Category: Certificate usage

Description of the EDITF_ADDOLDKEYUSAGE flag

When installing a subordinate certificate authority, you may encounter the following behavior:

  • One requests a Key Usage extension that is marked as critical, for example, or does not include DigitalSignature.
  • However, the certificate issued by the parent certificate authority includes DigitalSignature, and the Key Usage extension is marked as non-critical.
  • The parent certification authority is a standalone certification authority, i.e. without Active Directory integration.
Continue reading „Beschreibung des Flags EDITF_ADDOLDKEYUSAGE“

How secure is the "Allow private key to be exported" setting in the certificate templates?

PKI administrators often assume that the option in the certificate template to not allow the private key for export is mandatory.

Continue reading „Wie sicher ist die Einstellung „Allow private key to be exported“ in den Zertifikatvorlagen?“

Overview of the different generations of domain controller certificates

Over the generations of Windows operating systems, various certificate templates for domain controllers have been established. In a current Active Directory directory service, one will find three different templates for this purpose.

  • Domain controller
  • Domain Controller Authentication
  • Kerberos Authentication

Below is a description of each template and a recommendation for configuring domain controller certificate templates.

Continue reading „Übersicht über die verschiedenen Generationen von Domänencontroller-Zertifikaten“

certutil -dcinfo fails with error message "KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

  • Domain controllers have certificates for LDAP over SSL.
  • The certificates do not include the Extended Key Usage "Smart Card Logon" or "Kerberos Authentication".
  • If you run certutil -dcinfo, the command reports the following error message:
0 KDC certificates for DC01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Continue reading „certutil -dcinfo schlägt fehl mit Fehlermeldung „KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““

Manual application for a domain controller certificate

There are cases where you cannot or do not want to obtain domain controller certificates from a certification authority in your own Active Directory forest.

In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).

Continue reading „Manuelle Beantragung eines Domänencontroller-Zertifikats“

Requesting a certificate for domain controller fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)".

Here's the scenario:

  • Requesting a certificate for a domain controller fails.
  • On the certification authority, the certificate request is logged in the failed requests. The error message reads:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
Continue reading „Die Beantragung eines Zertifikats für Domänencontroller schlägt fehl mit Fehlermeldung „The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)““
en_USEnglish
de_DEDeutsch en_USEnglish