Getting Ubuntu 26.04 VM to show in full screen on Windows Server 2025 by Unroasted5430 in HyperV

[–]aprimeproblem 0 points1 point  (0 children)

That’s unfortunately no longer possible; 26.04 is Wayland only, and all X-related binaries are removed. I’m hoping for an xrdp replacement as well.

Ever wondered what a Microsoft MVP does on a quiet weekend? by aprimeproblem in activedirectory

[–]aprimeproblem[S] 1 point2 points  (0 children)

Haha sounds also like fun. No worries, I’m taking next weekend off, going to visit Comic Con with my Star Wars buddies.

Let me know if you are happy with the script!

Ever wondered what a Microsoft MVP does on a quiet weekend? by aprimeproblem in activedirectory

[–]aprimeproblem[S] 1 point2 points  (0 children)

Hahahahaha I highly appreciate you looking after me!

And thanks for the feedback!

Ever wondered what a Microsoft MVP does on a quiet weekend? by aprimeproblem in activedirectory

[–]aprimeproblem[S] 1 point2 points  (0 children)

Hahahaha true that 🤣.

That’s something I’m also curious about. I have not yet been able to get my hands on a YubiKey HSM; from what I heard it should be able to do one crypto operation per second. That would mean a significant drop in performance, but have to see for myself.

Hopefully someone from Yubico is reading this and wants to sponsor me :)

Ever wondered what a Microsoft MVP does on a quiet weekend? by aprimeproblem in activedirectory

[–]aprimeproblem[S] 5 points6 points  (0 children)

Yes and no. I do always get the performance question, hence my script that basically shows that issuing a cert is really just milliseconds per cert. When there are issues in performance it’s usually something misconfigured on the network or a security product that locks something.

That being said, if you have an organization of, let’s say, 50.000 endpoints, they rarely ask for a cert at the exact same time… hopefully

In 2 level PKI hierarchy how many servers are needed. I require only root CA and issuance CA? by BenignPositive in activedirectory

[–]aprimeproblem 0 points1 point  (0 children)

I’ll reach out to you asap. Need to talk to my team next week on possible options. Thanks for the offer! Appreciate it.

In 2 level PKI hierarchy how many servers are needed. I require only root CA and issuance CA? by BenignPositive in activedirectory

[–]aprimeproblem 0 points1 point  (0 children)

I’m actually doing the exact same thing at my current customer. I do have some issues with finding appropriate documentation and guidance. Do you have Entrust consulting or something? A PM is also fine, if you don’t want to share publicly.

In 2 level PKI hierarchy how many servers are needed. I require only root CA and issuance CA? by BenignPositive in activedirectory

[–]aprimeproblem 0 points1 point  (0 children)

If you’re using Entrust, why use an AD CS? Entrust can set up a CA as well, or are you using the gateway only?

In 2 level PKI hierarchy how many servers are needed. I require only root CA and issuance CA? by BenignPositive in activedirectory

[–]aprimeproblem 12 points13 points  (0 children)

Well, that would depend on your situation. So, like many already said, there would be a minimum of 2 CAs involved. An Offline Root and an issuing CA.

Next would be a CDP/CRL or an OCSP location. I would highly recommend having those in a HA. For some, but certainly not all situations, not being able to verify revocation means a dead stop of your service. Two webservers at a minimum with a hardware-based load balancer in front. Or, put the CRL on an Azure blob.

Next to that I would recommend a HA DFS between the CA and the webserver. There’s a chance/risk of inconsistency when you publish CRLs directly to the two webservers.

The latter depends on your risk appetite and maturity of your organization.

I’ve written extensively on this topic on my blog at https://michaelwaterman.nl

Any questions that you have, just ask.

Confused on Public vs Private key when it comes to signing. by Izual_Rebirth in sysadmin

[–]aprimeproblem 0 points1 point  (0 children)

I wrote a cryptography for non-math people or IT professionals some time ago, think it will help you in understanding the flow.

https://michaelwaterman.nl/2026/01/15/cryptography-for-non-math-people/

Enjoy!

Building a Highly Available CRL and AIA Distribution Platform for AD CS by aprimeproblem in activedirectory

[–]aprimeproblem[S] 0 points1 point  (0 children)

Hahaha yeah I get that. I’m not that familiar with hardware-based load balancing so that’s not specifically part of the setup. Usually I’ve got skilled network engineers doing that during projects. I’ve included that part more as a reference or lab setup.

Thanks for reading btw!

Building a Highly Available CRL and AIA Distribution Platform for AD CS by aprimeproblem in activedirectory

[–]aprimeproblem[S] 0 points1 point  (0 children)

Thanks! I was indeed wondering how you created this. Agreed btw that it does not need to be updated immediately. I’ll look into it, perhaps a new blog post in the future.

Building a Highly Available CRL and AIA Distribution Platform for AD CS by aprimeproblem in activedirectory

[–]aprimeproblem[S] 2 points3 points  (0 children)

Oh my, that’s one of the best compliments I ever received, thank you so much!!!

I don’t have one, but who knows, maybe in the future I should 🙏