Manually requesting a web server certificate

There are cases in which you cannot or do not want to obtain web server certificates directly from a certification authority in your own Active Directory forest via the Microsoft Management Console, for example if the system in question is not a domain member.

In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).

Continue reading „Manuelle Beantragung eines Webserver-Zertifikats“

Details of the event with ID 4 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:4 (0x425A0004)
Event log:Application
Event type:Information
Event text (English):Certificate enrollment for %1 could not access local resources or retrieve %2 certificate template information (%3). Enrollment was not performed.
Event text (German):Certificate enrollment for %1 could not access local resources or retrieve certificate template information for %2 (%3). No registration is performed.
Continue reading „Details zum Ereignis mit ID 4 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

Details of the event with ID 13 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:13 (0xC25A000D)
Event log:Application
Event type:Error
Event text (English):Certificate enrollment for %1 failed to enroll for a %2 certificate with request ID %4 from %3 (%5).
Event text (German):The certificate enrollment for %1 failed to enroll for a certificate %2 with request ID %4 of %3 (%5).
Continue reading „Details zum Ereignis mit ID 13 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

Details of the event with ID 57 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:57 (0x825A0039)
Event log:Application
Event type:Information, Warning and Error
Event text (English):The "%2" provider was not loaded because initialization failed.
Event text (German):The "%2" provider was not loaded due to an initialization error.
Continue reading „Details zum Ereignis mit ID 57 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

Details of the event with ID 82 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:82 (0x825A0052)
Event log:Application
Event type:Warning
Event text (English):Certificate enrollment for %1 failed in authentication to all urls for enrollment server associated with policy id: %2 (%4). Failed to enroll for template: %3
Event text (German):Certificate registration error for %1 when authenticating for all URLs for the registration server associated with the following policy ID: %2 (%4). Error registering for template: %3
Continue reading „Details zum Ereignis mit ID 82 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

Certificate request fails with error message "A certificate issued by the certification authority cannot be installed. Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

  • A certificate is requested from a certification authority.
  • The certificate is successfully issued by the Certification Authority.
  • However, when installing the certificate on the target system, the following error message occurs:
A certificate issued by the certification authority cannot be installed. Contact your administrator.
Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „A certificate issued by the certification authority cannot be installed. Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““

Requesting a certificate protected by a Trusted Platform Module (TPM) - without owning a TPM

Since Windows 8 it is possible, that private keys for certificates are protected with a - if available - Trusted Platform Module (TPM). This makes the key non-exportable - even with tools like mimikatz.

However, it is not obvious at first glance that it cannot be guaranteed that a TPM is really used. Although no application via Microsoft Management Console or AutoEnrollment possible if the computer does not have a TPM.

However, the configuration in the certificate template is merely a default setting for the client. The certification authority will not explicitly check whether a trusted platform module has actually been used when a request is made.

Thus - if the certificate request is done away from the MMC - arbitrary parameters can be used for the private key.

Continue reading „Beantragen eines durch ein Trusted Platform Modul (TPM) geschütztes Zertifikat – ohne ein TPM zu besitzen“

Requesting a certificate is not possible because the certificate template is not displayed. The error message is "Can not find a valid CSP in the local machine."

Assume the following scenario:

  • A certificate is requested for a user or a computer from a certificate authority via the certificate management console (certlm.msc or certmgr.msc).
  • Autoenrollment does not request a certificate from the desired certificate template, although it is enabled and the permissions are set accordingly.
  • The desired certificate template is not displayed when applying manually via the Microsoft Management Console (MMC). If the "Show all templates" check box is selected, the following error message is displayed for the desired certificate template:
Cannot find object or property.
Can not find a valid CSP in the local machine.
Continue reading „Die Beantragung eines Zertifikats ist nicht möglich, da die Zertifikatvorlage nicht angezeigt wird. Die Fehlermeldung lautet „Can not find a valid CSP in the local machine.““

Configure a certificate template to use the Microsoft Platform Crypto Provider to enable private key protection through a Trusted Platform Module (TPM).

