Certificate usage - Uwe Gradenegger

Automatically enter DNS names in the Subject Alternate Name (SAN) of issued certificates - with the TameMyCerts Policy Module for Microsoft Active Directory Certificate Services (ADCS)

Google is a major player with the Chromium project and products based on it such as Google Chrome and Microsoft Edge have moved to implement the RFC 2818 and to no longer trust certificates that no longer fulfill the RFC.

For us, the following sentence is of great explosiveness:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead
https://tools.ietf.org/html/rfc2818

Change the Subject Alternative Name (SAN) of a certificate before it is issued - but do it securely!

In net circulate unfortunately much at many Instructions (also the big players are not excluded from this, not even Microsoft itself or the Grand Master Komar), which fatally recommend that the flag EDITF_ATTRIBUTESUBJECTALTNAME2 should be set on the certification authority - supposedly to be able to issue certificates with Subject Alternative Name (SAN) extension for manually submitted certificate requests.

Unfortunately, this procedure is not only unnecessary, it also has some unpleasant side effects, which in the worst case can help an attacker to take over the entire Active Directory structure.

Configuring a Certificate Template for Online Responders (OCSP) Response Signing Certificates

To use the Online Certificate Status Protocol (OCSP), it is necessary to configure an appropriate certificate template.

Sending S/MIME encrypted messages with Outlook for iOS is not possible: "There's a problem with one of your S/MIME encryption certificates."

Assume the following scenario:

The certificates were transferred to the smartphone via the Intune Connector.
Reading encrypted messages works.
However, when enabling encryption for outgoing messages, the following error message is displayed:

There's a problem with one of your S/MIME encryption certificates. Contact your IT help desk for more info.

There is a problem with one of your S/MIME encryption certificates. Contact your IT help desk for more information.

Logins via the Network Policy Server (NPS) fail with reason "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

Assume the following scenario:

A certificate-based login is performed with user or computer accounts to connect them to a wireless (IEEE 802.11 or Wireless LAN) or wired network (IEEE 802.3), or a remote access connection (e.g. DirectAccess, Routing and Remote Access (RAS), Always on VPN) to register.
The company uses Microsoft's Network Policy Server (NPS) as its Authentication, Authorization and Accounting (AAA) server.
Logging on to the network is no longer possible.
The network policy server logs the following event when a login attempt is made:

Network Policy Server denied access to a user. [...] Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

The network policy server has denied access to a user. [...] Authentication error due to mismatch of user credentials. The specified username is not associated with an existing user account, or the password was incorrect.

Subsequent archiving of private keys

For the encryption of e-mail messages, companies usually use the Secure / Multipurpose Internet Message Extensions (S/MIME) standard and provide their users with appropriate certificates for this purpose.

An important aspect here is that the users' private keys should be secured centrally - in contrast to the signature certificates that are otherwise mostly used. Incoming messages are encrypted for a specific private key and can only be decrypted again by the same person. Thus a backup of these keys must absolutely be available - also for the Synchronization to mobile devices this is indispensable. For this purpose, the Microsoft Active Directory Certificate Services offer the function of the Private Key Archival.

But what if private key archiving has not been set up and users have already applied for corresponding certificates?

Requesting certificates for endpoints managed with Microsoft Intune

In a networked world, it has become standard to work from anywhere, and also to work with mobile end devices such as smartphones or tablets in addition to classic desktop computers. Such end devices are usually connected by means of Mobile Device Management (MDM) managed by systems such as Microsoft Intune.

In most cases, users of mobile devices need digital certificates to prove their identity in order to gain access to corporate resources. Thus, it is necessary to provide these devices with an automatable yet secure interface for applying for these certificates.

Transferring S/MIME certificates to Microsoft Intune

In a modern networked world, the confidential transmission of messages in the corporate environment is essential for business success. Despite their Age it is still impossible to imagine modern corporate communications without e-mail. However, its use has changed significantly over the decades.

Nowadays, it is common to be able to read and write business e-mails on mobile devices such as smartphones and tablets. Such end devices are usually connected by means of Mobile Device Management (MDM) managed by systems such as Microsoft Intune.

For the encryption of e-mail messages, companies usually use the Secure / Multipurpose Internet Message Extensions (S/MIME) standard and provide their users with the corresponding certificates. How do these certificates get to the end devices of the users in a scalable way?

