| Field | Value |
| --- | --- |
| Event Source | Microsoft-Windows-CertificateServicesClient-CertEnroll |
| Event ID | 85 (0x825A0055) |
| Event log | Application |
| Event type | Warning |
| Event text (English) | Certificate enrollment for %1 for the %2 template could not perform attestation due to an error with the cryptographic hardware using the provider: %3. Request Id: %4.%5 |
| Event text (German, translated) | Certificate enrollment for "%1" for the %2 template could not perform attestation because of an error with the cryptographic hardware with the provider %3. Request ID: %4.%5 |
Tag: TPM Key Attestation
Configuring the Trusted Platform Module (TPM) Key Attestation
Since Windows 8 it has been possible to protect the private keys of certificates with a Trusted Platform Module (TPM), if one is available. This makes the key non-exportable, even with tools like mimikatz.
However, it is not obvious at first glance that there is no guarantee that a TPM was really used. It is true that no request is possible via the Microsoft Management Console or AutoEnrollment if the computer does not have a TPM.
But the configuration in the certificate template is only a default setting for the client. The certification authority does not explicitly check, when processing the request, whether a Trusted Platform Module was really used.
The only way to ensure that the private key of a certificate request really has been protected with a Trusted Platform Module is TPM Key Attestation.
Continue reading "Configuring the Trusted Platform Module (TPM) Key Attestation"
Include the issuance policies for Trusted Platform (TPM) Key Attestation in a certification authority certificate
If you install an issuing CA and do not explicitly request an issuance policy, the resulting CA certificate does not contain an issuance policy.
If you want to include the issuance policies for Trusted Platform (TPM) Key Attestation in the certification authority certificate, you must proceed as follows.
Continue reading "Including the Issuance Policies for Trusted Platform (TPM) Key Attestation in a Certification Authority Certificate"
Determine and export a Trusted Platform Module (TPM) Endorsement Certificate
If you want to use Trusted Platform Module (TPM) key attestation, one of the available options is to attest the TPM via its endorsement certificate (EkCert). The following describes how to obtain this information.
Continue reading "Determining and Exporting a Trusted Platform Module (TPM) Endorsement Certificate"
Determine the checksum (hash) of a Trusted Platform (TPM) Endorsement Key
If you want to use Trusted Platform Module (TPM) key attestation, one of the available options is to attest the TPM via its endorsement key (EkPub). The following describes how to obtain this information.
Continue reading "Determining the Checksum (Hash) of a Trusted Platform (TPM) Endorsement Key"
Frequently Used Extended Key Usages and Issuance Policies
The following is a list of commonly used extended key usages and issuance policies that are used repeatedly in practice to restrict certification authority certificates.
Continue reading "Frequently Used Extended Key Usages and Issuance Policies"