Basics: Replacing (Superseding) Certificate Templates

Version 2 certificate templates, introduced with Windows XP and Windows Server 2003, added the option for a certificate template to supersede one or more other templates.

This makes it possible to replace issued certificates with those of another certificate template, or to consolidate multiple certificate templates into a single one.


Basics: Cryptographic Service Provider (CSP) and Key Storage Provider (KSP)

Since Windows NT 4.0, the Cryptographic Service Provider (CSP) has been part of the CryptoAPI.

The purpose is that an application does not have to concern itself with the concrete implementation of key management, but can leave it to generic operating system interfaces. It is also intended to prevent cryptographic keys from being loaded into memory in the security context of the calling user or application (a severe security incident based on precisely this problem was the Heartbleed incident).

For example, it makes no technical difference to the certification authority software how its private key is protected, whether in software or with a hardware security module (HSM). From the certification authority's point of view, the call to use the private key is always the same.

With Windows Vista and the introduction of Cryptography Next Generation (CNG) as a replacement for CryptoAPI, Key Storage Providers (KSP) were introduced.


Remote desktop certificate request fails with error message "The permissions on the certificate template do not allow the current user to enroll for this type of certificate."

Assume the following scenario:

The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The permissions on the certificate template do not allow the current user to enroll for this type of certificate.