Myths #2: PKI edition.

Take notice: My new feed address is now http://feed.feedcat.net/806052. Please re-subscribe. BTW, do you know what certificate template options like “Allow private key to be exported” or “Prompt the user during enrollment and require user input when the private key is used” really do? Do they make you more secure or not? Certainly, some people who read my blog know the answer, and others have already guessed it: no. They don’t enforce any behavior on a client: they just communicate the features requested by the CA. A good example of this was Windows 2003: while you weren’t able to export … Continue reading Myths #2: PKI edition.

Creating self-signed certificate for code-signing

Just in case you cannot google it or you don’t like solutions longer than two command lines… Sometimes you need to assure yourself that the scripts or code you are about to run are the same as when you created them. One way to achieve this is to put a flash drive with them into a safe. Another is to get them signed. The second option seems to be a more convenient means, but it requires a code-signing certificate. Buying one is quite an expense: I have failed to find any cheaper than $99 per two years. Well, it … Continue reading Creating self-signed certificate for code-signing

IE7 & SSL

I’ve received a question through the Russian TechNet Forums, the answer to which deserves to be widely known. The fact is that the CRL checking process was changed in IE7 for the case where the CRL is not reachable. While IE6 shows a warning in that case, IE7 by default doesn’t show anything. It is easy to think up a situation (which is, fortunately, harder to implement) in which this browser behavior leads to problems. It is quite easy to switch things back; just add the following key to the registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED] "iexplore.exe"=dword:00000001 After that we … Continue reading IE7 & SSL