Overview of Windows events generated by the Certificate Enrollment Web Service (CES).

The following is an overview of the events generated by the Certificate Enrollment Web Service (CES) in the Windows Event Viewer.

The events of the Certificate Enrollment Web Service are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.

Continue reading „Übersicht über die vom Zertifikatregistrierungs-Webdienst (CES) generierten Windows-Ereignisse“

Overview of Windows events generated by the Network Device Enrollment Service (NDES).

The following is an overview of the events generated by the Network Devices Registration Service (NDES) in the Windows Event Viewer.

The events of the Network Devices Registration Service are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.

Continue reading „Übersicht über die vom Registrierungsdienst für Netzwerkgeräte (NDES) generierten Windows-Ereignisse“

Overview of Windows events generated by the online responder (OCSP)

The following is an overview of the events generated by the online responder (OCSP) in the Windows Event Viewer.

The events of the online responder are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.

Continue reading „Übersicht über die vom Onlineresponder (OCSP) generierten Windows-Ereignisse“

Combination online responder (OCSP) with delta CRL and revocation list distribution point (CDP) without delta brevocation list for increased resilience

OCSP responses from a Microsoft OCSP resonder are valid for exactly as long as the underlying revocation list. In some scenarios, you may want to reduce OCSP validity times by using delta CRLs. At the same time, however, no delta CRL should be used for the revocation lists entered in the CDP paths in order to enable a fallback to a CRL with a longer validity.

Continue reading „Kombination Onlineresponder (OCSP) mit Delta CRL und Sperrlistenverteilpunkt (CDP) ohne Deltasperrliste für gesteigerte Resilienz“

Effects of the failure of the online responder (OCSP) on the verification of the revocation status of a certificate

The following section examines how the revocation status check behaves if the online responder should fail. Depending on the configuration of the certificates issued, the behavior can vary considerably.

Continue reading „Auswirkungen des Ausfalls des Onlineresponders (OCSP) auf die Überprüfung des Sperrstatus eines Zertifikats“

Performing a functional test for the network device registration service (NDES)

After installing a Network Device Enrollment Service (NDES), or after more extensive maintenance, an extensive functional test should be performed to ensure that all components are operating as desired.

Continue reading „Funktionstest durchführen für den Registrierungsdienst für Netzwerkgeräte (NDES)“

Configuring the Network Device Enrollment Service (NDES) for use with an alias.

The following describes the steps required to configure the Network Device Enrollment Service (NDES) for use with an alias.

The term alias means that the service is not called with the name of the server on which it is installed, but with a generic name independent of this name. The use of an alias allows the service to be moved to another system at a later time without having to inform all participants of the new address.

Continue reading „Den Network Device Enrollment Service (NDES) für die Verwendung mit einem Alias konfigurieren“

Configuring the certificate authority to a static port (RPC endpoint)

In the default configuration, the certificate authority's certificate request interface is configured to negotiate dynamic ports for the incoming RPC/DCOM connections (for more details, see the article "Firewall rules required for Active Directory Certificate Services„).

Network protocolDestination portProtocol
TCP135RPC Endpoint Mapper
TCP49152-65535RPC dynamic ports

This configuration is not feasible in every enterprise environment. Often there are restrictive firewall rules that do not allow the use of dynamic network ports.

In such a case, the certificate authority must be configured to a static port.

Continue reading „Konfigurieren der Zertifizierungsstelle auf einen statischen Port (RPC-Endpunkt)“

Querying the configured RPC endpoints of a certification authority

In the default configuration, the certificate authority's certificate request interface is configured to negotiate dynamic ports for the incoming RPC/DCOM connections (for more details, see the article "Firewall rules required for Active Directory Certificate Services„).

However, it is also possible to configure the certificate authority to a static port (see article "Configuring the certificate authority to a static port (RPC endpoint)„).

The following describes how to check the current configuration of the certification authority.

Continue reading „Abfrage der konfigurierten RPC-Endpunkte einer Zertifizierungsstelle“

Classification of ADCS components in the Administrative Tiering Model

If, in addition to the Active Directory Certificate Services, the administrative tiering model is also implemented for the Active Directory directory service, the question arises as to how the individual PKI components are to be assigned to this model in order to be able to perform targeted security hardening.

Continue reading „Einordnung der ADCS-Komponenten in das administrative Schichtenmodell (Administrative Tiering Model)“

Manually requesting a Remote Desktop (RDP) certificate

There are cases in which you cannot or do not want to obtain Remote Desktop certificates from a certificate authority in your own Active Directory forest, for example, if the system in question is not a domain member.

In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).

Continue reading „Manuelle Beantragung eines Remotedesktop (RDP) Zertifikats“

Creation of a manual certificate request fails with error message "Expected INF file section name 0xe0000000".

Assume the following scenario:

  • An information file for a manual certificate request is created.
  • Creating the certificate request using the file fails with the following error message:
Expected INF file section name 0xe0000000 (INF: -536870912)
Continue reading „Die Erstellung einer manuellen Zertifikatanforderung schlägt fehl mit Fehlermeldung „Expected INF file section name 0xe0000000““

Send a manually created certificate request to a certification authority

If a certificate request exists, for example after manual generation, in the form of a text file (usually with the extension .CSR or .REQ), it can be sent to the certification authority using on-board means.

Continue reading „Eine manuell erstellte Zertifikatanforderung an eine Zertifizierungsstelle senden“
en_USEnglish