Author: Uwe Gradenegger

Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with HTTP error code 500 "Internal Server error".

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The request takes a very long time and finally fails with HTTP code 500 "Internal server error":
There is a problem with the resource you are looking for, and it cannot be displayed.
Continue reading „Die Beantragung eines Zertifikats über die Zertifizierungsstellen-Webregistrierung (CAWE) schlägt fehl mit HTTP Fehlercode 500 „Internal Server error““

Configure the Certificate Authority Web Enrollment (CAWE) for use with a domain account.

The following describes how to set up Certificate Authority Web Enrollment (CAWE) so that the service runs under a domain account.

Continue reading „Die Zertifizierungsstellen-Webregistrierung (CAWE) für die Verwendung mit einem Domänenkonto konfigurieren“

Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "ERROR_ACCESS_DENIED".

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The request fails with the following error message:
Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.

In the details of the error message you will find the following note:

CCertRequest::Submit: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
Continue reading „Die Beantragung eines Zertifikats über die Zertifizierungsstellen-Webregistrierung (CAWE) schlägt fehl mit Fehlercode „ERROR_ACCESS_DENIED““

Configure Certificate Authority Web Enrollment (CAWE) for use with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CAWE with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Continue reading „Die Zertifizierungsstellen-Webregistrierung (CAWE) für die Verwendung mit einem Group Managed Service Account (gMSA) konfigurieren“

Windows security permissions required for Certificate Authority Web Enrollment (CAWE)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will impact Certificate Authority Web Enrollment (CAWE).

Continue reading „Benötigte Windows-Sicherheitsberechtigungen für die Zertifizierungsstellen-Webregistrierung (CAWE)“

Required firewall rules for the Network Device Enrollment Service (NDES)

Implementing a Network Device Enrollment Service (NDES) often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.

Continue reading „Benötigte Firewallregeln für den Registrierungsdienst für Netzwerkgeräte (NDES)“

Required Firewall Rules for Certificate Enrollment Policy (CEP) Web Service

Implementing a Certificate Enrollment Policy (CEP) web service often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.

Continue reading „Benötigte Firewallregeln für den Zertifikatregistrierungsrichtlinien-Webdienst (CEP)“

Required firewall rules for the Certificate Enrollment Web Service (CES)

Implementing a Certificate Enrollment Web Service (CES) often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.

Continue reading „Benötigte Firewallregeln für den Zertifikatregistrierungs-Webdienst (CES)“

Required firewall rules for the online responder (OCSP)

Implementing an online responder (OCSP) often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.

Continue reading „Benötigte Firewallregeln für den Onlineresponder (OCSP)“

Enabling Secure Sockets Layer (SSL) for Certificate Authority Web Enrollment (CAWE).

In the default configuration, Certificate Authority Web Enrollment (CAWE) accepts only unencrypted connections via HTTP. It is recommended that the CAWE be configured for HTTP over TLS (HTTPS) to make network traffic interception more difficult. Instructions are provided below.

Continue reading „Secure Sockets Layer (SSL) für die Zertifizierungsstellen-Webregistrierung (CAWE) aktivieren“

Requesting certificates via the Certification Authority Web Enrollment (CAWE) takes a very long time

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The process is successful, but the application takes a long time (up to several minutes).
Continue reading „Die Beantragung eines Zertifikats über die Zertifizierungsstellen-Webregistrierung (CAWE) dauert sehr lange“

Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "RPC_S_SERVER_UNAVAILABLE".

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The request fails with the following error message:
Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.

In the details of the error message you will find the following note:

CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)
Continue reading „Die Beantragung eines Zertifikats über die Zertifizierungsstellen-Webregistrierung (CAWE) schlägt fehl mit Fehlercode „RPC_S_SERVER_UNAVAILABLE““

Required firewall rules for Certification Authority Web Enrollment (CAWE)

Implementing Certificate Authority Web Enrollment (CAWE) often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.

Continue reading „Benötigte Firewallregeln für die Zertifizierungsstellen-Webregistrierung (CAWE)“

Requesting a certificate fails with the error message "You cannot request a certificate at this time because no certificate types are available."

Assume the following scenario:

  • You try to apply for a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • To do this, use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
  • The logged-in user also has the necessary permissions to request certificates from the certificate template in question (enroll).
  • You don't get any certificate templates to choose from, even though they are correctly published on the certificate authorities.
  • There is also no "Show hidden templates" option. This usually appears at the bottom left of the dialog.
  • The following error message is displayed:
Certificate types are not available. You cannot request a certificate at this time because no certificate types are available. If you need a certificate, contact your administrator.
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „You cannot request a certificate at this time because no certificate types are available.““

Publishing a certificate template on a CA fails with error message "The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

  • An administrator publishes a certificate template on a certificate authority.
  • The operation fails with the following error message:
The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
Continue reading „Das Veröffentlichen einer Zertifikatvorlage auf einer Zertifizierungsstelle schlägt fehl mit Fehlermeldung „The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)““
en_USEnglish
de_DEDeutsch en_USEnglish