| Field | Value |
|---|---|
| Event Source | Microsoft-Windows-CertificateServicesClient-CertEnroll |
| Event ID | 82 (0x825A0052) |
| Event log | Application |
| Event type | Warning |
| Event text (English) | Certificate enrollment for %1 failed in authentication to all urls for enrollment server associated with policy id: %2 (%4). Failed to enroll for template: %3 |
| Event text (German, translated) | Certificate registration error for %1 when authenticating for all URLs for the registration server associated with the following policy ID: %2 (%4). Error registering for template: %3 |
Certificate request fails with error message "A certificate issued by the certification authority cannot be installed. Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"
Assume the following scenario:
- A certificate is requested from a certification authority.
- The certificate is successfully issued by the Certification Authority.
- However, when installing the certificate on the target system, the following error message occurs:
A certificate issued by the certification authority cannot be installed. Contact your administrator. Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Requesting a certificate protected by a Trusted Platform Module (TPM) - without owning a TPM
Since Windows 8, private keys for certificates can be protected with a Trusted Platform Module (TPM), if one is available. This makes the key non-exportable - even with tools like mimikatz.
However, it is not obvious at first glance that there is no guarantee that a TPM was really used. Admittedly, no request via the Microsoft Management Console or AutoEnrollment is possible if the computer does not have a TPM.
However, the configuration in the certificate template is merely a default setting for the client. The certification authority does not explicitly check whether a Trusted Platform Module has actually been used when a request is submitted.
Thus - if the certificate request is made outside the MMC - arbitrary parameters can be used for the private key.
Requesting a certificate is not possible because the certificate template is not displayed. The error message is "Can not find a valid CSP in the local machine."
Assume the following scenario:
- A certificate is requested for a user or a computer from a certificate authority via the certificate management console (certlm.msc or certmgr.msc).
- Autoenrollment does not request a certificate from the desired certificate template, although it is enabled and the permissions are set accordingly.
- The desired certificate template is not displayed when applying manually via the Microsoft Management Console (MMC). If the "Show all templates" check box is selected, the following error message is displayed for the desired certificate template:
Cannot find object or property. Can not find a valid CSP in the local machine.
Configure a certificate template to use the Microsoft Platform Crypto Provider to enable private key protection through a Trusted Platform Module (TPM).
Since Windows 8, private keys for certificates can be protected with a Trusted Platform Module (TPM), if one is available. This ensures that the key is truly non-exportable.
The process for setting up a certificate template that uses a Trusted Platform module is described below.
Requesting a Trusted Platform Module (TPM) protected certificate fails with error message "The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)"
Assume the following scenario:
- A certificate template is configured to use the Microsoft Platform Crypto Provider, so the private key generated when the certificate is requested is protected with a Trusted Platform Module (TPM).
- However, the certificate request fails with the following error message:
An error occurred while enrolling for a certificate. A certificate request could not be created. Url: CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1 Error: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)
Google Chrome and Microsoft Edge do not check certificate revocation state
More and more companies are using the Google Chrome browser or the new Chromium-based Microsoft Edge (codename Anaheim).
When distributing one of these two browsers, it should be noted that they sometimes behave differently from other browsers with regard to certificates.
Besides the fact that Chromium, unlike Internet Explorer and the previous Edge (codename Spartan), enforces RFC 2818, it also behaves differently when checking revocation information.
Signing certificates bypassing the certification authority
Time and again in discussions about the security of a certification authority, it comes up that abuse of the certification authority could be contained by its security settings.
However, the fact that the integrity of a certification authority is directly tied to its key material and can therefore also be compromised by it is not obvious at first glance.
One must think of the certification authority software as a kind of management layer around the key material. For example, the software provides an online interface for certificate enrollment, takes care of authenticating the enrollees, performs the signature operations automatically (issuing certificates and revocation lists) and logs them (certification authority database, audit log, event log).
