Category: Certificate usage

Chrome and Safari limit SSL certificates to one year validity

Apple recently announced that the Safari browser will only accept certificates with a validity of 398 days in the future, provided they were issued from September 1, 2020.

Mozilla and Google want to implement comparable behavior in their browsers. So the question is whether this change will have an impact on internal certificate authorities - i.e. whether in future internal SSL certificates will also have to follow these rules, as is the case, for example, with the enforcement of the RFC 2818 by Google was the case.

Continue reading „Chrome und Safari limitieren SSL Zertifikate auf ein Jahr Gültigkeit“

More than one common name (CN) in the certificate

Nowadays rather a curiosity than really relevant in practice, but it does happen from time to time that you receive certificate requests that contain more than one common name in the subject. Even though it may seem surprising, this is quite possible and also RFC compliant.

Continue reading „Mehr als ein gemeinsamer Name (Common Name, CN) im Zertifikat“

Checking the connection to the private key of a certificate (e.g. when using a hardware security module)

For a function test or during troubleshooting, it can be useful to check whether the private key of a certificate is usable. If the key is secured with a hardware security module (HSM), for example, there are significantly more dependencies and possibilities for errors than with a software key.

Continue reading „Überprüfen der Verbindung zum privaten Schlüssel eines Zertifikate (z.B. bei Einsatz eines Hardware Security Moduls)“

Planning of certificate validity and renewal period of end entity certificates with autoenrollment

If autoenrollment is used, participants apply for and renew certificates independently.

Regarding the validity of the certificates and the period for their automatic renewal, there are two values that can be configured in the General tab of a certificate template:

  • Validity period: Describes the overall validity of the issued certificate.
  • Renewal period: Describes from which time window, viewed backwards from the expiration date of the certificate, automatic renewal is attempted for the first time (e.g. 6 weeks before expiration).
Continue reading „Planung von Zertifikat-Gültigkeit und Erneuerungs-Zeitraum von End-Entitäts-Zertifikaten mit Autoenrollment“

Certificates for domain controllers do not contain the domain name in the Subject Alternative Name (SAN)

Assume the following scenario:

  • Certificates for domain controllers are issued by an Active Directory integrated certificate authority (Enterprise CA)
  • The certificate template used for this purpose was created by the user
  • The issued certificates contain in the Subject Alternative Name (SAN) only the fully qualified computer name of the respective domain controller, but not the fully qualified name and the NETBIOS name of the domain
Continue reading „Zertifikate für Domänencontroller enthalten nicht den Domänennamen im Subject Alternative Name (SAN)“

Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)".

Assume the following scenario:

  • A Certification Authority certificate is requested from a Certification Authority
  • The certificate request fails with the following error message:
The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)
Denied by Policy Module
Continue reading „Die Beantragung eines Zertifizierungsstellen-Zertifikats schlägt fehl mit Fehlermeldung „The certification authority’s certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)““

Configure Path Length Constraint for Certificates Issued by a Certification Authority

For stronger control over the certificates that can be issued by a certification authority, a path length constraint can be set up so that certification authorities above a defined hierarchy level are no longer able to issue subordinate certification authority certificates

For an explanation of how the path length constraint works, see the article "Basics: Path Length Constraint"..

Continue reading „Einschränkung der Pfadlänge (Path Length Constraint) für von einer Zertifizierungsstelle ausgestellte Zertifikate konfigurieren“

Identify the active Remote Desktop (RDP) certificate

If one has a Remote Desktop Certificate Template and a appropriate group guidelines configured, or manually assigned a remote desktop certificateYou may want to verify that the certificates on the participating computers are being used correctly by the Remote Desktop session host.

Continue reading „Identifizieren des aktiven Remotedesktop (RDP) Zertifikats“

Configuring a Group Policy (GPO) for Remote Desktop (RDP) Certificates

After configuring a certificate template for the distribution of Remote Desktop certificates (see the article "Configuring a Certificate Template for Remote Desktop (RDP) Certificates"), a group policy is still required that instructs the participating computers to also use the certificates originating from the template.

Continue reading „Konfigurieren einer Gruppenrichtlinie (GPO) für Remotedesktop (RDP) Zertifikate“

Restoration of a Certification Authority Certificate with Hardware Security Module (HSM)

The following describes how to restore a certificate authority certificate with software key.

Restoring the certification authority certificate may be necessary for the following reasons:

Continue reading „Wiederherstellung eines Zertifizierungsstellenzertifikats mit Hardware Security Modul (HSM)“

Restoration of a certification authority certificate with software key

The following describes how to restore a certificate authority certificate with software key.

Restoring the certification authority certificate may be necessary for the following reasons:

Continue reading „Wiederherstellung eines Zertifizierungsstellenzertifikats mit Software-Schlüssel“

What impact does the expiration of one of the Certification Authority certificates have on the Certification Authority?

Certification authority certificates have a defined start and end date, so it is inevitable during the lifecycle of a certification authority that certification authority certificates will expire.

The following describes the impact of an expiring Certification Authority certificate on the Certification Authority.

Continue reading „Welchen Einfluss hat der Ablauf eines der Zertifizierungsstellen-Zertifikate auf die Zertifizierungsstelle?“

Have certificate holders automatically renew all certificates issued for a certificate template

When operating a certification authority, it may be necessary to renew all issued certificates for a specific certificate template, for example due to major configuration changes or a change of the issuing certification authority. The following describes a mechanism with which this can be achieved automatically.

Continue reading „Alle für eine Zertifikatvorlage ausgestellten Zertifikate automatisch von den Zertifikatinhabern erneuern lassen“

What impact does the expiry of the revocation list of one of the higher-level Certification Authorities have on the Certification Authority?

Unfortunately, in practice it happens from time to time that the revocation list of a higher-level certification authority expires and a renewal does not take place. This can also happen as planned, for example when an old hierarchy is decommissioned.

Continue reading „Welchen Einfluss hat der Ablauf der Sperrliste einer der übergeordneten Zertifizierungsstellen auf die Zertifizierungsstelle?“
en_USEnglish
de_DEDeutsch en_USEnglish