The "Application Policies" certificate extension

The purposes for which a digital certificate may be used are controlled via the certificate extensions "Key Usage" and "Enhanced Key Usage".

The "Enhanced Key Usage" certificate extension lists the extended key usages for which the certificate may be used.

However, certificates issued by a Microsoft Certification Authority can carry another certificate extension called "Application Policies", which also contains a list very similar to that of the Enhanced Key Usage extension.


New certificates are regularly requested via Autoenrollment

Assume the following scenario:

  • A certificate template is configured for automatic request and issuance (AutoEnrollment).
  • Users or computers request new certificates at regular intervals, long before the defined renewal period is reached.

The "S/MIME Capabilities" certificate extension

When S/MIME certificates are issued, they usually contain a certificate extension "S/MIME Capabilities". This certificate extension is specified in RFC 4262 and can be used by compatible e-mail programs to specify the symmetric algorithms supported by the recipient of an encrypted message. The sender should then choose the strongest algorithm supported by the recipient.

Microsoft Outlook, among other e-mail clients, evaluates this extension and uses it to determine the symmetric algorithm for an encrypted e-mail.


Removing ADCS-specific extensions from certificates

When using Active Directory Certificate Services (AD CS), it is noticeable that the certificates of the certification authorities and the certificates they issue contain certain extensions that are not defined in the relevant RFCs and are specific to AD CS.


The online responder (OCSP) requests new signature certificates every four hours

Assume the following scenario:

  • The online responders are configured to request signing certificates using a certificate template from an Active Directory integrated certificate authority.
  • The online responders request a new signing certificate at regular intervals (every four hours), even though the existing certificate is still valid for a sufficiently long time.