Details of the event with ID 41 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source:	Microsoft Windows Kerberos Key Distribution Center
Event ID:	41 (0x80000029)
Event log:	System
Event type:	Warning or error
Event text (English):	The Key Distribution Center (KDC) encountered a user certificate that was valid but contained a different SID than the user to which it mapped. As a result, the request involving the certificate failed. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. User: %1 User SID: %2 Certificate Subject: %3 Certificate Issuer: %4 Certificate Serial Number: %5 Certificate Thumbprint: %6 Certificate SID: %7
Event text (German):	The Key Distribution Center (KDC) found a valid user certificate, but it contained a different SID than the user it is assigned to. As a result, an error occurred in the request involving the certificate. For more information, see https://go.microsoft.com/fwlink/?linkid=2189925 User: %1 User SID: %2 Certificate requester: %3 Certificate issuer: %4 Certificate serial number: %5 Certificate fingerprint: %6 Certificate SID: %7

Details of the event with ID 40 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source:	Microsoft Windows Kerberos Key Distribution Center
Event ID:	40 (0x80000028)
Event log:	System
Event type:	Warning or error
Event text (English):	The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). The certificate also predated the user it mapped to, so it was rejected. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. User: %1 Certificate Subject: %2 Certificate Issuer: %3 Certificate Serial Number: %4 Certificate Thumbprint: %5 Certificate Issuance Time: %6 Account Creation Time: %7
Event text (German):	The Key Distribution Center (KDC) found a valid user certificate, but it could not be mapped to a user in a secure way (for example, via an explicit mapping, key trust mapping, or SID). The certificate also prefixed the user it was associated with, which is why it was rejected. For more information, see https://go.microsoft.com/fwlink/?linkid=2189925. User: %1 Certificate requester: %2 Certificate issuer: %3 Certificate serial number: %4 Certificate fingerprint: %5 Certificate issuance time: %6 Account creation time: %7

Details of the event with ID 39 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center

Event Source:	Microsoft Windows Kerberos Key Distribution Center
Event ID:	39 (0x80000027)
Event log:	System
Event type:	Warning or error
Event text (English):	The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more. User: %1 Certificate Subject: %2 Certificate Issuer: %3 Certificate Serial Number: %4 Certificate Thumbprint: %5
Event text (German):	The Key Distribution Center (KDC) has found a valid user certificate, but it could not be mapped to a user in a secure way (for example, via an explicit mapping, a key trust mapping, or an SID). Such certificates should either be replaced or mapped directly to the user via an explicit mapping. For more information, see https://go.microsoft.com/fwlink/?linkid=2189925 User: %1 Certificate requester: %2 Certificate issuer: %3 Certificate serial number: %4 Certificate fingerprint: %5

Character encoding in the Subject Distinguished Name of certificate requests and issued certificates

Usually, the encoding of characters and strings in certificates is not a topic of great interest to the users of a PKI. However, there are cases where the default settings of the certification authority do not provide the desired results.

List of certificate use cases for which compatibility with elliptic curve (ECC)-based keys is known

As computing power becomes increasingly available, the need to use stronger cryptographic keys also increases. Often there is a need (for example, because the keys have to be protected by a trusted platform module) to use elliptic curves (ECC) based keys to be used. For their use, it is essential that compatibility with the intended use cases is ensured.

Below is a list of use cases for which I am aware of compatibility.

Configuring the Network Device Enrollment Service (NDES) to work with a domain account.

The Network Device Enrollment Service (NDES), because it implements the web-based Simple Certificate Enrollment Protocol (SCEP), is mapped as a web application in Microsoft Internet Information Service (IIS). Here, the service runs in an application pool called "SCEP". In many cases it is sufficient to use the integrated application pool identity for it.

However, there are cases where you want to use a domain account. An example of this is the Certificate Connector for Microsoft Intune, which requires this.

The Certificate Connector for Microsoft Intune throws the error message "ArgumentException: String cannot be of zero length" during configuration.

Assume the following scenario:

An NDES server has been set up for use with Microsoft Intune.
The configuration of the Intune Certificate Connector cannot be completed because the following error message is thrown:

Error in Microsoft Intune Certificate Connector configuration. No changes were made to feature or proxy settings.
Unexpected error: System.ArgumentException: The string cannot have a length of 0 (zero).
Parameter name: name
  for System.Security.Principal.NTAccount.ctor(String name)