Removing old certification authority certificates from the configuration of a certification authority

During the lifetime of a certification authority, certification authority certificates are renewed according to the planning for their life cycle. A new key pair can optionally be used here. The previous certification authority certificates expire or are revoked.

Expired certificate authority certificates can become a problem under certain circumstances if, for example, the associated private keys are stored on old hardware security modules (HSM) and these can only be migrated to new hardware with great difficulty.

In such a case, it may be useful to remove old certification authority certificates from the certification authority configuration.


Create a backup of a certification authority

Professional operation of a Certification Authority also includes the regular creation of backups.

The following describes which components need to be backed up and the associated procedure.


Create a backup of the private key of a certification authority

Securing a certification authority also includes backing up the private key material. The backup of the private key material is deliberately described separately, since it should be performed separately and its backups should also be stored separately from those of the certification authority.


Perform emergency signing of certificate revocation lists

The most important component of a PKI in terms of availability is not the certification authority, as is often assumed, but the revocation list distribution points. If a certification authority is unavailable, no new certificates can be issued for the time being, but the certificates already issued can continue to be used without hindrance as long as their revocation status can be verified. In addition to the mere availability of the revocation list distribution points, the revocation information must of course also be valid in terms of its signature. Revocation lists have a defined expiration date after which they can no longer be used. If a certification authority has failed, it can no longer publish new revocation lists either. The process of emergency signing of revocation lists is provided for this case.


What impact does the expiry of the revocation list of one of the higher-level Certification Authorities have on the Certification Authority?

Unfortunately, in practice it happens from time to time that the revocation list of a higher-level certification authority expires and a renewal does not take place. This can also happen as planned, for example when an old hierarchy is decommissioned.


What impact does importing a root certificate into the "Untrusted Certificates" store have on the certification authority?

The following describes the effects on certification authority operation when a root certificate that issued one of the certification authority certificates of a certification authority is imported into the Untrusted Certificates store on the certification authority.

This case may occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.


Queries against the certification authority database fail with the error message "0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)"

Assume the following scenario:

  • One runs a query against the certification authority database.
  • The query fails with the following error message:
    CertUtil: -view command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Export archived private keys from the certification authority database

If private key archiving has been enabled, it may be necessary to export these keys from the certificate authority database and convert them to another format (PKCS#12, PFX), for example for long-term archiving.

Below is a description of the procedure for exporting individual or all archived keys and obtaining the necessary meta-information.


The certification authority service does not start and throws the error message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)"

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
    A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)

Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode

If you want to perform maintenance work on a certification authority, such as a migration to another server or more extensive configuration changes that require a functional test, you want to ensure that the certification authority service is running, but at the same time prevent certificates from being automatically requested from and issued by the certification authority during this phase.


What impact does the revocation of a certification authority certificate have on the certification authority?

The following describes the impact on Certification Authority operations when one of the Certification Authority certificates of a Certification Authority is revoked.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.


What impact does incorrect revocation information of a certification authority certificate have on the certification authority?

The following describes the effects on certification authority operation if the revocation information for one of the certification authority's certificates cannot be retrieved.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.


What impact does the revocation of the trust status of a root certification authority certificate have on the certification authority?

The following describes the impact on certification authority operations if one of the root certification authority certificates from which one of the certification authority certificates is derived has its trust status revoked, or never had it.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.


The certification authority service does not start and throws the error message "The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
    The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)

The certification authority service does not start and throws the error message "A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
    A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)