Google Chrome reports error code "ERR_SSL_PROTOCOL_ERROR" when calling a web page

Assume the following scenario:

  • A web page is accessed using Google Chrome.
  • The connection setup fails with the following error message:
Diese Website kann keine sichere Verbindung bereitstellen
test.intra.adcslabor.de hat eine ungültige Antwort gesendet.
Versuchen Sie, die Windows-Netzwerkdiagnose auszuführen.
ERR_SSL_PROTOCOL_ERROR
Continue reading „Google Chrome meldet Fehlercode „ERR_SSL_PROTOCOL_ERROR“ beim Aufruf einer Webseite“

Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."

Assume the following scenario:

  • A Windows role concerning Active Directory Certificate Services (Certification Authority, Network Device Enrollment Service (NDES), Certificate Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP, CES), or Online Certificate Service Provider (OCSP)) is to be installed or uninstalled.
  • The installation or uninstallation fails with the following error message:
The status of the role services on the target machine cannot be determined. Please retry. The error is The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.
Continue reading „Die Installation oder Deinstallation eines Windows-Features schlägt fehl mit Fehlermeldung „The service is configured to not accept any remote shell requests.““

Basics of online responders (Online Certificate Status Protocol, OCSP)

Certificates usually have a "CRL Distribution Points" extension that tells an application where the certificate's associated Certificate Revocation List (CRL) can be found.

This is like a telephone directory: It contains all the serial numbers of certificates that have been recalled by the certification authority (and are still valid). Every application that checks the revocation status must download and evaluate the entire revocation list.

As the size increases, this procedure becomes increasingly inefficient. As a rule of thumb, 100,000 recalled certificates already correspond to approx. 5 MB file size for the revocation list.

The Online Certificate Status Protocol (OCSP) was developed for this purpose (under the leadership of ValiCert): It is similar to a directory assistance service where applications can request the revocation status for individual certificates, thus eliminating the need to download the entire CRL. OCSP is available in the RFC 6960 specified.

Continue reading „Grundlagen Onlineresponder (Online Certificate Status Protocol, OCSP)“

Overview of the setting options for blocking configurations of the online responder (OCSP).

If a blocking configuration is configured for an online responder, there are various setting options that are discussed below.

Continue reading „Übersicht über die Einstellungsmöglichkeiten für Sperrkonfigurationen des Onlineresponders (OCSP)“

The online responder (OCSP) reports "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE".

Assume the following scenario:

  • An online responder (OCSP) is configured on the network.
  • OCSP is enabled for a certificate authority and a revocation configuration is set up.
  • The management console for the online responder displays the following status for the revocation configuration:
Type: Microsoft CRL-based revocation status provider
The revocation provider failed with the current configuration. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE), 0x80092013
Continue reading „Der Onlineresponder (OCSP) meldet „The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE““

The online responder (OCSP) reports "The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND)".

Assume the following scenario:

  • An online responder (OCSP) is configured on the network.
  • OCSP is enabled for a certificate authority and a revocation configuration is set up.
  • The management console for the online responder displays the following status for the revocation configuration:
Type: Microsoft CRL-based revocation status provider
The revocation provider failed with the current configuration. The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND), 0x800710d8
Continue reading „Der Onlineresponder (OCSP) meldet „The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND)““

Revocation of an issued certificate fails with error message "The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)".

Assume the following scenario:

  • A certificate is revoked via the command line (certutil -revoke).
  • The operation fails with the following error message:
ICertAdmin::RevokeCertificate: The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
Continue reading „Der Widerruf eines ausgestellten Zertifikats schlägt fehl mit Fehlermeldung „The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)““

Treatment of expired certificates when issuing certificate revocation lists

By default, the Microsoft Certification Authority removes the serial numbers of expired certificates from the revocation lists it issues.

However, there are some exceptions to this.

Continue reading „Behandlung abgelaufener Zertifikate bei der Ausstellung von Zertifikatsperrlisten“

List of use cases for certificates that require specific Cryptographic Service Providers (CSP) or Key Storage Providers (KSP).

Windows Server 2008, along with NSA Suite B algorithms (also known as Cryptography Next Generation, CNG) with Key Storage Providers, introduced a new, modern interface for generating, storing, and using private keys in the Windows ecosystem.

In most cases, it does not matter which CSP or KSP is used for certificates. However, some applications will not work or will not work correctly if the wrong provider is chosen.

Below is a list of use cases I know of for certificates that only work with a specific Cryptographic Service Provider (CSP) or Key Storage Provider (KSP).

Continue reading „Liste der Use Cases für Zertifikate, die bestimmte Cryptographic Service Provider (CSP) oder Key Storage Provider (KSP) benötigen“

The certification authority service does not start and throws the error message "The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)".

Assume the following scenario:

  • A certification authority is installed.
  • The installation is successful, but the Certificate Authority service does not start after the installation.
  • When trying to start the Certificate Authority service from the Certificate Authority Management Console, you receive the following error message:
The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
The policy module for a CA is missing or incorrectly registered. To view or change policy module settings, right-click on the CA, click Properties, and then click the Policy Module tab.
Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)““

Inspect TLS traffic with Wireshark (decrypt HTTPS)

When troubleshooting, it can be very helpful to view encrypted SSL connections in order to inspect the messages within. There is a relatively simple way to do this with Wireshark.

Continue reading „TLS-Datenverkehr mit Wireshark inspizieren (HTTPS entschlüsseln)“

HTTP error code 403 when logging on to Internet Information Services (IIS) using client certificate after renewing web server certificate

Assume the following scenario:

  • A user or application accesses a web page or web application running on an Internet Information Services (IIS) web server.
  • The web server is configured to request a client certificate for the requested resource.
  • Although there is a valid client certificate on the client, the error code 403 Forbidden is returned immediately. The user is not prompted (when calling the page with a browser) to select a certificate.
  • The web server certificate was recently renewed and the IIS SSL binding was configured accordingly via the IIS Manager.
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
Continue reading „HTTP Fehlercode 403 bei Anmeldung mittels Client-Zertifikat an Internet Information Services (IIS) nach Erneuerung des Webserver-Zertifikats“

Certificate request fails with error message "The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)".

Assume the following scenario:

  • A user sends a certificate request to a certificate authority.
  • The certificate request fails with the following error message:
The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)
Denied by Policy Module
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)““

Microsoft Outlook: Find out recipient certificates for S/MIME encrypted mails

For troubleshooting e-mail messages encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME), the encrypted part of a message can be exported. See article "Microsoft Outlook: Extracting an encrypted S/MIME message from an email„.

To find out with which certificates a message has been encrypted, you can proceed as follows...

Continue reading „Microsoft Outlook: Empfänger-Zertifikate bei S/MIME verschlüsselten Mails herausfinden“

Microsoft Outlook: Extracting an encrypted S/MIME message from an email

The encrypted part of an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME) is always contained in a file called "smime.p7m" as an attachment to the mail.

Outlook does not display this attachment, but it can be analyzed using the free Microsoft MFCMAPI extracted from the e-mail.

Continue reading „Microsoft Outlook: Extrahieren einer verschlüsselten S/MIME Nachricht aus einer E-Mail“
en_USEnglish
de_DEDeutsch en_USEnglish