Effects of the failure of the online responder (OCSP) on the verification of the revocation status of a certificate

The following section examines how the revocation status check behaves if the online responder should fail. Depending on the configuration of the certificates issued, the behavior can vary considerably.


Performing a functional test for the network device registration service (NDES)

After installing a Network Device Enrollment Service (NDES), or after more extensive maintenance, an extensive functional test should be performed to ensure that all components are operating as desired.


Configuring the Network Device Enrollment Service (NDES) for use with an alias

The following describes the steps required to configure the Network Device Enrollment Service (NDES) for use with an alias.

The term alias means that the service is not called with the name of the server on which it is installed, but with a generic name independent of this name. The use of an alias allows the service to be moved to another system at a later time without having to inform all participants of the new address.


Configuring the certificate authority to a static port (RPC endpoint)

In the default configuration, the certificate authority's certificate request interface is configured to negotiate dynamic ports for the incoming RPC/DCOM connections (for more details, see the article "Firewall rules required for Active Directory Certificate Services").

Network protocol   Destination port   Protocol
TCP                135                RPC Endpoint Mapper
TCP                49152-65535        RPC dynamic ports

This configuration is not feasible in every enterprise environment. Often there are restrictive firewall rules that do not allow the use of dynamic network ports.

In such a case, the certificate authority must be configured to a static port.


Querying the configured RPC endpoints of a certification authority

In the default configuration, the certificate authority's certificate request interface is configured to negotiate dynamic ports for the incoming RPC/DCOM connections (for more details, see the article "Firewall rules required for Active Directory Certificate Services").

However, it is also possible to configure the certificate authority to a static port (see the article "Configuring the certificate authority to a static port (RPC endpoint)").

The following describes how to check the current configuration of the certification authority.


Classification of ADCS components in the Administrative Tiering Model

If, in addition to the Active Directory Certificate Services, the administrative tiering model is also implemented for the Active Directory directory service, the question arises as to how the individual PKI components are to be assigned to this model in order to be able to perform targeted security hardening.


Manually requesting a Remote Desktop (RDP) certificate

There are cases in which you cannot or do not want to obtain Remote Desktop certificates from a certificate authority in your own Active Directory forest, for example, if the system in question is not a domain member.

In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).


Creation of a manual certificate request fails with error message "Expected INF file section name 0xe0000000"

Assume the following scenario:

  • An information file for a manual certificate request is created.
  • Creating the certificate request using the file fails with the following error message:
Expected INF file section name 0xe0000000 (INF: -536870912)

Send a manually created certificate request to a certification authority

If a certificate request exists in the form of a text file (usually with the extension .CSR or .REQ), for example after manual generation, it can be sent to the certification authority using built-in tools.


Certificate Enrollment Web Service (CES) request fails with error code "WS_E_ENDPOINT_FAULT_RECEIVED"

Assume the following scenario:

  • A Certificate Enrollment Web Service (CES) is implemented in the network.
  • A certificate request is sent to the CES.
  • The certificate request fails with the following error message:
A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)

Chrome and Safari limit SSL certificates to one year validity

Apple recently announced that the Safari browser will in future only accept certificates with a validity of 398 days, provided they were issued on or after September 1, 2020.

Mozilla and Google want to implement comparable behavior in their browsers. So the question is whether this change will have an impact on internal certificate authorities, i.e. whether in future internal SSL certificates will also have to follow these rules, as was the case, for example, with Google's enforcement of RFC 2818.


Literature and other resources about public key infrastructures and Active Directory Certificate Services

The following is an overview of literature available on the market on the subject of public key infrastructures and Active Directory Certificate Services, as well as online resources from Microsoft and other PKI specialists.


Performance problems with auditing of "Start and stop Active Directory Certificate Services"

When configuring the auditing settings of a certificate authority, it is tempting to select the "Start and Stop Active Directory Certificate Services" option. However, this option may cause problems in some circumstances.
