The capolicy.inf contains basic settings that can or should be specified before installing a certificate authority. In simple terms, it can be said that no certificate authority should be installed without it.
Continue reading „Grundlagen: Konfigurationsdatei für die Zertifizierungsstelle (capolicy.inf)“Certificate request fails with error message "The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)."
Assume the following scenario:
- An attempt is made to request a certificate from a certificate authority (Enterprise CA) integrated into Active Directory for a user or computer.
- The certificate request fails with the following error message:
The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE).Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE).““
Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Your digital ID name cannot be found by the underlying security system" appears.
Assume the following scenario:
- A user receives an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).
- The message cannot be opened.
- When opening the message, the following error message is displayed:
Sorry, we're having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook. Your digital ID name cannot be found by the underlying security system.Continue reading „Microsoft Outlook: Mit S/MIME verschlüsselte E-Mails können nicht geöffnet werden. Es erscheint die Fehlermeldung „Your digital ID name cannot be found by the underlying security system.““
Microsoft Outlook: Correctly signed e-mails (S/MIME) are displayed as invalid after the signature certificate expires
Assume the following scenario:
- A user has received an email message in the past.
- The message was signed with an S/MIME certificate.
- The sender's signature certificate was issued by a certification authority that has been granted trust status with the recipient.
- Thus, the signature was recognized as valid at the time the message was received.
- The user opens the mail again some time later and finds that the signature is classified as invalid.
Basics: Enroll on Behalf of (EOBO)
The following is a description of the Enroll on Behalf Of function and how it differs from other methods of applying for certificates.
Continue reading „Grundlagen: Enroll on Behalf of (EOBO)“Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester."
- A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
- One uses here the Enroll on Behalf of (EOBO) Mechanism.
- The certificate request fails with the following error message:
The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.Continue reading „Die Beantragung eines Zertifikats über Enroll on Behalf of (EOBO) schlägt fehl mit der Fehlermeldung „The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.““
Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"
- A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
- One uses here the Enroll on Behalf of (EOBO) Mechanism.
- The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)Continue reading „Die Beantragung eines Zertifikats über Enroll on Behalf of (EOBO) schlägt fehl mit der Fehlermeldung „A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)““
Requesting certificates via Enroll on Behalf of (EOBO) is not possible because the certificate template is not displayed. The error message is "The certificate template requires too many RA signatures."
Assume the following scenario:
- A certificate is requested for a user or a computer from a certificate authority via the certificate management console (certlm.msc or certmgr.msc).
- One uses here the Enroll on Behalf of (EOBO) Mechanism.
- The desired certificate template is not displayed.
- If you check the "Show all templates" checkbox, the following error message will be displayed for the desired certificate template:
The certificate template requires too many RA signatures. Only one RA signature is allowed. Multiple request agent signatures are not permitted on a certificate request.Continue reading „Die Beantragung eines Zertifikats über Enroll on Behalf of (EOBO) ist nicht möglich, da die Zertifikatvorlage nicht angezeigt wird. Die Fehlermeldung lautet „The certificate template requires too many RA signatures.““
Basics: Path Length Constraint
The attack on the MD5 signature algorithm demonstrated in late 2008 could only be used to create a usable forged certification authority certificate because the attacked certification authority had not configured any path length restriction.
The limitation of the path length is defined in the RFC 5280 described. The idea behind this is that the maximum depth of the certification authority hierarchy is stored in the "Basic Constraints" extension of a certification authority certificate.
Continue reading „Grundlagen: Einschränkung der Pfadlänge (Path Length Constraint)“Create an exit module for the certification authority in C#
The Microsoft Certification Authority offers the possibility to create your own Policy and exit modules to develop to extend the functionality of the Certification Authority.
Below are the steps necessary to create an exit module in C# using Visual Studio 2019. The exit module will write issued certificates to a configurable directory in the file system.
Continue reading „Ein Exit Modul für die Zertifizierungsstelle in C# erstellen“Configuring the Trusted Platform Module (TPM) Key Attestation
Since Windows 8 it is possible, that private keys for certificates are protected with a - if available - Trusted Platform Module (TPM). This makes the key non-exportable - even with tools like mimikatz.
However, it is not obvious at first glance that it cannot be guaranteed that a TPM is really used. Although no application via Microsoft Management Console or AutoEnrollment possible if the computer does not have a TPM.
However, the configuration in the certificate template is only a default setting for the client. The certification authority will, when requesting do not explicitly check whether a Trusted Platform Module was really used.
To ensure that the private key of a certificate request has really been protected with a Trusted Platform Module, only the TPM Key Attestation remains.
Continue reading „Konfigurieren der Trusted Platform Module (TPM) Key Attestation“Manually requesting a web server certificate
There are cases in which you cannot or do not want to obtain web server certificates directly from a certification authority in your own Active Directory forest via the Microsoft Management Console, for example if the system in question is not a domain member.
In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).
Continue reading „Manuelle Beantragung eines Webserver-Zertifikats“Details of the event with ID 4 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll
| Event Source: | Microsoft-Windows-CertificateServicesClient-CertEnroll |
| Event ID: | 4 (0x425A0004) |
| Event log: | Application |
| Event type: | Information |
| Event text (English): | Certificate enrollment for %1 could not access local resources or retrieve %2 certificate template information (%3). Enrollment was not performed. |
| Event text (German): | Certificate enrollment for %1 could not access local resources or retrieve certificate template information for %2 (%3). No registration is performed. |
Details of the event with ID 13 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll
| Event Source: | Microsoft-Windows-CertificateServicesClient-CertEnroll |
| Event ID: | 13 (0xC25A000D) |
| Event log: | Application |
| Event type: | Error |
| Event text (English): | Certificate enrollment for %1 failed to enroll for a %2 certificate with request ID %4 from %3 (%5). |
| Event text (German): | The certificate enrollment for %1 failed to enroll for a certificate %2 with request ID %4 of %3 (%5). |
Details of the event with ID 57 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll
| Event Source: | Microsoft-Windows-CertificateServicesClient-CertEnroll |
| Event ID: | 57 (0x825A0039) |
| Event log: | Application |
| Event type: | Information, Warning and Error |
| Event text (English): | The "%2" provider was not loaded because initialization failed. |
| Event text (German): | The "%2" provider was not loaded due to an initialization error. |
English 
Deutsch