June 2020 - Uwe Gradenegger

Chrome and Safari limit SSL certificates to one year validity

Apple recently announced that the Safari browser will only accept certificates with a validity of 398 days in the future, provided they were issued from September 1, 2020.

Mozilla and Google want to implement comparable behavior in their browsers. So the question is whether this change will have an impact on internal certificate authorities - i.e. whether in future internal SSL certificates will also have to follow these rules, as is the case, for example, with the enforcement of the RFC 2818 by Google was the case.

Literature and other resources about public key infrastructures and Active Directory Certificate Services

The following is an overview of literature available on the market on the subject of public key infrastructures and Active Directory Certificate Services, as well as online resources from Microsoft and other PKI specialists.

Performance problems with auditing of "Start and stop Active Directory Certificate Services".

When configuring the auditing settings of a certificate authority, one is inclined to select the "Start and Stop Active Directory Certificate Services" option. However, this option may cause problems in some circumstances.

More than one common name (CN) in the certificate

Nowadays rather a curiosity than really relevant in practice, but it does happen from time to time that you receive certificate requests that contain more than one common name in the subject. Even though it may seem surprising, this is quite possible and also RFC compliant.

The SMTP Exit module does not work on Windows Server Core

Assume the following scenario:

A certificate authority is installed on Windows Server Core.
The SMTP file supplied with the certification authority is used. Exit module configured.
However, the Certification Authority does not send e-mails.
In the event log, the Event no. 46 logged with the following error message:

The "Windows default" Exit Module "Initialize" method returned an error. Class not registered The returned status code is 0x80040154 (-2147221164). The Certification Authority was unable to initialize email messaging objects.

Allow requesting a specific signature key on a certification authority

The Microsoft Certification Authority always signs certificates using the key associated with the most recent Certification Authority Certificate. The signing certificate for an OCSP response should be in accordance with RFC 6960 but signed by the same key as the certificate to be verified:

The CA SHOULD use the same issuing key to issue a delegation certificate as that used to sign the certificate being checked for revocation.
https://tools.ietf.org/html/rfc6960#section-4.2.2.2

However, if the certification authority certificate is renewed and a new key pair is used in the process, it is necessary for the online responder to continue to maintain valid signature certificates for the certificates issued with the previous certification authority certificate, since these are ultimately still valid and must be checked for revocation.

Certificate request fails with error message "The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)".

Assume the following scenario:

A certificate request is sent to a certification authority.
The certificate request fails with the following error message:

Error Parsing Request The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)