What happens if a user has requested multiple certificates?

I recently encountered a situation in which, because of faulty request logic, several users had submitted new certificate requests at regular intervals.

The certificate template was configured so that incoming certificate requests had to be approved by a certificate manager, i.e. the certificates were not issued automatically. The certificate requests were to be checked by a separate piece of code and then approved.

One would now expect that (since all certificate requests would eventually be approved) users would end up with multiple certificates of the same type in their certificate store (and in the applications that use them). However, this was not the case.


Basics: Replacing (Superseding) Certificate Templates

Version 2 certificate templates, introduced with Windows XP and Windows Server 2003, added the option for a certificate template to supersede one or more other templates.

This makes it possible to replace issued certificates with those of another certificate template, or to consolidate multiple certificate templates into a single one.


Remote desktop certificate request fails with error message "The permissions on the certificate template do not allow the current user to enroll for this type of certificate."

Assume the following scenario:

The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The permissions on the certificate template do not allow the current user to enroll for this type of certificate.

Remote desktop certificate request fails with error message "The requested certificate template is not supported by this CA."

Assume the following scenario:

The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The requested certificate template is not supported by this CA.

The local certificate store for trusted root certificate authorities is not synchronized from Active Directory

Assume the following scenario:

  • A certification authority hierarchy is established in the network and the root certification authority is published in the configuration partition of the Active Directory forest.
  • Domain members are configured to run the autoenrollment process to update trusted root certificate authorities from the Configuration partition.
  • However, this process does not work for some clients. The root CA certificates are not automatically downloaded and entered into the local trust store.
  • As a consequence, certificate requests can fail because, for example, the certification authority hierarchy is not trusted.

Certificate requests for the online responder (OCSP) fail sporadically with error message "The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)"

Assume the following scenario:

  • An online responder (OCSP) is set up in the network.
  • The certification authorities report at irregular intervals that certificate requests for the OCSP Response Signing certificates fail with the following error message:
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK).

Programmatically trigger the autoenrollment process for the logged-in user

Assume the following scenario:

  • You write a script or an application that should trigger the autoenrollment process for the currently logged-in user.
  • You find that the corresponding scheduled task cannot be executed.
  • The error message reads:
The user account does not have permissions to run this task.

Enable logging for automatic certificate request (autoenrollment)

The following is an overview of the Windows Event Viewer events generated by Windows certificate clients, how to enable them, and how to identify them.


Troubleshooting for automatic certificate request (autoenrollment) via RPC/DCOM

Assume the following scenario:

  • A certificate template is configured for automatic certificate request (autoenrollment).
  • The certificate template is published on a certification authority (Enterprise Certification Authority) integrated into Active Directory.
  • However, the users or computers configured for automatic certificate enrollment do not request certificates as intended.

The following is a troubleshooting guide.


Details of the event with ID 95 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 95 (0x425A005F)
Event log: Application
Event type: Information
Event text (English): Successfully installed Logon Certificate for %1 Request thumbprint: %2 Thumbprint: %3 Process: %4
Event text (German): The logon certificate for %1 was successfully installed. Request fingerprint: %2 Fingerprint: %3 Process: %4

Details of the event with ID 94 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 94 (0xC25A005E)
Event log: Application
Event type: Error
Event text (English): Failed to install Logon Certificate for %1 failed Request thumbprint: %2 Thumbprint: %3 %4 Process: %5 %6
Event text (German): Error installing logon certificate for %1 Request fingerprint: %2 Fingerprint: %3 %4 Process: %5 %6

Details of the event with ID 96 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 96 (0xC25A0060)
Event log: Application
Event type: Error
Event text (English): Failed to remove Logon Certificate request for %1 Request thumbprint: %2 Process: %3 %4
Event text (German): Error removing logon certificate request for %1 Request fingerprint: %2 Process: %3 %4

Details of the event with ID 98 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 98 (0xC25A0062)
Event log: Application
Event type: Error
Event text (English): Failed to import PFX Certificate for %1 Flags: %2 Provider: %3 Container: %4 Process: %5 %6
Event text (German): Error importing PFX certificate for %1 Flags: %2 Provider: %3 Container: %4 Process: %5 %6

Details of the event with ID 93 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 93 (0x425A005D)
Event log: Application
Event type: Information
Event text (English): Logon Certificate Request creation for %1 succeeded for the %2 template for key %3 Request thumbprint: %4 Process: %5
Event text (German): The logon certificate request for %1 for the %2 template for key %3 was successfully created. Request fingerprint: %4 Process: %5

Details of the event with ID 97 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 97 (0x825A0061)
Event log: Application
Event type: Warning
Event text (English): Successfully removed Logon Certificate request for %1 Request thumbprint: %2 Process: %3
Event text (German): The logon certificate request for %1 was successfully removed. Request fingerprint: %2 Process: %3