Character encoding in the Subject Distinguished Name of certificate requests and issued certificates

Usually, the encoding of characters and strings in certificates is not a topic of great interest to the users of a PKI. However, there are cases where the default settings of the certification authority do not provide the desired results.

Continue reading „Zeichenkodierung im Subject Distinguished Name von Zertifikatanforderungen und ausgestellten Zertifikaten“

Cause research: Snipping Tool and other components in Windows 11 no longer usable due to expired certificate

Today went through many Mediathat some apps and components in the recently released Windows 11 no longer work since 01.11.2021 and that the cause for this is a certificate that expired on 31.10.2021. In the meantime Microsoft has pointed out in a blogpost and also a patch for some affected components published.

Unfortunately, none of the available sources provided detailed information about what exactly the problem was. So let's get to the bottom of it ourselves.

Continue reading „Ursachenforschung: Snipping Tool und weitere Komponenten in Windows 11 wegen abgelaufenem Zertifikat nicht mehr benutzbar“

Code signatures of Appx packages via SignTool.exe fail with error code 0x8007000b (ERROR_BAD_FORMAT)

Assume the following scenario:

  • An Appx package is to be signed.
  • For this purpose the SignTool.exe used.
  • The code signing certificate used was recently renewed.
  • The signing process with the new code signing certificate fails with the following error message:
"Error: SignerSign() failed." (-2147024885/0x8007000b) 
Continue reading „Codesignaturen von Appx Paketen per SignTool.exe schlagen fehl mit Fehlercode 0x8007000b (ERROR_BAD_FORMAT)“

SignTool installation without Windows Software Development Kit (SDK) installation

One way to perform code signatures is to use the SignTool command line tool. This is part of the Windows 10 Software Development Kit (SDK).

If you want to use the tool on a system without having to install Visual Studio or the Windows SDK, you can proceed as follows.

Continue reading „SignTool Installation ohne Installation des Windows Software Development Kit (SDK)“

Treatment of expired certificates when issuing certificate revocation lists

By default, the Microsoft Certification Authority removes the serial numbers of expired certificates from the revocation lists it issues.

However, there are some exceptions to this.

Continue reading „Behandlung abgelaufener Zertifikate bei der Ausstellung von Zertifikatsperrlisten“