Perform functional test for a Certification Authority

After installing a certification authority, after migrating to a new server, or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components of the certification authority are working as desired.

Continue reading „Funktionstest durchführen für eine Zertifizierungsstelle“

How secure is the "Allow private key to be exported" setting in the certificate templates?

PKI administrators often assume that the option in the certificate template to not allow the private key for export is mandatory.

Continue reading „Wie sicher ist die Einstellung „Allow private key to be exported“ in den Zertifikatvorlagen?“

Requesting certificates via Certificate Enrollment Web Services fails with error message "Error: The remote endpoint is unable to process the request due to being overloaded. 0x803d0012 (-2143485934 WS_E_ENDPOINT_TOO_BUSY)".

Assume the following scenario:

  • A user requests a certificate.
  • An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
  • The connection to the CEP fails and the user receives the following error message:
Error: The remote endpoint is unable to process the request due to being overloaded. 0x803d0012 (-2143485934 WS_E_ENDPOINT_TOO_BUSY)
Continue reading „Die Beantragung eines Zertifikats über die Certificate Enrollment Web Services schlägt fehl mit Fehlermeldung „Error: The remote endpoint is unable to process the request due to being overloaded. 0x803d0012 (-2143485934 WS_E_ENDPOINT_TOO_BUSY)““

Requesting certificates via Certificate Enrollment Web Services fails with error message "Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)".

Assume the following scenario:

  • A user requests a certificate.
  • An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
  • Authentication is done via Kerberos.
  • The application for the certificate is made by the CEP server itself.
  • The connection to the CEP fails and the user receives the following error message:
Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)
Continue reading „Die Beantragung eines Zertifikats über die Certificate Enrollment Web Services schlägt fehl mit Fehlermeldung „Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)““

Requesting certificates via Certificate Enrollment Web Services fails with error message "Error: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)".

Assume the following scenario:

  • A user requests a certificate.
  • An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
  • The connection to the CEP fails and the user receives the following error message:
Error: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
Continue reading „Die Beantragung eines Zertifikats über die Certificate Enrollment Web Services schlägt fehl mit Fehlermeldung „Error: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)““

Requesting a certificate fails with the error message "The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).". When importing PFX files, the private key is missing.

Here's the scenario:

  • The import of a PFX file seems to be successful, but afterwards the private key is missing. A check with certutil ends with the error message "Missing stored keyset".
  • Requesting a certificate on a client fails with the following error message:
The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).“. Beim Import von PFX-Dateien fehlt der private Schlüssel.“

Requesting a certificate for domain controller fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)".

Here's the scenario:

  • Requesting a certificate for a domain controller fails.
  • On the certification authority, the certificate request is logged in the failed requests. The error message reads:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)
Continue reading „Die Beantragung eines Zertifikats für Domänencontroller schlägt fehl mit Fehlermeldung „The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)““

Requesting a certificate fails with the error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."

Assume the following scenario:

  • You try to apply for a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • To do this, use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
  • However, the desired certificate template is not displayed for selection, even though it has been correctly published on the certification authority.
  • The logged-in user (or computer) also has the necessary permissions to request certificates from the certificate template in question (enroll).
  • In the list of available certificate templates within the MMC, all certificate templates are displayed. At the desired certificate template is written:
A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.““
en_USEnglish