If one installs a Network Device Enrollment Service (NDES), one is faced with the question under which identity the IIS application pool should be operated. In the following, the individual options are examined in more detail in order to facilitate a selection.
Continue reading „Auswahl der Identität für den IIS Anwendungspool des Registrierungsdienstes für Netzwerkgeräte (NDES)“About the "Build this from Active Directory information" option for certificate templates
When configuring a certificate template, one must decide on the intended certificate content, i.e., among other things, which identities are confirmed by the certificates and how they are mapped.
In the "Subject Name" tab of the certificate template configuration dialog, you can configure how the identity confirmed by the certificate is mapped.
Continue reading „Zur Option „Build this from Active Directory information“ bei Zertifikatvorlagen“Verification of the domain controller certificates throws the error code ERROR_ACCESS_DENIED
Assume the following scenario:
- With certutil a verification of the domain controller certificates is performed.
- The operation fails with the following error message:
0: DC01 *** Testing DC[0]: DC01 Enterprise Root store: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED) KDC certificates: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED) CertUtil: -DCInfo command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED) CertUtil: Access is denied.Continue reading „Die Überprüfung der Domänencontroller-Zertifikate wirft den Fehlercode ERROR_ACCESS_DENIED“
Basics: Automatic Certificate Management Environment (ACME)
The ACME protocol was developed by the operators of the project Let's Encrypt designed to support the exhibition of Web server certificates to automate. It is specified in RFC 8555.
The goal is to make the process of proving ownership of the DNS resource (IP addresses cannot currently be identified, but this is planned in the future), but not of the person or organization behind it, in order to subsequently be able to obtain a web server certificate without human interaction.
Continue reading „Grundlagen: Automatic Certificate Management Environment (ACME)“Basics: Name Constraints
Name restrictions are a part of the X.509 standard and in the RFC 5280 described. They are a tool that can be used within the qualified subordination can be used to control the validity range of a certification authority certificate in a fine-grained manner.
Continue reading „Grundlagen: Namenseinschränkungen (Name Constraints)“It's time: Migrating the PKI components from Windows Server 2012 to a new operating system
At the turn of the year, a note to all operators of a Microsoft Certification Authority and connected services:
The End of product support from Microsoft for Windows Server 2012 and 2012 R2 is slowly approaching, it is the October 10, 2023.
Thus, it is time to prepare for the move to a new operating system.
Continue reading „Es wird Zeit: Migrieren der PKI Komponenten von Windows Server 2012 auf ein neues Betriebssystem“Requesting certificates with elliptic curve based keys fails when using Microsoft Platform Crypto Provider
Assume the following scenario:
- A certificate template is configured to elliptic curves based keys to be used.
- In addition, the certificate template is configured to use the Microsoft Platform Crypto Provider to use the private key with the Trusted Platform Module (TPM) of the device.
- The certificate request fails with the following error message:
Error: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)
On Windows Server 2016, the error message "No provider was specified for the store or object. 0x80092006 (-2146885626 CRYPT_E_NO_PROVIDER)" is issued with otherwise identical behavior.
Continue reading „Die Beantragung von Zertifikaten mit auf elliptischen Kurven basierenden Schlüsseln schlägt fehl, wenn der Microsoft Platform Crypto Provider verwendet wird“Basics: Elliptic curves with regard to their use in the public key infrastructure
With Windows Vista and Windows Server 2008, the Cryptography API: Next Generation (CNG) was introduced into the Windows systems.
This term refers to a collection of modern cryptographic functions. Among other things, the CNG enables the use of certificates that use keys based on elliptic curves (also called Elliptic Curve Cryptography, ECC) with the Microsoft Certification Authority and the Windows operating system.
Continue reading „Grundlagen: Elliptische Kurven in Hinsicht auf ihre Verwendung in der Public Key Infrastruktur“Microsoft Outlook: Signed e-mail messages are rejected by the receiving mail server with error message "Invalid S/MIME encrypted message."
Assume the following scenario:
- A user sends an e-mail message signed with Secure/Multipurpose Internet Mail Extensions (S/MIME).
- The sender uses Microsoft Outlook for Macintosh.
- The receiving mail server rejects the message and sends back a Non-Delivery Report (NDR):
550 5.6.0 M2MCVT.StorageError.Exception: ConversionFailedException - , Content conversion: Invalid S/MIME encrypted message.; storage error in content conversion.Continue reading „Microsoft Outlook: Signierte E-Mail Nachrichten werden vom empfangenden Mailserver abgelehnt mit Fehlermeldung „Invalid S/MIME encrypted message.““
What happens if a user has requested multiple certificates?
I recently encountered the phenomenon that due to a faulty request logic, several users had made new certificate requests at regular intervals.
The certificate template was configured to have incoming certificate requests released by a certificate manager, i.e. the certificates were not issued automatically. The certificate requests were to be checked by a separate code and then released.
One would now expect that (since all certificate requests would eventually be approved) users would now find multiple certificates of the same type in their certificate store (and the applications that use it). However, this was not the case.
Continue reading „Was passiert, wenn ein Benutzer mehrere Zertifikate beantragt hat?“It is not possible to create a certificate template. Error message "The following template name has already been used".
Assume the following scenario:
- A new certificate template is to be created.
- The creation fails with the following error message:
The following template name has already been used: ADCSLaboratoryUserTest. Enter a unique template name.Continue reading „Die Erzeugung einer Zertifikatvorlage ist nicht möglich. Fehlermeldung „The following template name has already been used““
Operating the Certification Authority without exit module
If a certification authority is installed, the "Windows Default" exit module is automatically activated. This enables e-mail messages to be sent when certain events occur at the certification authority. However, most companies do not use this feature at all.
But even if the exit module is not used at all, it causes sessions on the certification authority database (see Event no. 46). On Certification Authorities with high load this can be problematic.
If the functions it offers are not used at all (under Windows Server Core the "Windows Default" exit module basically does not work), it can also be disabled completely.
Continue reading „Betreiben der Zertifizierungsstelle ohne Exit Modul“Cause research: Snipping Tool and other components in Windows 11 no longer usable due to expired certificate
Today went through many Mediathat some apps and components in the recently released Windows 11 no longer work since 01.11.2021 and that the cause for this is a certificate that expired on 31.10.2021. In the meantime Microsoft has pointed out in a blogpost and also a patch for some affected components published.
Unfortunately, none of the available sources provided detailed information about what exactly the problem was. So let's get to the bottom of it ourselves.
Continue reading „Ursachenforschung: Snipping Tool und weitere Komponenten in Windows 11 wegen abgelaufenem Zertifikat nicht mehr benutzbar“The database schema of the Certification Authority database
Would you like to Queries against the Certification Authority database formulate, you must first know what you want to look for.
There is a possibility to output the database schema of the certification authority database.
Continue reading „Das Datenbankschema der Zertifizierungsstellen-Datenbank“Limits of Microsoft Active Directory Certificate Services
Active Directory Certificate Services have existed (albeit under a different name) in their basic form since Windows NT 4.0. The architecture based on Active Directory used today was introduced with Windows 2000 Server. AD CS are very well integrated into the Windows ecosystem and continue to be very popular in enterprises and government agencies of all sizes worldwide.
People like to point out the many possibilities offered by Active Directory Certificate Services. Rarely, however, is reference made to what can be done with them. not is possible. In the meantime, the product has also reached its limits in many places.
What these are will be explained in more detail below in order to better decide whether the AD CS can be the right solution for planned projects.
Continue reading „Grenzen der Microsoft Active Directory Certificate Services“
English 
Deutsch