for individuals at authorized Microsoft Learning partners.

Please report broken links.

Introduction to Cryptography

• Cryptanalysis on Wikipedia

Algorithms

• Sunsetting SHA-1 (kind of an old already in 2024)
• SHA-256 Compatibility — SHA-256 Compatibility
• Disk encryption theory - Wikipedia
• Good example of ECB (Electronic Codebook) encryption, more on it here The ECB Penguin
• Tweakable Block Ciphers
• Bitlocker: AES-XTS (new encryption type)
• You Don’t Want XTS

OIDs

• Show an OID at IANA then type 53698

• [IANA

  Request Private Enterprise Numbers](http://pen.iana.org/pen/PenApplication.page)

• OIDs for Microsoft Cryptography

ASN.1

• [ASN.1 Editor

  PKI Solutions](https://www.pkisolutions.com/tools/asn1editor/)

Getting Started with CAs

External CAs

• SSL certificates at Comodo

• [Microsoft Trusted Root Certificate Program Audit Requirements

  Microsoft Learn — Microsoft Trusted Root Certificate Program](https://social.technet.microsoft.com/wiki/contents/articles/31635.microsoft-trusted-root-certificate-program-audit-requirements.aspx)

• Example of terminated trust
• Example of terminated trust

Active Directory Certificate Services

• Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI) Design Guide kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429)
• Commands for AD CS setup on Windows Server Core
• Lab Guide: Installing a Two-Tier AD CS
• Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy
• AD CS common issues
• KB5005413: Mitigating NTLM Relay Attacks on AD CS
• What is a strong key protection in Windows? - Sysadmins LV — Much more about this:
• Activating the Strong Private Key Protection
• Force strong key protection for user keys stored on the computer
• Windows FIPS 140 validation FIPS compliant algorithms for encryption, hashing, and signing Federal Information Processing Standard (FIPS) 140-2 is a security implementation that is designed for certifying cryptographic software. This setting has a lot of impact, not all of it good.
• AD CS Security Guidance
• Install and Configure Certificate Enrolment Policy Web Service
• TameMyCerts policy module for Microsoft Active Directory Certificate Services
• Sleepw4lker/TameMyCerts: Policy Module for Microsoft Active Directory Certificate Services on GitHub
• GhostPack/PSPKIAudit: PowerShell toolkit for AD CS auditing based on the PSPKI toolkit. — PSPKIAudit on GitHub
• certutil — PKI Health Tool, Certutil

PowerShell automation

• [PSPKI

  PKI Solutions — PSPKI](https://www.pkisolutions.com/tools/pspki/)

• Approve-CertificateRequest with PSPKI
• Backup-CARoleService

HSMs

• Certification Authority Guidance Planning Key Storage, Hardware Security Module (HSM)
• Azure Cloud HSM Onboarding Guide
• Azure Cloud HSM Integration Guide
• Key storage provider (KSP) for AWS CloudHSM Client SDK 5 - AWS CloudHSM — AWS CloudHSM
• SoftHSM v2 for Windows

Online Responders

• Manually verify a certificate against an OCSP with OpenSSL

NDES

• Linuz Certificate Enrollment and Automated Renewal Using NDES

OpenSSL

• Download and install OpenSSL Light with winget

Practical Applications

Web Servers

• Nartac Software IIS Crypto for setting cipher suites on IIS
• SSL Server Test test which cipher suite is being used(Powered by Qualys SSL Labs)
• Hardenize comprehensive web site configuration test
• CAA Records devined by DNS Simple
• CAA Records Certificate Authority Authentication defined by Let’s Encrypt
• CAA Record Generator Construct a CAA record
• DNS Propagation Checker Global DNS Testing Tool — Check proppegation of your DNS records to troubleshoot CAA visibility
• HSTS Preload List Submission
• Certificate and Public Key Pinning
• Red Sift Proactive certificate expiry notification

Smart Cards

• Drivers for the Gemalto cards
• Setting up Certificate Templates to Enroll on behalf of other Users

• [Enabling smart card logon - Windows Server

  Microsoft Learn — Logon with certs from 3rd-party Cas](https://support.microsoft.com/en-us/help/281245/guidelines-for-enabling-smart-card-logon-with-third-party-certificatio)

• Virtual Smart Cards
• Get Started with Virtual Smart Cards - Walkthrough Guide

PowerShell Remoting

• Enable secure Windows/Powershell Remoting over https

Disk encryption

• How to Make BitLocker Use 256-bit AES Encryption Instead of 128-bit AES

Code signing

• [SignTool - Win32 apps

  Microsoft Learn — Sign Tool documentation here:](https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool)

• SSL certificates inside Java apps
• Java Code Signer

DNS SEC

• DNSViz visualization for “lab.graydaycafe.com”
• DNSSEC Debugger

Timestamps

• Time Stamp Server & Stamping Protocols
• Free Time Stamp Authority

Other applications

• What is Strict KDC Validation? by Ammar Hasayen
• Enabling Strict KDC Validation in Windows Kerberos
• Authenticate with X.509 certificates — Azure IoT
• Device Guard
• Encrypted SQL Server Connections
• Using Certificates in Azure SQL Database

Further reading

• Trustless transaction verification (watch on YouTube)
• Post-quantum Cryptography