# Localized 09/15/2018 04:58 AM (GMT) 303:6.40.10614 CertificateServices.psd1 # # Only add new (name,value) pairs to the end of this table # Do not remove, insert or re-arrange entries # ConvertFrom-StringData @' ###PSLOC start localizing # # PreCheck # PreCheck_Title=Active Directory Certificate Services must be running to complete the Best Practice scan PreCheck_Problem=Active Directory Certificate Services must be running to complete the Best Practice scan. PreCheck_Impact=The Active Directory Certificate Services Best Practice scan cannot be completed because Active Directory Certificate Services is not running. PreCheck_Resolution=Use Server Manager to start Active Directory Certificate Services. # # NoneApplicable # NoneApplicable_Title=There are no applicable best practices for the AD CS role services installed on this computer NoneApplicable_Compliant=The Active Directory Certificate Services (AD CS) Best Practices Analyzer does not have any applicable best practices for the AD CS role services that are installed on this computer. # # UserAEPolicySetCheck # UserAEPolicySetCheck_Title=User autoenrollment group policy is not enabled UserAEPolicySetCheck_Problem=This certification authority (CA) was installed as an enterprise CA, but Group Policy settings for user autoenrollment have not been enabled. UserAEPolicySetCheck_Impact=An enterprise CA can use autoenrollment to simplify certificate issuance and renewal.  If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected. UserAEPolicySetCheck_Resolution=If user autoenrollment is desired, use the Group Policy Management Console to configure user autoenrollment policy settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate templates. UserAEPolicySetCheck_Compliant=The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # MachineAEPolicySetCheck # MachineAEPolicySetCheck_Title=Computer autoenrollment group policy is not enabled MachineAEPolicySetCheck_Problem=This certification authority (CA) was installed as an enterprise CA, but Group Policy settings for computer autoenrollment have not been enabled. MachineAEPolicySetCheck_Impact=An enterprise CA can use autoenrollment to simplify certificate issuance and renewal.  If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected. MachineAEPolicySetCheck_Resolution=If computer autoenrollment is desired, use the Group Policy Management Console to configure computer autoenrollment policy settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate templates. MachineAEPolicySetCheck_Compliant=The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # CRLPeriodInSecondsCheck # CRLPeriodInSecondsCheck_Title=The CRL publication interval for a stand-alone root CA should be at least 30 days CRLPeriodInSecondsCheck_Problem=To enhance security, a root certification authority (CA) should remain offline except when needed to issue or renew a certificate. When a root CA is offline, certificate revocation list (CRL) publication intervals should be extended beyond the default seven-day period. CRLPeriodInSecondsCheck_Impact=An offline or stand-alone CA may not be able to automatically publish updated CRLs.  If updated CRLs are not published to their CRL distribution points, revocation checks on certificates issued by the CA may  fail. CRLPeriodInSecondsCheck_Resolution=Use the Certification Authority snap-in to set the CRL publication interval to 30 days or longer. CRLPeriodInSecondsCheck_Compliant=The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # PolicyModuleCheck # PolicyModuleCheck_Title=When user-defined subject alternate names are permitted, set all certificate requests to pending PolicyModuleCheck_Problem=The policy module for a certification authority (CA) is configured to allow the user to define the subject alternative name  to be included within a certificate. However, it is not configured to set certificate requests to pending, which requires a certificate manager to review and approve each request. PolicyModuleCheck_Impact=When users can define the subject alternate name to be included within a certificate, they can specify an identity other than their own. Unless you require a certificate manager to review and approve each request, there is an increased risk of identity spoofing. PolicyModuleCheck_Resolution=Configure the policy module for the CA to set all certificate requests to pending and require a certificate manager to review and approve each request before a certificate is issued. PolicyModuleCheck_Compliant=The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # CRLURLsCheck # CRLURLsCheck_Title=CRL distribution point locations should be included in the extensions of issued certificates CRLURLsCheck_Problem=This certification authority (CA) is not configured to include certificate revocation list (CRL) distribution point locations in the extensions of issued certificates. The CRL distribution point extension provides the network location of the CRL. CRLURLsCheck_Impact=Clients may not be able to locate a CRL to check the revocation status of a certificate, and certificate validation may fail. CRLURLsCheck_Resolution=Use the Certification Authority snap-in to configure the CRL distribution point extension and specify the network location of the CRL. CRLURLsCheck_Compliant=The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # AIAURLsCheck # AIAURLsCheck_Title=Authority information access locations should be included in the extensions of issued certificates AIAURLsCheck_Problem=This certification authority (CA) is not configured to include authority information access locations in the extensions