
YubiKey Personal Identity Verification (PIV) Attestation - with the TameMyCerts Policy Module for Microsoft Active Directory Certificate Services (ADCS)

Since the recently released version 1.7, the TameMyCerts Policy Module for Microsoft Active Directory Certificate Services supports Personal Identity Verification (PIV) attestation for YubiKeys.

A YubiKey is a compact security token that can be used like a smartcard for the secure storage and use of certificates and can therefore also be used for passwordless logon to Active Directory environments.

This cool function was developed by Oscar Virot and integrated into TameMyCerts. It makes it possible to obtain cryptographic proof when issuing a certificate, and thus to ensure that the key pair was actually generated on a YubiKey, is protected by it and cannot be exported.

This can be particularly helpful in complying with the NIS2 directive if companies decide to use certificates as a second factor for logging in with security-critical accounts in the Active Directory.


Automatically add the Security Identifier (SID) certificate extension to certificates requested via Mobile Device Management (MDM) - with the TameMyCerts Policy Module for Microsoft Active Directory Certificate Services (ADCS)

After several postponements, Microsoft finally decided that the Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754) should now finally come into force.

Domain controllers will therefore automatically switch to full enforcement mode on February 25, 2025, unless configured otherwise. As of September 2025, it has been announced that deviating settings will no longer apply and there will therefore no longer be an alternative to full enforcement.

The consequence of this is that certificates used for PKInit logon are only accepted if they contain the new Security Identifier (SID) certificate extension introduced with the patch.

What at first sounds as if this is not a major problem may well become one when you consider that fewer and fewer certificate-based use cases are using classic autoenrollment these days.

How the TameMyCerts Policy Module for the Active Directory Certificate Services can help with this problem is explained in more detail in the following article.


Extending or shortening the validity period of root certification authority certificates

With existing public key infrastructures, you may find that the chosen validity period of the root certification authority certificate has not proven suitable. For example, it may have been chosen too short (the default setting of the Microsoft ADCS is only five years), or too long, which may not be optimal from a security perspective.

If you renew the certification authority certificate, you may want to achieve a different validity period.


Prevent unprivileged accounts from reading the configuration of the certification authority

During penetration tests, and also for attackers searching the network for potential targets, insight into the configuration of the certification authority is highly interesting.

In addition to possible misconfigurations, attackers can obtain information about the policy module used on the certification authority.


Revocation lists are not recognized as valid (only) on Windows (CRYPT_E_REVOCATION_OFFLINE)

Someone recently approached me with an interesting problem.

A certification authority has been installed. Linux is used as the basis, i.e. (presumably) OpenSSL. The revocation lists work on Linux clients, but are not accepted by Windows systems. The following error message always appears when the revocation lists are checked.

0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE) -- 2148081683 (-2146885613)
Text der Fehlermeldung: Die Sperrfunktion konnte die Sperrung nicht überprüfen, da der Sperrserver offline war.

The error message reads as follows:

0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE) -- 2148081683 (-2146885613)
The revocation function was unable to check revocation because the revocation server was offline.

Smartcard login fails with error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

Assume the following scenario:

  • The company would like to use smartcard logon.
  • The domain controllers are equipped with certificates that can be used for smartcard logon.
  • The users are equipped with certificates that can be used for smartcard logon.
  • The login to the domain via smartcard fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

How many Subject Alternative Names (SAN) do the Active Directory Certificate Services support?

Like any software, Microsoft Active Directory Certificate Services are subject to certain limits imposed by their design.

What is not so obvious is how many Subject Alternative Names (SAN) can be issued in one certificate by the Microsoft certification authority.

The IETF RFC 5280 describes the structure for Subject Alternative Names as follows:

SubjectAltName ::= GeneralNames

How securing printers can turn into a security disaster - and how the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can prevent it

Nowadays, it is essential to protect the authentication of devices on the company network and administrative interfaces. As a rule, digital certificates are used for this purpose.

Printers therefore also generally require digital certificates in order to be operated securely. From a certain number of devices, there is no getting around automatic certificate distribution.

Some printer manufacturers offer centralized management solutions for certificate distribution.

Unfortunately, it has been shown time and again that the secure handling of digital certificates requires a great deal of knowledge, experience and care, which is often lacking.


New ESC15 vulnerability discovered in Active Directory Certificate Services - easy-to-implement countermeasures

The purposes for which a digital certificate may be used are controlled via the "Key Usage" and "Extended Key Usage" certificate extensions. The "Extended Key Usage" certificate extension lists the extended key usages for which the certificate may be used.

However, there is another certificate extension called "Application Policies" for certificates issued by a Microsoft Certification Authority, which also contains a list very similar to the Extended Key Usages extension.

Justin Bollinger from TrustedSec found out that in offline certificate requests against schema version 1 certificate templates it is possible (similar to the Security Identifier extension) to specify arbitrary Application Policies in the certificate request, which are transferred unchanged to the issued certificate and can then be used for an attack on the entire Active Directory structure. The attack was christened ESC15.


How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can repair incoming certificate requests to make them RFC compliant

Starting with version 58, Google has decided to remove support for the Subject Distinguished Name of web server certificates in the Chrome browser and instead only accept certificates with Subject Alternative Name.

Since then, web server certificates without a Subject Alternative Name of type dNSName have been rejected by Google Chrome and other Chromium-based browsers (i.e. also Microsoft Edge). Other browser manufacturers quickly adopted this approach, so that this problem now affects all popular browsers.


How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can help establish digital signature processes in the company

Nowadays, many companies want to rely on paperless processes to speed up internal approval and signature processes. In times when most employees are working from home, this has become even more important.

Although the Microsoft certification authority is able to implement automatic certificate issuance processes, its ability to influence the content of the certificate is severely limited.

The TameMyCerts Policy Module for Microsoft Active Directory Certificate Services (AD CS) allows the definition of extended rules for the Subject Distinguished Name and also the Subject Alternative Name of issued certificates.


How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can help secure scenarios with Microsoft Intune and other Mobile Device Management (MDM) systems

Companies use Mobile Device Management (MDM) products for managing, configuring and updating mobile devices such as smartphones, tablet computers or desktop systems via the Internet (over-the-air, OTA).

Common mobile device management products are:


How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can detect and prevent attacks against the ESC6 and ESC7 attack vectors

With the supposedly good intention of making it possible to issue certificate requests containing a SAN, many instructions unfortunately recommend activating the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the certification authority.

If this flag is activated, a very large attack surface is opened up, as any requester can now instruct the certification authority to issue certificates with arbitrary content. This type of attack is known in the security scene as ESC6 and ESC7.


How the TameMyCerts Policy Module for Active Directory Certificate Services (ADCS) can prevent attacks against the ESC1 attack vector

Attacks on Microsoft certification authorities can be aimed at exploiting permissions on certificate templates. In many cases, certificate templates must be configured to grant the requester the right to request certificates for arbitrary identities. This can lead to the attacker taking over the identities of Active Directory accounts and subsequently to an elevation of privileges. Attacks of this type are known in the security scene as "ESC1".


Automatically enter DNS names in the Subject Alternate Name (SAN) of issued certificates - with the TameMyCerts Policy Module for Microsoft Active Directory Certificate Services (ADCS)

Google, a major player with the Chromium project and the products based on it such as Google Chrome and Microsoft Edge, has moved to strictly implement RFC 2818 and to no longer trust certificates that do not fulfill this requirement.

For us, the following sentence is of particular significance:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead

https://tools.ietf.org/html/rfc2818