However, a signature operation requires nothing more than the private key of the certification authority. The following example shows how an attacker with access to the certification authority's private key can generate and issue certificates without the certification authority software and its security mechanisms being aware of it.
With such a certificate, it would even be possible in the worst case to take over the Active Directory forest undetected.
Moving the certification authority database to another directory or drive
In the operation of a certification authority, one may find that it is necessary to subsequently change the storage path for the certification authority database. For example, one may want to move the database to another partition/drive.
Microsoft Outlook: View which algorithm was used for an S/MIME encrypted or signed email
Below is a description of where it is possible to view which symmetric algorithm was used to encrypt an email received, and which hash algorithm was used for a signed email.
Microsoft Outlook: Control the encryption algorithm used for S/MIME
When S/MIME certificates are issued, they usually contain a certificate extension "S/MIME Capabilities". This certificate extension is specified in RFC 4262 and can be used by compatible e-mail programs to specify the symmetric algorithms supported by the recipient of an encrypted message. The sender should then choose the strongest algorithm supported by the recipient.
Microsoft Outlook uses (if available and required) the information in the "S/MIME Capabilities" extension of a certificate. Below is a description of how it is used and which algorithms are selected.
The "S/MIME Capabilities" certificate extension
When S/MIME certificates are issued, they usually contain a certificate extension "S/MIME Capabilities". This certificate extension is specified in RFC 4262 and can be used by compatible e-mail programs to specify the symmetric algorithms supported by the recipient of an encrypted message. The sender should then choose the strongest algorithm supported by the recipient.
Among other things, Microsoft Outlook evaluates this extension and uses it to determine the symmetric algorithm for an encrypted email.
Extend the "S/MIME Capabilities" certificate extension in issued certificates to include the Cryptography Next Generation (CNG) algorithms
When S/MIME certificates are issued, they usually contain a certificate extension "S/MIME Capabilities". This certificate extension is specified in RFC 4262 and can be used by compatible e-mail programs to specify the symmetric algorithms supported by the recipient of an encrypted message. The sender should then choose the strongest algorithm supported by the recipient.
However, if you take a look at the symmetric algorithms included in such a certificate, you will probably find that the list contains rather outdated algorithms - the "strongest" of these algorithms is Triple DES (3DES), which is now considered obsolete.
Use SSH (PuTTY) on Windows with a certificate / smart card
Secure administration of Linux systems includes avoiding SSH logins by password and instead logging in with RSA keys.
The de facto standard for SSH connections on Windows is PuTTY. Logon with RSA keys is implemented there, but only key files can be used, which has the disadvantage that they lie almost unprotected in the file system.
A much better option would be to use RSA keys from the Windows world, perhaps even stored on a physical or virtual smart card.
When installing an Active Directory integrated certificate authority, the error message "Insufficient access rights to perform the operation. 0x80072098 (Win32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)" appears.
Assume the following scenario:
- A certification authority (Enterprise Certification Authority) integrated into Active Directory is installed via Windows PowerShell.
- Delegated permissions are used to install the certificate authority. Thus, the installing user is not a member of the Enterprise Administrators group.
- After running the Role Configuration Wizard, one or more of the following error messages is displayed on the command line:
Setup could not add the Certification Authority's computer account to the Pre-Windows 2000 Compatible Access security group. Certificate managers Restrictions feature will not work correctly on this Certification Authority. To fix this, an administrator must manually add the Certification's Authority's computer account to the Pre-Windows 2000 Compatible Access security group in Active Directory. Insufficient access rights to perform the operation. 0x80072098 (Win32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)
Warning: Setup could not add the certification authority’s computer account to the cert Publishers Security Group. This Certification Authority will not be able to publish certificates in Active Directory. To fix this, an administrator must manually add the Certification Authority’s computer account to the Cert Publishers security group in Active Directory. Insufficient access rights to perform the operation. 0x80072098 (Win32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)