If a certificate request exists in the form of a text file (usually with the extension .CSR or .REQ), for example after manual generation, it can be sent to the certification authority using built-in tools.
Performance problems with auditing of "Start and stop Active Directory Certificate Services".
When configuring the auditing settings of a certificate authority, one is inclined to select the "Start and Stop Active Directory Certificate Services" option. However, this option may cause problems in some circumstances.
More than one common name (CN) in the certificate
Nowadays more of a curiosity than something relevant in practice, but it does happen from time to time that you receive certificate requests containing more than one common name in the subject. Surprising as it may seem, this is entirely possible and also RFC compliant.
The SMTP Exit module does not work on Windows Server Core
Assume the following scenario:
- A certificate authority is installed on Windows Server Core.
- The SMTP Exit module supplied with the certification authority is configured.
- However, the Certification Authority does not send e-mails.
- In the event log, event no. 46 is logged with the following error message:
The "Windows default" Exit Module "Initialize" method returned an error. Class not registered The returned status code is 0x80040154 (-2147221164). The Certification Authority was unable to initialize email messaging objects.
Allow requesting a specific signature key on a certification authority
The Microsoft Certification Authority always signs certificates using the key associated with the most recent certification authority certificate. According to RFC 6960, however, the signing certificate for an OCSP response should be signed with the same key as the certificate being checked:
The CA SHOULD use the same issuing key to issue a delegation certificate as that used to sign the certificate being checked for revocation.
https://tools.ietf.org/html/rfc6960#section-4.2.2.2
However, if the certification authority certificate is renewed with a new key pair, the online responder must continue to hold valid signing certificates for the certificates issued under the previous certification authority certificate, since these are still valid and must be checked for revocation.
Certificate request fails with error message "The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)".
Assume the following scenario:
- A certificate request is sent to a certification authority.
- The certificate request fails with the following error message:
Error Parsing Request The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Certificate request fails with error message "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."
Assume the following scenario:
- A user sends a certificate request to a certificate authority.
- The certificate request fails with the following error message:
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA). Denied by Policy Module.
Windows Server Migration Matrix for the Certification Authority
At the latest when the end of product support by the manufacturer (Microsoft) approaches, the question arises of how and to which operating system a certification authority should be migrated.
Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server
Often a certification authority lives significantly longer than the server on which it was installed. Reasons for migrating the certification authority to a new server, i.e. while retaining the data, can be:
- Defect or end of life of the server hardware
- End of life of the server operating system
- Change of the server name
The procedure for migration is described in detail below.
End of product support by the manufacturer (Microsoft)
Each Windows Server operating system has a defined end date after which the manufacturer no longer provides product support. Certification authorities are bound to this date as well and should therefore be migrated before it is reached.
The certification authority service does not start and throws the error message "Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)".
Assume the following scenario:
- A certification authority is implemented in the network.
- The certification authority service does not start.
- When trying to start the Certification Authority service, you get the following error message:
Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)
Configuration of security event monitoring (auditing settings) for certification authorities
In contrast to operational events, which are usually what is meant by the term "monitoring", auditing for the certification authority means configuring the logging of security-relevant events.
Perform functional test for a Certification Authority
After installing a certification authority, after migrating to a new server, or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components of the certification authority are working as desired.
Publish a certificate revocation list (CRL) to an Active Directory revocation list distribution point (CDP)
Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.
In some cases (for example, with an offline certificate authority, or if non-standard LDAP revocation list distribution points have been configured), the certificate revocation list must be manually published to Active Directory.
Create and publish a certificate revocation list
Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.
After a certificate has been revoked, a new revocation list must be created and published so that entities that check the revocation status are informed of the revocation. Since the revocation list has a relatively short expiration date, it must be reissued at regular intervals even if the content is not changed.