For a function test or during troubleshooting, it can be useful to check whether the private key of a certificate is usable. If the key is secured with a hardware security module (HSM), for example, there are significantly more dependencies and possibilities for errors than with a software key.
Continue reading „Überprüfen der Verbindung zum privaten Schlüssel eines Zertifikate (z.B. bei Einsatz eines Hardware Security Moduls)“Category: Certificate usage
Planning of certificate validity and renewal period of end entity certificates with autoenrollment
If autoenrollment is used, participants apply for and renew certificates independently.
Regarding the validity of the certificates and the period for their automatic renewal, there are two values that can be configured in the General tab of a certificate template:
- Validity period: Describes the overall validity of the issued certificate.
- Renewal period: Describes from which time window, viewed backwards from the expiration date of the certificate, automatic renewal is attempted for the first time (e.g. 6 weeks before expiration).
Certificates for domain controllers do not contain the domain name in the Subject Alternative Name (SAN)
Assume the following scenario:
- Certificates for domain controllers are issued by an Active Directory integrated certificate authority (Enterprise CA)
- The certificate template used for this purpose was created by the user
- The issued certificates contain in the Subject Alternative Name (SAN) only the fully qualified computer name of the respective domain controller, but not the fully qualified name and the NETBIOS name of the domain
Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)".
Assume the following scenario:
- A Certification Authority certificate is requested from a Certification Authority
- The certificate request fails with the following error message:
The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)Continue reading „Die Beantragung eines Zertifizierungsstellen-Zertifikats schlägt fehl mit Fehlermeldung „The certification authority’s certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)““
Denied by Policy Module
Configure Path Length Constraint for Certificates Issued by a Certification Authority
For stronger control over the certificates that can be issued by a certification authority, a path length constraint can be set up so that certification authorities above a defined hierarchy level are no longer able to issue subordinate certification authority certificates
For an explanation of how the path length constraint works, see the article "Basics: Path Length Constraint"..
Continue reading „Einschränkung der Pfadlänge (Path Length Constraint) für von einer Zertifizierungsstelle ausgestellte Zertifikate konfigurieren“Configuring a Certificate Template for Remote Desktop (RDP) Certificates
To use Remote Desktop certificates, it is necessary to configure an appropriate certificate template.
Continue reading „Konfigurieren einer Zertifikatvorlage für Remotedesktop (RDP) Zertifikate“Identify the active Remote Desktop (RDP) certificate
If one has a Remote Desktop Certificate Template and a appropriate group guidelines configured, or manually assigned a remote desktop certificateYou may want to verify that the certificates on the participating computers are being used correctly by the Remote Desktop session host.
Continue reading „Identifizieren des aktiven Remotedesktop (RDP) Zertifikats“Configuring a Group Policy (GPO) for Remote Desktop (RDP) Certificates
After configuring a certificate template for the distribution of Remote Desktop certificates (see the article "Configuring a Certificate Template for Remote Desktop (RDP) Certificates"), a group policy is still required that instructs the participating computers to also use the certificates originating from the template.
Continue reading „Konfigurieren einer Gruppenrichtlinie (GPO) für Remotedesktop (RDP) Zertifikate“Restoration of a Certification Authority Certificate with Hardware Security Module (HSM)
The following describes how to restore a certificate authority certificate with software key.
Restoring the certification authority certificate may be necessary for the following reasons:
- Restore a certification authority from a backup
- Migration of the certification authority to a new server
- Emergency signing of the blacklists on another computer
Restoration of a certification authority certificate with software key
The following describes how to restore a certificate authority certificate with software key.
Restoring the certification authority certificate may be necessary for the following reasons:
- Restore a certification authority from a backup
- Migration of the certification authority to a new server
- Emergency signing of the blacklists on another computer
What impact does the expiration of one of the Certification Authority certificates have on the Certification Authority?
Certification authority certificates have a defined start and end date, so it is inevitable during the lifecycle of a certification authority that certification authority certificates will expire.
The following describes the impact of an expiring Certification Authority certificate on the Certification Authority.
Continue reading „Welchen Einfluss hat der Ablauf eines der Zertifizierungsstellen-Zertifikate auf die Zertifizierungsstelle?“Have certificate holders automatically renew all certificates issued for a certificate template
When operating a certification authority, it may be necessary to renew all issued certificates for a specific certificate template, for example due to major configuration changes or a change of the issuing certification authority. The following describes a mechanism with which this can be achieved automatically.
Continue reading „Alle für eine Zertifikatvorlage ausgestellten Zertifikate automatisch von den Zertifikatinhabern erneuern lassen“What impact does the expiry of the revocation list of one of the higher-level Certification Authorities have on the Certification Authority?
Unfortunately, in practice it happens from time to time that the revocation list of a higher-level certification authority expires and a renewal does not take place. This can also happen as planned, for example when an old hierarchy is decommissioned.
Continue reading „Welchen Einfluss hat der Ablauf der Sperrliste einer der übergeordneten Zertifizierungsstellen auf die Zertifizierungsstelle?“What impact does importing a root certificate into the "Untrusted Certificates" store have on the certification authority?
The following describes the effects on certification authority operation when a root certificate that issued one of the certification authority certificates of a certification authority is imported into the Untrusted Certificates store on the certification authority.
This case may occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.
Continue reading „Welchen Einfluss hat der Import eines Stammstellenzertifikats in den „Untrusted Certificates“ Speicher auf die Zertifizierungsstelle?“Export archived private keys from the certification authority database
If private key archiving has been enabled, it may be necessary to export these keys from the certificate authority database and convert them to another format (PKCS#12, PFX), for example for long-term archiving.
Below is a description of the procedure for exporting individual or all archived keys and obtaining the necessary meta-information.
Continue reading „Exportieren archivierter privater Schlüssel aus der Zertifizierungsstellen-Datenbank“
English 
Deutsch