Assume the following scenario:
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA). Denied by Policy Module.Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).““
At the latest when the End of product support by the manufacturer (Microsoft) approaches, the question arises as to how and to which operating system a certification authority should be migrated.
Continue reading „Windows Server Migrations-Matrix für die Zertifizierungsstelle“Often a certification authority lives significantly longer than the server on which it was installed. Reasons for migrating the certification authority to a new server, i.e. while retaining the data, can be:
The procedure for migration is described in detail below.
Continue reading „Migration einer Active Directory integrierten Zertifizierungsstelle (Enterprise Certification Authority) auf einen anderen Server“Each Windows Server operating system has a defined end date after which there is no longer any product support from the manufacturer. Certification authorities are also bound to this date, and should therefore be migrated before this date expires.
Continue reading „Ende der Produkt-Unterstützung durch den Hersteller (Microsoft)“Delegation is required whenever there is an intermediary between the user and the actual service. In the case of certification authority web registration, this would be the case if it is installed on a separate server. It then acts as an intermediary between the applicant and the certification authority.
Continue reading „Grundlagen und Risikobetrachtung Delegierungseinstellungen“After installing a Certificate Enrollment Policy Web Service (CEP), or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components are working as desired.
Continue reading „Funktionstest durchführen für den Certificate Enrollment Policy Web Service (CEP)“Assume the following scenario:
Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)““
In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.
Continue reading „Konfiguration der Überwachung von Sicherheitsereignissen (Auditierungseinstellungen) für Zertifizierungsstellen“Once a group policy with audit settings is active, the default auditing rules preconfigured with the operating system are turned off and only the explicitly configured audit settings are applied.
Continue reading „Standard-Auditierungsregeln für Windows Server Betriebssysteme“For a function test or during troubleshooting, it can be useful to check whether the private key of a certificate is usable. If the key is secured with a hardware security module (HSM), for example, there are significantly more dependencies and possibilities for errors than with a software key.
Continue reading „Überprüfen der Verbindung zum privaten Schlüssel eines Zertifikate (z.B. bei Einsatz eines Hardware Security Moduls)“After installing a certification authority, after migrating to a new server, or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components of the certification authority are working as desired.
Continue reading „Funktionstest durchführen für eine Zertifizierungsstelle“Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.
In some cases (for example, with an offline certificate authority, or if non-standard LDAP revocation list distribution points have been configured), the certificate revocation list must be manually published to Active Directory.
Continue reading „Veröffentlichen einer Zertifikatsperrliste (CRL) auf einem Active Directory Sperrlistenverteilungspunkt (CDP)“Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.
After a certificate has been revoked, a new revocation list must be created and published so that entities that check the revocation status are informed of the revocation. Since the revocation list has a relatively short expiration date, it must be reissued at regular intervals even if the content is not changed.
Continue reading „Erstellen und Veröffentlichen einer Zertifikatsperrliste“Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.
When a certificate is revoked, its serial number is placed on the revocation list. Entities that check the revocation of a certificate then consider it to be no longer valid.
Continue reading „Widerrufen eines ausgestellten Zertifikats“Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will impact the CES components.
Continue reading „Benötigte Windows-Sicherheitsberechtigungen für den Zertifikatregistrierungs-Webdienst (CES)“
English 
Deutsch