List of certificate use cases for which compatibility with elliptic curve (ECC)-based keys is known

As computing power becomes increasingly available, the need to use stronger cryptographic keys also increases. Often there is a need to use keys based on elliptic curves (ECC), for example because the keys have to be protected by a trusted platform module. For their use, it is essential that compatibility with the intended use cases is ensured.

Below is a list of use cases for which I am aware of compatibility.

Continue reading “List of certificate use cases for which compatibility with elliptic curve (ECC)-based keys is known”

It's time: Migrating the PKI components from Windows Server 2012 to a new operating system

At the turn of the year, a note to all operators of a Microsoft Certification Authority and connected services:

The end of product support from Microsoft for Windows Server 2012 and 2012 R2 is slowly approaching: it is October 10, 2023.

Thus, it is time to prepare for the move to a new operating system.

Continue reading “It's time: Migrating the PKI components from Windows Server 2012 to a new operating system”

Cause research: Snipping Tool and other components in Windows 11 no longer usable due to expired certificate

Today, many media outlets reported that some apps and components in the recently released Windows 11 have not worked since 01.11.2021, and that the cause is a certificate that expired on 31.10.2021. In the meantime, Microsoft has pointed this out in a blog post and has also published a patch for some affected components.

Unfortunately, none of the available sources provided detailed information about what exactly the problem was. So let's get to the bottom of it ourselves.

Continue reading “Cause research: Snipping Tool and other components in Windows 11 no longer usable due to expired certificate”

Limits of Microsoft Active Directory Certificate Services

Active Directory Certificate Services have existed (albeit under a different name) in their basic form since Windows NT 4.0. The architecture based on Active Directory used today was introduced with Windows 2000 Server. AD CS are very well integrated into the Windows ecosystem and continue to be very popular in enterprises and government agencies of all sizes worldwide.

People like to point out the many possibilities offered by Active Directory Certificate Services. Rarely, however, is reference made to what is not possible with them. In the meantime, the product has also reached its limits in many places.

What these limits are is explained in more detail below, to help decide whether AD CS can be the right solution for planned projects.

Continue reading “Limits of Microsoft Active Directory Certificate Services”

SignTool installation without Windows Software Development Kit (SDK) installation

One way to perform code signatures is to use the SignTool command line tool. This is part of the Windows 10 Software Development Kit (SDK).

If you want to use the tool on a system without having to install Visual Studio or the Windows SDK, you can proceed as follows.

Continue reading “SignTool installation without Windows Software Development Kit (SDK) installation”

What to consider when applying Microsoft Security Baselines?

In the context of hardening measures, it is a good idea to apply the Microsoft Security Baselines published by Microsoft to your own server landscape.

This will inevitably have an impact on PKI components. The following is an overview of the expected effects and countermeasures.

Continue reading “What to consider when applying Microsoft Security Baselines?”

In-Place Upgrade of a Certification Authority from Windows Server 2012 R2 or 2016 to Windows Server 2019

At the latest when the end of product support by the manufacturer (Microsoft) approaches, the question arises as to whether to migrate the Certification Authority to another server with an up-to-date operating system or to perform an in-place upgrade. The latter process is described below.

Continue reading “In-Place Upgrade of a Certification Authority from Windows Server 2012 R2 or 2016 to Windows Server 2019”

In-Place Upgrade of a Certification Authority from Windows Server 2012 SP2 or 2012 R2 to Windows Server 2016

At the latest when the end of product support by the manufacturer (Microsoft) approaches, the question arises as to whether to migrate the Certification Authority to another server with an up-to-date operating system or to perform an in-place upgrade. The latter process is described below.

Continue reading “In-Place Upgrade of a Certification Authority from Windows Server 2012 SP2 or 2012 R2 to Windows Server 2016”

In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2008 R2

At the latest when the end of product support by the manufacturer (Microsoft) approaches, the question arises as to whether to migrate the Certification Authority to another server with an up-to-date operating system or to perform an in-place upgrade. The latter process is described below.

Continue reading “In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2008 R2”

In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2012

At the latest when the end of product support by the manufacturer (Microsoft) approaches, the question arises as to whether to migrate the Certification Authority to another server with an up-to-date operating system or to perform an in-place upgrade. The latter process is described below.

Continue reading “In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2012”

In-Place Upgrade of a Certification Authority from Windows Server 2008 R2 to Windows Server 2012 R2

At the latest when the end of product support by the manufacturer (Microsoft) approaches, the question arises as to whether to migrate the Certification Authority to another server with an up-to-date operating system or to perform an in-place upgrade. The latter process is described below.

Continue reading “In-Place Upgrade of a Certification Authority from Windows Server 2008 R2 to Windows Server 2012 R2”

Remote desktop connection no longer possible after in-place upgrade of Windows Server operating system

Assume the following scenario:

  • An in-place upgrade of the certification authority's operating system is performed.
  • After the upgrade I can no longer log in via Remote Desktop. The connection fails with the following error message:
An authentication error has occurred.
The function requested is not supported.
Remote Computer: 192.168.1.149
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660 

In German:

Authentication error.
The requested function is not supported.
Remote computer: 192.168.1.149
The cause could be a CredSSP Encryption Oracle defense.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660 

Continue reading “Remote desktop connection no longer possible after in-place upgrade of Windows Server operating system”

The SMTP Exit module does not work on Windows Server Core

Assume the following scenario:

  • A certificate authority is installed on Windows Server Core.
  • The SMTP exit module supplied with the certification authority is configured.
  • However, the Certification Authority does not send e-mails.
  • In the event log, event no. 46 is logged with the following error message:
The "Windows default" Exit Module "Initialize" method returned an error. Class not registered The returned status code is 0x80040154 (-2147221164). The Certification Authority was unable to initialize email messaging objects.

Continue reading “The SMTP Exit module does not work on Windows Server Core”

End of product support by the manufacturer (Microsoft)

Each Windows Server operating system has a defined end date after which there is no longer any product support from the manufacturer. Certification authorities are also bound to this date and should therefore be migrated before it is reached.

Continue reading “End of product support by the manufacturer (Microsoft)”