of issued certificates. The authority information access extension provides the network location of the issuing CA's certificate. AIAURLsCheck_Impact=Clients may not be able to locate the issuing CA's certificate to build a certificate chain, and certificate validation may fail. AIAURLsCheck_Resolution=Use the Certification Authority snap-in to configure the authority information access extension and specify the network location of the issuing CA's certificate. AIAURLsCheck_Compliant=The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # CRLKeySuffixCheck # CRLKeySuffixCheck_Title=CRL distribution point locations should include the CRL name suffix CRLKeySuffixCheck_Problem=The location of the certificate revocation list (CRL) specified in the CRL distribution point extension is not configured to include the CRL name suffix. CRLKeySuffixCheck_Impact=Clients may not be able to locate the correct version of the CRL to check the revocation status of a certificate, and certificate validation may fail. CRLKeySuffixCheck_Resolution=Use the Certification Authority snap-in to configure the CRL distribution point extension to include the CRL name suffix in each location. CRLKeySuffixCheck_Compliant=The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # AIAKeySuffixCheck # AIAKeySuffixCheck_Title=Authority information access locations should include the certificate name suffix AIAKeySuffixCheck_Problem=The location of the certification authority (CA) certificate specified in the authority information access extension is not configured to include the certificate name suffix. AIAKeySuffixCheck_Impact=Clients may not be able to to locate the correct version of the issuing CA's certificate to build a certificate chain, and certificate validation may fail. AIAKeySuffixCheck_Resolution=Use the Certification Authority snap-in to configure the authority information access extension to include the certificate name suffix in each location. AIAKeySuffixCheck_Compliant=The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # CRLLocalWebURLsCheck # CRLLocalWebURLsCheck_Title=Web Server (IIS) role should be installed if CRL distribution point extension URIs refer to the local Web server CRLLocalWebURLsCheck_Problem=The certificate revocation list (CRL) distribution point extension on this certification authority (CA) refers to the local Web server. However, the Web Server (IIS) role is not installed. CRLLocalWebURLsCheck_Impact=Clients may not be able to locate a CRL to check the revocation status of a certificate, and certificate validation may fail. CRLLocalWebURLsCheck_Resolution=Use Server Manager to add the Web Server (IIS) role and add virtual directories to match the HTTP URI included in the CRL distribution point extension. Otherwise, remove the HTTP URI from the extension by using the Certification Authority snap-in. CRLLocalWebURLsCheck_Compliant=The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # AIALocalWebURLsCheck # AIALocalWebURLsCheck_Title=Web Server (IIS) role should be installed if authority information access extension URIs refer to the local Web server AIALocalWebURLsCheck_Problem=The authority information access extension on this certification authority (CA) refers to the local Web server. However, the Web Server (IIS) role is not installed. AIALocalWebURLsCheck_Impact=Clients may not be able to locate the issuing CA's certificate, and certificate validation may fail. AIALocalWebURLsCheck_Resolution=Use Server Manager to add the Web Server (IIS) role and add virtual directories to match the HTTP URI included in the authority information access extension. Otherwise, remove the HTTP URI from the extension by using the Certification Authority snap-in. AIALocalWebURLsCheck_Compliant=The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # DeltaCRLRemoteWebURLsCheck # DeltaCRLRemoteWebURLsCheck_Title=Web server should allow URIs containing a plus sign (+) to enable publishing of delta CRLs DeltaCRLRemoteWebURLsCheck_Problem=The certificate revocation list (CRL) distribution point extension on this certification authority (CA) includes URIs for a remote Web server. If the Web server is Internet Information Services (IIS) 7.0 with the default configuration, then delta CRL URIs that contain a plus sign (+) will be blocked. DeltaCRLRemoteWebURLsCheck_Impact=Clients may not be able to locate a CRL to check the revocation status of a certificate, and certificate validation may fail. DeltaCRLRemoteWebURLsCheck_Resolution=If the Web server that hosts the delta CRL is running IIS 7.0, then ensure that the "Allow double escaping" check box is selected in the IIS Request Filtering settings. DeltaCRLRemoteWebURLsCheck_Compliant=The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. # # DBFilesOnSystemDriveCheck # DBFilesOnSystemDriveCheck_Title=CA database and log files should not be stored on the system drive DBFilesOnSystemDriveCheck_Problem=This certification authority (CA) is configured to store the certificate database or log files on the system drive. DBFilesOnSystemDriveCheck_Impact=Database and log files can become very large and can possibly consume all available disk space. If these files are located on the system drive, then this can cause the operating system to fail. DBFilesOnSystemDriveCheck_Resolution=Move the certificate database and log files to a non-system drive, and update the CA configuration to indicate the new location. DBFilesOnSystemDriveCheck_Compliant=The Active Directory Certificate Services Best Practice Analyzer scan has determined that you are in compliance with this best practice. '@