Since Windows 8, it has been possible for private keys for certificates to be protected with a - if available - Trusted Platform Module (TPM). This ensures that the key is truly non-exportable.

The process for setting up a certificate template that uses a Trusted Platform module is described below.

Continue reading „Konfigurieren einer Zertifikatvorlage für die Verwendung des Microsoft Platform Crypto Provider, um Schutz des privaten Schlüssels durch ein Trusted Platform Module (TPM) zu ermöglichen“

Requesting a Trusted Platform Module (TPM) protected certificate fails with error message "The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)"

Assume the following scenario:

  • A certificate template is configured to use the Microsoft Platform Crypto Provider, so the private key generated when the certificate is requested is protected with a Trusted Platform Module (TPM).
  • However, certificate request fails with the following error message:
An error occurred while enrolling for a certificate.
A certificate request could not be created.
Url: CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1
Error: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)
Continue reading „Die Beantragung eines Trusted Platform Module (TPM) geschützten Zertifikats schägt fehl mit Fehlermeldung „The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)““

Google Chrome and Microsoft Edge do not check certificate revocation state

More and more companies are using the Google Chrome browser or the new Chromium-based Microsoft Edge (codename Anaheim) on.

When distributing one of these two browsers, it should be noted that they sometimes behave differently from other browsers in terms of certificates.

Besides the fact that Chromium, unlike Internet Explorer and the previous Edge (codename Spartan) the RFC 2818 enforces, it also behaves in the Checking blocking information different.

Continue reading „Google Chrome und Microsoft Edge prüfen Sperrstatus von Zertifikaten nicht“

Signing certificates bypassing the certification authority

Time and again in discussions about the security of a certification authority, it comes up that abuse of the certification authority could be contained by its security settings.

However, the fact that the integrity of a certification authority is directly tied to its key material and can therefore also be compromised by it is not obvious at first glance.

one must think of the certification authority software as a kind of management around the key material. For example, the software provides a Online interface for Certificate Enrollment takes care of the authentication of the enrollees, the automated execution of signature operations (issuing certificates and Brevocation lists) and their logging (Certification Authority Database, Audit log, Event log).

However, signature operations require nothing more than the private key of the certification authority. The following example shows how an attacker, given access to the certification authority's private key, can generate and issue certificates without the certification authority software and its security mechanisms being aware of this.

With such a certificate, it would even be possible in the worst case, take over the Active Directory forest undetected.

Continue reading „Signieren von Zertifikaten unter Umgehung der Zertifizierungsstelle“

Moving the certification authority database to another directory or drive

In the operation of a certification authority, one may find that it is necessary to subsequently change the storage path for the certification authority database. For example, one may want to move the database to another partition/drive.

Continue reading „Verschieben der Zertifizierungsstellen-Datenbank in ein anderes Verzeichnis oder auf ein anderes Laufwerk“

Microsoft Outlook: View which algorithm was used for an S/MIME encrypted or signed email

Below is a description of where it is possible to view which symmetric algorithm was used to encrypt an email received, and which hash algorithm was used for a signed email.

Continue reading „Microsoft Outlook: Einsehen, welcher Algorithmus für eine S/MIME verschlüsselte oder signierte E-Mail verwendet wurde“

Microsoft Outlook: Control the encryption algorithm used for S/MIME.

When S/MIME certificates are issued, they usually contain a certificate extension "S/MIME Capabilities". This certificate extension is specified in RFC 4262 and can be used by compatible e-mail programs to specify the symmetric algorithms supported by the recipient of an encrypted message. The sender should then choose the strongest algorithm supported by the recipient.

Microsoft Outlook uses (if available and required) the information in the "S/MIME Capabilities" extension of a certificate. Below is a description of how it is used and which algorithms are selected.

Continue reading „Microsoft Outlook: Den verwendeten Verschlüsselungsalgorithmus für S/MIME steuern“
en_USEnglish