Publish a certificate revocation list (CRL) to an Active Directory revocation list distribution point (CDP).

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

In some cases (for example, with an offline certificate authority, or if non-standard LDAP revocation list distribution points have been configured), the certificate revocation list must be manually published to Active Directory.

Continue reading „Veröffentlichen einer Zertifikatsperrliste (CRL) auf einem Active Directory Sperrlistenverteilungspunkt (CDP)“

Create and publish a certificate revocation list

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

After a certificate has been revoked, a new revocation list must be created and published so that entities that check the revocation status are informed of the revocation. Since the revocation list has a relatively short expiration date, it must be reissued at regular intervals even if the content is not changed.

Continue reading „Erstellen und Veröffentlichen einer Zertifikatsperrliste“

Revoking an issued certificate

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

When a certificate is revoked, its serial number is placed on the revocation list. Entities that check the revocation of a certificate then consider it to be no longer valid.

Continue reading „Widerrufen eines ausgestellten Zertifikats“

Required Windows security permissions for the Certificate Enrollment Web Service (CES)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will impact the CES components.

Continue reading „Benötigte Windows-Sicherheitsberechtigungen für den Zertifikatregistrierungs-Webdienst (CES)“

Configure the Certificate Enrollment Web Service (CES) to work with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CES with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Continue reading „Den Certificate Enrollment Web Service (CES) für den Betrieb mit einem Group Managed Service Account (gMSA) konfigurieren“

Planning of certificate validity and renewal period of end entity certificates with autoenrollment

If autoenrollment is used, participants apply for and renew certificates independently.

Regarding the validity of the certificates and the period for their automatic renewal, there are two values that can be configured in the General tab of a certificate template:

  • Validity period: Describes the overall validity of the issued certificate.
  • Renewal period: Describes from which time window, viewed backwards from the expiration date of the certificate, automatic renewal is attempted for the first time (e.g. 6 weeks before expiration).
Continue reading „Planung von Zertifikat-Gültigkeit und Erneuerungs-Zeitraum von End-Entitäts-Zertifikaten mit Autoenrollment“

Certificates for domain controllers do not contain the domain name in the Subject Alternative Name (SAN)

Assume the following scenario:

  • Certificates for domain controllers are issued by an Active Directory integrated certificate authority (Enterprise CA)
  • The certificate template used for this purpose was created by the user
  • The issued certificates contain in the Subject Alternative Name (SAN) only the fully qualified computer name of the respective domain controller, but not the fully qualified name and the NETBIOS name of the domain
Continue reading „Zertifikate für Domänencontroller enthalten nicht den Domänennamen im Subject Alternative Name (SAN)“

Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)".

Assume the following scenario:

  • A Certification Authority certificate is requested from a Certification Authority
  • The certificate request fails with the following error message:
The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)
Denied by Policy Module
Continue reading „Die Beantragung eines Zertifizierungsstellen-Zertifikats schlägt fehl mit Fehlermeldung „The certification authority’s certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)““

Configure Path Length Constraint for Certificates Issued by a Certification Authority

For stronger control over the certificates that can be issued by a certification authority, a path length constraint can be set up so that certification authorities above a defined hierarchy level are no longer able to issue subordinate certification authority certificates

For an explanation of how the path length constraint works, see the article "Basics: Path Length Constraint"..

Continue reading „Einschränkung der Pfadlänge (Path Length Constraint) für von einer Zertifizierungsstelle ausgestellte Zertifikate konfigurieren“

Identify the active Remote Desktop (RDP) certificate

If one has a Remote Desktop Certificate Template and a appropriate group guidelines configured, or manually assigned a remote desktop certificateYou may want to verify that the certificates on the participating computers are being used correctly by the Remote Desktop session host.

Continue reading „Identifizieren des aktiven Remotedesktop (RDP) Zertifikats“

Configuring a Group Policy (GPO) for Remote Desktop (RDP) Certificates

After configuring a certificate template for the distribution of Remote Desktop certificates (see the article "Configuring a Certificate Template for Remote Desktop (RDP) Certificates"), a group policy is still required that instructs the participating computers to also use the certificates originating from the template.

Continue reading „Konfigurieren einer Gruppenrichtlinie (GPO) für Remotedesktop (RDP) Zertifikate“

If a certification authority certificate has been revoked, a revocation list is no longer issued for the certification authority certificate

Assume the following scenario:

  • A certification authority has multiple certification authority certificates.
  • More than one certificate authority certificate uses the same private key because, for example, the certificate authority certificate was renewed with the same key pair.
  • If one of these certification authority certificates is revoked, the certification authority will also no longer issue revocation lists for the other certification authority certificates that use the same key.
Continue reading „Wenn ein Zertifizierungsstellen-Zertifikat widerrufen wurde, wird keine Sperrliste mehr für das Zertifizierungsstellen-Zertifikat ausgestellt“

Restoring a certification authority from backup

The following describes how to restore a certification authority from backup. In addition to the disaster case, this procedure is also part of the Migration of a certification authority to a new server.

Continue reading „Wiederherstellung einer Zertifizierungsstelle aus der Sicherung (Backup)“

Installing the role files for the certification authority

Since Windows Server 2008, the installation of the Certification Authority role consists of two steps:

  • Installing the role files. This step is described below.
  • Configuration of the Certification Authority role.
Continue reading „Installation der Rollen-Dateien für die Zertifizierungsstelle“
en_USEnglish
de_DEDeutsch en_USEnglish