Category: Certificate usage

Microsoft Outlook: "This message cannot be encrypted or signed by Microsoft Outlook because there are no certificates for sending messages from the email address [...]."

Assume the following scenario:

  • A user wants to send a signed e-mail
  • The operation fails with the following error message:
Diese Nachricht kann von Microsoft Outlook weder verschlüsselt noch signiert werden, da keine Zertifikate für das Senden von Nachrichten von der E-Mail Adresse "rudi.ratlos@adcslabor.de" vorhanden sind. Fordern Sie entweder eine neue digitale ID für dieses Konto an, oder verwenden Sie die Schaltfläche "Konten", um die Nachricht mithilfe eines Kontos zu senden, für das Sie Zertifikate besitzen.
Continue reading „Microsoft Outlook: „Diese Nachricht kann von Microsoft Outlook weder verschlüsselt noch signiert werden, da keine Zertifikate für das Senden von Nachrichten von der E-Mail Adresse […] vorhanden sind.““

The "Application Policies" certificate extension

The purposes for which a digital certificate may be used are controlled via the certificate extensions "Key Usage" and "Extended Key Usage".

In the "Extended Key Usage" certificate extension, the extended key uses for which the certificate may be used.

However, there is another certificate extension called "Application Policies" for certificates issued by a Microsoft Certification Authority, which also contains a list very similar to the Extended Key Usages extension.

Continue reading „Die „Application Policies“ Zertifikaterweiterung“

New certificates are regularly requested via Autoenrollment

Assume the following scenario:

  • A certificate template is configured for automatic request and issuance (AutoEnrollment).
  • Users or computers apply for new certificates at regular intervals and long before the defined renewal period.
Continue reading „Es werden regelmäßig neue Zertifikate über Autoenrollment beantragt“

The key algorithm of certificate requests is not checked by the certification authority's policy module

Assume the following scenario:

  • A certificate template is configured to use elliptic curve based keys (e.g. ECDSA_P256).
  • As a result, a minimum key length of 256 bits is configured.
  • Nevertheless, certificate requests that use other ECC curves or RSA-based keys are also signed.
Continue reading „Der Schlüsselalgorithmus von Zertifikatanforderungen wird vom Policy Modul der Zertifizierungsstelle nicht überprüft“

SignTool installation without Windows Software Development Kit (SDK) installation

One way to perform code signatures is to use the SignTool command line tool. This is part of the Windows 10 Software Development Kit (SDK).

If you want to use the tool on a system without having to install Visual Studio or the Windows SDK, you can proceed as follows.

Continue reading „SignTool Installation ohne Installation des Windows Software Development Kit (SDK)“

Certificate request fails with error message "The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)".

Assume the following scenario:

  • A certificate is requested from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The request fails with the following error message:
An error occurred while enrolling for a certificate.
The certificate request could not be submitted to the certification authority.
Url: CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1
Error: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)““

Automatic renewal of manually requested certificates without intervention of a certificate manager

Assuming a use case is implemented for certificates where users specify the identity contained in the certificate in the certificate request, and this requires manual intervention by the certificate managers, the question arises as to how to proceed when the certificates expire or the certificate template is moved to another certification authority in order to minimize tickets at the help desk and thus the resulting work for the certificate managers.

Continue reading „Automatische Erneuerung manuell beantragter Zertifikate ohne Eingriff eines Zertifikatmanagers“

Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Internal error." appears.

Assume the following scenario:

  • A user receives an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The message cannot be opened.
  • When opening the message, the following error message is displayed:
Leider besteht ein Problem beim Öffnen dieses Elements. Dies kann vorübergehend sein. Wenn dieser Fehler erneut auftritt, sollten Sie Outlook neu starten. Fehler im zugrunde liegenden Sicherheitssystem. Interner Fehler.
Continue reading „Microsoft Outlook: Mit S/MIME verschlüsselte E-Mails können nicht geöffnet werden. Es erscheint die Fehlermeldung „Interner Fehler.““

S/MIME with the Outlook app for Apple IOS and Android only possible with devices managed via Intune

If you want to make S/MIME certificates available to your users on the smartphone as well, you may be surprised to discover that this is not possible with the Outlook app unless you also use Microsoft Intune as a management solution for the devices.

Microsoft has published in an article "Sensitivity labeling and protection in Outlook for iOS and Android" now clarified that this is due to the respective system architecture.

Continue reading „S/MIME mit der Outlook App für Apple IOS und Android nur mit über Intune verwalteten Geräten möglich“

What does the "Enable Certificate Privacy" option mean when exporting certificates?

With Windows Server 2016 and Windows 10, a new "Enable Certificate Privacy" option has been implemented for exporting private key certificates via the Microsoft Management Console (MMC).

When exporting private key certificates, the certificate is exported to a PKCS#12 (.PFX) file.

Continue reading „Was bedeutet die Option „Enable Certificate Privacy“ beim Zertifikatexport?“

Google Chrome reports error code "ERR_SSL_PROTOCOL_ERROR" when calling a web page

Assume the following scenario:

  • A web page is accessed using Google Chrome.
  • The connection setup fails with the following error message:
Diese Website kann keine sichere Verbindung bereitstellen
test.intra.adcslabor.de hat eine ungültige Antwort gesendet.
Versuchen Sie, die Windows-Netzwerkdiagnose auszuführen.
ERR_SSL_PROTOCOL_ERROR
Continue reading „Google Chrome meldet Fehlercode „ERR_SSL_PROTOCOL_ERROR“ beim Aufruf einer Webseite“

Treatment of expired certificates when issuing certificate revocation lists

By default, the Microsoft Certification Authority removes the serial numbers of expired certificates from the revocation lists it issues.

However, there are some exceptions to this.

Continue reading „Behandlung abgelaufener Zertifikate bei der Ausstellung von Zertifikatsperrlisten“

List of use cases for certificates that require specific Cryptographic Service Providers (CSP) or Key Storage Providers (KSP).

Windows Server 2008, along with NSA Suite B algorithms (also known as Cryptography Next Generation, CNG) with Key Storage Providers, introduced a new, modern interface for generating, storing, and using private keys in the Windows ecosystem.

In most cases, it does not matter which CSP or KSP is used for certificates. However, some applications will not work or will not work correctly if the wrong provider is chosen.

Below is a list of use cases I know of for certificates that only work with a specific Cryptographic Service Provider (CSP) or Key Storage Provider (KSP).

Continue reading „Liste der Use Cases für Zertifikate, die bestimmte Cryptographic Service Provider (CSP) oder Key Storage Provider (KSP) benötigen“

Inspect TLS traffic with Wireshark (decrypt HTTPS)

When troubleshooting, it can be very helpful to view encrypted SSL connections in order to inspect the messages within. There is a relatively simple way to do this with Wireshark.

Continue reading „TLS-Datenverkehr mit Wireshark inspizieren (HTTPS entschlüsseln)“
en_USEnglish
de_DEDeutsch en_USEnglish