Use Microsoft Network Load Balancing (NLB) for revocation list distribution points (CDP), access to job information (AIA), and online responders (OCSP).

It is generally a good idea to ensure the availability of CRL Distribution Points (CDP), Authority Information Access (AIA), and if available, Online Responders (OCSP) at all times.

Access to the revocation information is even more critical than to the certificate authority itself. If the revocation status of a certificate cannot be checked, it is possible (depending on the application) that the certificate is not considered trustworthy and the associated IT service cannot be used.

Continue reading „Verwenden von Microsoft Network Load Balancing (NLB) für die Sperrlistenverteilungspunkte (CDP), den Zugriff auf Stelleninformationen (AIA) und Onlineresponder (OCSP)“

Combining the SMTP Exit Module with a local SMTP server for increased resilience

Assume the following scenario:

  • The certification authority is configured to send e-mail notifications about the events on the certification authority only using the SMTP Exit module.
  • The configured SMTP server is not always reliably accessible, for example, because it is not designed to be highly available.
  • If the SMTP server fails, the certificate authority will operate very slowly because the email notifications cannot be delivered. In some circumstances, the certificate authority service will no longer start.
Continue reading „Kombinieren des SMTP Exit Moduls mit einem lokalen SMTP-Server für erhöhte Ausfallsicherheit“

Disabling the SMTP Exit Module of a Certification Authority

Assume the following scenario:

  • The certification authority is configured to send e-mail notifications about the events on the certification authority only using the SMTP Exit module.
  • The configured SMTP server is unreachable, for example due to a failure.

In this case, the exit module cannot deliver the email notifications. It will time out and the certificate authority will work very slowly.

Continue reading „Deaktivieren des SMTP Exit-Moduls einer Zertifizierungsstelle“

The online responder (OCSP) requests new signature certificates every four hours

Assume the following scenario:

  • The online responders are configured to request signing certificates using a certificate template from an Active Directory integrated certificate authority.
  • The online responders apply for a new signature certificate at regular intervals (every four hours), even though the existing certificate is still valid for a sufficiently long time.
Continue reading „Der Onlineresponder (OCSP) beantragt alle vier Stunden neue Signaturzertifikate“

Transfer certificate revocation lists to revocation list distribution points using SSH Secure Copy (SCP) with public key authentication (Windows Server 2019).

If the servers providing the revocation list distribution points are located in a Demilitarized Zone (DMZ), for example, or data transfer via Server Message Block (SMB) is not possible for other reasons, the blacklists can be transferred to the distribution points using SSH Secure Copy (SCP). As of Windows Server 2019, the OpenSSH server and client packages are available. The following describes the setup with authentication via public keys (Public Key Authentication) instead of passwords as an example

Continue reading „Übertragen der Zertifikatsperrlisten auf die Sperrlistenverteilpunkte mit SSH Secure Copy (SCP) mit Authentifizierung über öffentliche Schlüssel (Windows Server 2019)“

Advanced queries against the certification authority database

The Certification Authority database stores much of the information about a Certification Authority's activities. Among other things, it contains information about:

  • Certificates issued
  • Revoked certificates
  • Published blacklists
  • Pending certificate requirements
  • Rejected certificate requests
  • Failed certificate requests

Viewing the contents of the certification authority database is usually done via the certification authority's management console (certsrv.msc), but the possibilities for evaluation and especially for machine processing are very limited.

Continue reading „Erweiterte Abfragen gegen die Zertifizierungsstellen-Datenbank“

Requesting a certificate fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)".

Here's the scenario:

  • A user applies for a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The certificate of the certification authority is trusted, i.e. it is located in the Trusted Root Certification Authorities store.
  • The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)““

Required Windows security permissions for the Network Device Enrollment Service (NDES)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will have an impact on NDES components.

Continue reading „Benötigte Windows-Sicherheitsberechtigungen für den Registrierungsdienst für Netzwerkgeräte (NDES)“

Requesting a certificate fails with the error message "The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).". When importing PFX files, the private key is missing.

Here's the scenario:

  • The import of a PFX file seems to be successful, but afterwards the private key is missing. A check with certutil ends with the error message "Missing stored keyset".
  • Requesting a certificate on a client fails with the following error message:
The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).“. Beim Import von PFX-Dateien fehlt der private Schlüssel.“

Requesting a certificate for domain controller fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)".

Here's the scenario:

  • Requesting a certificate for a domain controller fails.
  • On the certification authority, the certificate request is logged in the failed requests. The error message reads:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
Continue reading „Die Beantragung eines Zertifikats für Domänencontroller schlägt fehl mit Fehlermeldung „The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)““

Incremental backups of the certification authority database fail with the error message "The database missed a previous full backup before incremental backup".

Assume the following scenario:

  • You use certutil.exe or the PowerShell commandlet Backup-CAService to back up your Active Directory Certificate Services database.
  • In addition to a full backup, you also perform regular incremental backups of the CA database.
  • The incremental backups fail with error message "The database missed a previous full backup before incremental backup".
Incremental database backup for…
 Backing up Log files: 0%CertUtil: -backupDB command FAILED: 0xc8000230 (ESE: -560 JET_errMissingFullBackup)
 CertUtil: The database missed a previous full backup before incremental backup
Continue reading „Inkrementelle Sicherungen der Zertifizierungsstellen-Datenbank schlagen fehl mit der Fehlermeldung „The database missed a previous full backup before incremental backup““

Requesting a certificate fails with the error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."

Assume the following scenario:

  • You try to apply for a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • To do this, use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
  • However, the desired certificate template is not displayed for selection, even though it has been correctly published on the certification authority.
  • The logged-in user (or computer) also has the necessary permissions to request certificates from the certificate template in question (enroll).
  • In the list of available certificate templates within the MMC, all certificate templates are displayed. At the desired certificate template is written:
A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.““

Certificate Enrollment Policy creation for Certificate Enrollment Policy Web Service (CEP) fails with error code "WS_E_ENDPOINT_NOT_FOUND".

Assume the following scenario:

  • A Certificate Enrollment Policy Web Service (CEP) is implemented in the network.
  • An enrollment policy is configured.
  • Testing the connection fails with the following error message:
Certificate Request Processor: The remote endpoint does not exist or could not be located. 0x803d000d (-2143485939 WS_E_ENDPOINT_NOT_FOUND)
Continue reading „Die Erstellung einer Zertifikatregistrierungsrichtlinie (Enrollment Policy) für den Certificate Enrollment Policy Web Service (CEP) schlägt fehl mit dem Fehlercode „WS_E_ENDPOINT_NOT_FOUND““
en_USEnglish
de_DEDeutsch en_USEnglish