Category: Certification Authority

Overview of the availability of options when changing the compatibility settings of a certificate template

Since the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility for the certificate authority and certificate recipient when configuring a certificate template.

The following is an overview of which options become available in each case when the compatibility settings for the certificate authority and/or the certificate recipients are changed.

Continue reading „Übersicht über die Verfügbarkeit von Optionen bei Veränderung der Kompatibilitätseinstellungen einer Zertifikatvorlage“

In-Place Upgrade of a Certification Authority from Windows Server 2012 R2 or 2016 to Windows Server 2019

At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.

Continue reading „In-Place Upgrade einer Zertifizierungsstelle von Windows Server 2012 R2 oder 2016 zu Windows Server 2019“

In-Place Upgrade of a Certification Authority from Windows Server 2012 SP2 or 2012 R2 to Windows Server 2016

At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.

Continue reading „In-Place Upgrade einer Zertifizierungsstelle von Windows Server 2012 SP2 oder 2012 R2 zu Windows Server 2016“

In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2008 R2

At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.

Continue reading „In-Place Upgrade einer Zertifizierungsstelle von Windows Server 2008 SP2 zu Windows Server 2008 R2“

In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2012

At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.

Continue reading „In-Place Upgrade einer Zertifizierungsstelle von Windows Server 2008 SP2 zu Windows Server 2012“

In-Place Upgrade of a Certification Authority from Windows Server 2008 R2 to Windows Server 2012 R2

At the latest within the scope of the End of product support by the manufacturer (Microsoft) The question arises as to whether the Certification Authority should be Migration to another server to an up-to-date operating system, or performs an in-place upgrade. The latter process is described below.

Continue reading „In-Place Upgrade einer Zertifizierungsstelle von Windows Server 2008 R2 zu Windows Server 2012 R2“

Remote desktop connection no longer possible after in-place upgrade of Windows Server operating system

Assume the following scenario:

  • An in-place upgrade of the certification authority's operating system is performed.
  • After the upgrade I can no longer log in via Remote Desktop. The connection fails with the following error message:
An authentication error has occurred.
The function requested is not supported.
Remote Computer: 192.168.1.149
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

In German:

Authentifizierungsfehler.
Die angeforderte Funktion wird nicht unterstützt.
Remotecomputer: 192.168.1.149
Ursache könnte eine CredSSP Encryption Oracle-Abwehr sein.
Weitere Informationen finden Sie unter https://go.microsoft.com/fwlink/?linkid=866660
Continue reading „Keine Remotedesktopverbindung mehr möglich nach In-Place Upgrade des Windows Server Betriebssystems“

Certificate request fails with error message "Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)".

Assume the following scenario

  • A certificate request is sent to a certification authority.
  • The certificate request fails with the following error message:
Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)““

Token for CDP and AIA configuration of a certification authority

The following is an overview of the tokens for the CDP and AIA configuration of a certification authority.

Continue reading „Token für die CDP- und AIA- Konfiguration einer Zertifizierungsstelle“

Overview of audit events generated by the Certification Authority

The following is an overview of the audit events generated by the certification authority in the Windows Event Viewer.

In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.

Continue reading „Übersicht über die von der Zertifizierungsstelle generierten Audit-Ereignisse“

Configuring the certificate authority to a static port (RPC endpoint)

In the default configuration, the certificate authority's certificate request interface is configured to negotiate dynamic ports for the incoming RPC/DCOM connections (for more details, see the article "Firewall rules required for Active Directory Certificate Services„).

Network protocolDestination portProtocol
TCP135RPC Endpoint Mapper
TCP49152-65535RPC dynamic ports

This configuration is not feasible in every enterprise environment. Often there are restrictive firewall rules that do not allow the use of dynamic network ports.

In such a case, the certificate authority must be configured to a static port.

Continue reading „Konfigurieren der Zertifizierungsstelle auf einen statischen Port (RPC-Endpunkt)“

Querying the configured RPC endpoints of a certification authority

In the default configuration, the certificate authority's certificate request interface is configured to negotiate dynamic ports for the incoming RPC/DCOM connections (for more details, see the article "Firewall rules required for Active Directory Certificate Services„).

However, it is also possible to configure the certificate authority to a static port (see article "Configuring the certificate authority to a static port (RPC endpoint)„).

The following describes how to check the current configuration of the certification authority.

Continue reading „Abfrage der konfigurierten RPC-Endpunkte einer Zertifizierungsstelle“

Classification of ADCS components in the Administrative Tiering Model

If, in addition to the Active Directory Certificate Services, the administrative tiering model is also implemented for the Active Directory directory service, the question arises as to how the individual PKI components are to be assigned to this model in order to be able to perform targeted security hardening.

Continue reading „Einordnung der ADCS-Komponenten in das administrative Schichtenmodell (Administrative Tiering Model)“
en_USEnglish
de_DEDeutsch en_USEnglish