What impact does the expiration of one of the Certification Authority certificates have on the Certification Authority?

Certification authority certificates have a defined start and end date, so it is inevitable during the lifecycle of a certification authority that certification authority certificates will expire.

The following describes the impact of an expiring Certification Authority certificate on the Certification Authority.

Continue reading „What impact does the expiration of one of the Certification Authority certificates have on the Certification Authority?“

Have certificate holders automatically renew all certificates issued for a certificate template

When operating a certification authority, it may be necessary to renew all issued certificates for a specific certificate template, for example due to major configuration changes or a change of the issuing certification authority. The following describes a mechanism with which this can be achieved automatically.

Continue reading „Have certificate holders automatically renew all certificates issued for a certificate template“

What impact does the expiry of the revocation list of one of the higher-level Certification Authorities have on the Certification Authority?

Unfortunately, in practice it happens from time to time that the revocation list of a higher-level certification authority expires and a renewal does not take place. This can also happen as planned, for example when an old hierarchy is decommissioned.

Continue reading „What impact does the expiry of the revocation list of one of the higher-level Certification Authorities have on the Certification Authority?“

What impact does importing a root certificate into the "Untrusted Certificates" store have on the certification authority?

The following describes the effects on certification authority operation when a root certificate that issued one of the certification authority's own certificates is imported into the Untrusted Certificates store on the certification authority.

This case may occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.

Continue reading „What impact does importing a root certificate into the "Untrusted Certificates" store have on the certification authority?“

Export archived private keys from the certification authority database

If private key archiving has been enabled, it may be necessary to export these keys from the certification authority database and convert them to another format (PKCS#12, PFX), for example for long-term archiving.

Below is a description of the procedure for exporting individual or all archived keys and obtaining the necessary meta-information.

Continue reading „Export archived private keys from the certification authority database“

The certification authority service does not start and throws the error message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)"

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
    A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)

Continue reading „The certification authority service does not start and throws the error message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)"“

View and clear the revocation list address cache (CRL URL Cache)

All applications that use the Microsoft Cryptographic Application Programming Interface Version 2 (Crypto API Version 2, CAPI2) have a mechanism for caching certificate revocation information (certificate revocation lists and OCSP responses).

Thus, there is no guarantee that, for example, a newly published revocation list will be used by participants before the previous revocation list, which is still in the cache, has expired.

The following describes how to view and clear the revocation list cache.

Continue reading „View and clear the revocation list address cache (CRL URL Cache)“

What impact does the revocation of a certification authority certificate have on the certification authority?

The following describes the impact on Certification Authority operations when one of the Certification Authority certificates of a Certification Authority is revoked.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.

Continue reading „What impact does the revocation of a certification authority certificate have on the certification authority?“

What impact does incorrect revocation information of a certification authority certificate have on the certification authority?

The following describes the effects on certification authority operation if the revocation information for one of the certification authority's certificates cannot be retrieved.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.

Continue reading „What impact does incorrect revocation information of a certification authority certificate have on the certification authority?“

What impact does the revocation of the trust status of a root certification authority certificate have on the certification authority?

The following describes the impact on certification authority operations if one of the root certification authority certificates from which one of the certification authority certificates is derived has its trust status revoked, or never had it.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.

Continue reading „What impact does the revocation of the trust status of a root certification authority certificate have on the certification authority?“

The certification authority service does not start and throws the error message "A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)"

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
    A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)

Continue reading „The certification authority service does not start and throws the error message "A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)"“

Certificate request fails with error message "The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"

Assume the following scenario:

  • A user requests a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The certificate request fails with the following error message:
    The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

Continue reading „Certificate request fails with error message "The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"“

Certificate request fails with error message "Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)"

Assume the following scenario:

  • A user requests a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The certificate template is set up for archiving private keys.
  • The certificate request fails with the following error message:
    Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)

Continue reading „Certificate request fails with error message "Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)"“

Description of the necessary configuration settings for the "Common PKI" certificate profile

The following is a description of what configuration settings are necessary for a certificate hierarchy based on Active Directory Certificate Services to be compliant with the "Common PKI" standard.

Continue reading „Description of the necessary configuration settings for the "Common PKI" certificate profile“

Enabling Secure Sockets Layer (SSL) for Certificate Authority Web Enrollment (CAWE)

In the default configuration, Certificate Authority Web Enrollment (CAWE) accepts only unencrypted connections via HTTP. It is recommended that the CAWE be configured for HTTP over TLS (HTTPS) to make network traffic interception more difficult. Instructions are provided below.

Continue reading „Enabling Secure Sockets Layer (SSL) for Certificate Authority Web Enrollment (CAWE)“