November 2021 - Uwe Gradenegger

What happens if a user has requested multiple certificates?

I recently encountered the phenomenon that due to a faulty request logic, several users had made new certificate requests at regular intervals.

The certificate template was configured to have incoming certificate requests released by a certificate manager, i.e. the certificates were not issued automatically. The certificate requests were to be checked by a separate code and then released.

One would now expect that (since all certificate requests would eventually be approved) users would now find multiple certificates of the same type in their certificate store (and the applications that use it). However, this was not the case.

It is not possible to create a certificate template. Error message "The following template name has already been used".

Assume the following scenario:

A new certificate template is to be created.
The creation fails with the following error message:

The following template name has already been used: ADCSLaboratoryUserTest. Enter a unique template name.

Operating the Certification Authority without exit module

If a certification authority is installed, the "Windows Default" exit module is automatically activated. This enables e-mail messages to be sent when certain events occur at the certification authority. However, most companies do not use this feature at all.

But even if the exit module is not used at all, it causes sessions on the certification authority database (see Event no. 46). On Certification Authorities with high load this can be problematic.

If the functions it offers are not used at all (under Windows Server Core the "Windows Default" exit module basically does not work), it can also be disabled completely.

Cause research: Snipping Tool and other components in Windows 11 no longer usable due to expired certificate

Today went through many Mediathat some apps and components in the recently released Windows 11 no longer work since 01.11.2021 and that the cause for this is a certificate that expired on 31.10.2021. In the meantime Microsoft has pointed out in a blogpost and also a patch for some affected components published.

Unfortunately, none of the available sources provided detailed information about what exactly the problem was. So let's get to the bottom of it ourselves.

The database schema of the Certification Authority database

Would you like to Queries against the Certification Authority database formulate, you must first know what you want to look for.

There is a possibility to output the database schema of the certification authority database.

Limits of Microsoft Active Directory Certificate Services

Active Directory Certificate Services have existed (albeit under a different name) in their basic form since Windows NT 4.0. The architecture based on Active Directory used today was introduced with Windows 2000 Server. AD CS are very well integrated into the Windows ecosystem and continue to be very popular in enterprises and government agencies of all sizes worldwide.

People like to point out the many possibilities offered by Active Directory Certificate Services. Rarely, however, is reference made to what can be done with them. not is possible. In the meantime, the product has also reached its limits in many places.

What these are will be explained in more detail below in order to better decide whether the AD CS can be the right solution for planned projects.

New blog on Active Directory Certificate Services with a focus on security

I'm happy to announce that my much appreciated former colleague Dagmar Heidecker is blogging again.

In her new role at the Microsoft Compromise Recovery Security Practice Dagmar's thematic focus is especially (but not only) on security topics around Active Directory Certificate Services and related components.

Her blog can be found at the Core Infrastructure and Security Blog.