Recently, together with the B-I-T GmbH Information and processes from Hanover worked on implementing the electronic data exchange with the statutory health insurance funds and the pension insurance from one application.
Here, a combination of authenticated data transmission of both signed and encrypted messages is used. PKI technologies are used in all these cases.
The message format used is here documented.
Continue reading „Elektronischer Datenaustausch mit der Deutschen Rentenversicherung“When troubleshooting, it can be very helpful to view encrypted SSL connections in order to inspect the messages within. There is a relatively simple way to do this with Wireshark.
Continue reading „TLS-Datenverkehr mit Wireshark inspizieren (HTTPS entschlüsseln)“Assume the following scenario:
403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.Continue reading „HTTP Fehlercode 403 bei Anmeldung mittels Client-Zertifikat an Internet Information Services (IIS) nach Erneuerung des Webserver-Zertifikats“
There are cases in which you cannot or do not want to obtain web server certificates directly from a certification authority in your own Active Directory forest via the Microsoft Management Console, for example if the system in question is not a domain member.
In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).
Continue reading „Manuelle Beantragung eines Webserver-Zertifikats“With regard to the design of the infrastructure for providing revocation information - i.e. the CRL Distribution Points (CSP) as well as the Online Responders (Online Certificate Status Protocol, OCSP) - the question arises whether these should be "secured" via Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
Continue reading „Verwenden von HTTP über Transport Layer Security (HTTPS) für die Sperrlistenverteilungspunkte (CDP) und den Onlineresponder (OCSP)“The Network Device Enrollment Service (NDES) is Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP) developed by Cisco in the early 2000s. The first implementation was released with Windows Server 2003.
It may come as a surprise that NDES does not use Secure Socket Layer (SSL) for the HTTP connections in the default setting to this day. This fact is explained and evaluated in more detail below.
Continue reading „Sollte HTTPS für den Registrierungsdienst für Netzwerkgeräte (NDES) verwendet werden?“The following describes the steps required to configure the Network Device Enrollment Service (NDES) for use with an alias.
The term alias means that the service is not called with the name of the server on which it is installed, but with a generic name independent of this name. The use of an alias allows the service to be moved to another system at a later time without having to inform all participants of the new address.
Continue reading „Den Network Device Enrollment Service (NDES) für die Verwendung mit einem Alias konfigurieren“Apple recently announced that the Safari browser will only accept certificates with a validity of 398 days in the future, provided they were issued from September 1, 2020.
Mozilla and Google want to implement comparable behavior in their browsers. So the question is whether this change will have an impact on internal certificate authorities - i.e. whether in future internal SSL certificates will also have to follow these rules, as is the case, for example, with the enforcement of the RFC 2818 by Google was the case.
Continue reading „Chrome und Safari limitieren SSL Zertifikate auf ein Jahr Gültigkeit“Assume the following scenario:
You do not have permission to view this directory or page using the credentials that you supplied.Continue reading „Die Beantragung eines Zertifikats über die Zertifizierungsstellen-Webregistrierung (CAWE) schlägt fehl mit HTTP Fehlercode 403 „Forbidden: Access is denied.““
After installing and configuring Certificate Authority Web Enrollment (CAWE), it is essential to test the component extensively before releasing it to users. Below are instructions for a detailed functional test.
Continue reading „Funktionstest durchführen für die Zertifizierungsstellen-Webregistrierung (CAWE)“In the default configuration, Certificate Authority Web Enrollment (CAWE) accepts only unencrypted connections via HTTP. It is recommended that the CAWE be configured for HTTP over TLS (HTTPS) to make network traffic interception more difficult. Instructions are provided below.
Continue reading „Secure Sockets Layer (SSL) für die Zertifizierungsstellen-Webregistrierung (CAWE) aktivieren“Assume the following scenario:
Certificate Request Processor: The endpoint address URL is invalid. 0x803d0020 (-2143485920 WS_E_INVALID_ENDPOINT_URL)Continue reading „Die Beantragung eines Zertifikats über den Certificate Enrollment Web Service (CES) schlägt fehl mit Fehlercode „WS_E_INVALID_ENDPOINT_URL““
Assume the following scenario:
The certificate authority is invalid or corrupt. 0x80072f0d (WinHttp: 12045 ERROR_WINHTTP_SECURE_INVALID_CA)Continue reading „Die Beantragung eines Zertifikats über den Certificate Enrollment Web Service (CES) schlägt fehl mit Fehlercode „ERROR_WINHTTP_INVALID_CA““
Below is a guide to configuring a web server template with recommended settings.
Continue reading „Konfigurieren einer Secure Socket Layer (SSL) Zertifikatvorlage für Web Server“Often, before submitting a certificate request to a certification authority - or before issuing the certificate - you want to verify that it contains the desired values.
The following describes how to achieve this.
Continue reading „Eine Zertifikatanforderung (CSR) inspizieren“
English 
Deutsch