Month: February 2020

The online responder (OCSP) requests new signature certificates every four hours

Assume the following scenario:

  • The online responders are configured to request signing certificates using a certificate template from an Active Directory integrated certificate authority.
  • The online responders apply for a new signature certificate at regular intervals (every four hours), even though the existing certificate is still valid for a sufficiently long time.
Continue reading „Der Onlineresponder (OCSP) beantragt alle vier Stunden neue Signaturzertifikate“

Transfer certificate revocation lists to revocation list distribution points using SSH Secure Copy (SCP) with public key authentication (Windows Server 2019).

If the servers providing the revocation list distribution points are located in a Demilitarized Zone (DMZ), for example, or data transfer via Server Message Block (SMB) is not possible for other reasons, the blacklists can be transferred to the distribution points using SSH Secure Copy (SCP). As of Windows Server 2019, the OpenSSH server and client packages are available. The following describes the setup with authentication via public keys (Public Key Authentication) instead of passwords as an example

Continue reading „Übertragen der Zertifikatsperrlisten auf die Sperrlistenverteilpunkte mit SSH Secure Copy (SCP) mit Authentifizierung über öffentliche Schlüssel (Windows Server 2019)“

Advanced queries against the certification authority database

The Certification Authority database stores much of the information about a Certification Authority's activities. Among other things, it contains information about:

  • Certificates issued
  • Revoked certificates
  • Published blacklists
  • Pending certificate requirements
  • Rejected certificate requests
  • Failed certificate requests

Viewing the contents of the certification authority database is usually done via the certification authority's management console (certsrv.msc), but the possibilities for evaluation and especially for machine processing are very limited.

Continue reading „Erweiterte Abfragen gegen die Zertifizierungsstellen-Datenbank“

Requesting a certificate fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)".

Here's the scenario:

  • A user applies for a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The certificate of the certification authority is trusted, i.e. it is located in the Trusted Root Certification Authorities store.
  • The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)““

Required Windows security permissions for the Network Device Enrollment Service (NDES)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will have an impact on NDES components.

Continue reading „Benötigte Windows-Sicherheitsberechtigungen für den Registrierungsdienst für Netzwerkgeräte (NDES)“

Requesting a certificate fails with the error message "The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).". When importing PFX files, the private key is missing.

Here's the scenario:

  • The import of a PFX file seems to be successful, but afterwards the private key is missing. A check with certutil ends with the error message "Missing stored keyset".
  • Requesting a certificate on a client fails with the following error message:
The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).“. Beim Import von PFX-Dateien fehlt der private Schlüssel.“

Requesting a certificate for domain controller fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)".

Here's the scenario:

  • Requesting a certificate for a domain controller fails.
  • On the certification authority, the certificate request is logged in the failed requests. The error message reads:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)
Continue reading „Die Beantragung eines Zertifikats für Domänencontroller schlägt fehl mit Fehlermeldung „The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)““

Incremental backups of the certification authority database fail with the error message "The database missed a previous full backup before incremental backup".

Assume the following scenario:

  • You use certutil.exe or the PowerShell commandlet Backup-CAService to back up your Active Directory Certificate Services database.
  • In addition to a full backup, you also perform regular incremental backups of the CA database.
  • The incremental backups fail with error message "The database missed a previous full backup before incremental backup".
Incremental database backup for...
 Backing up Log files: 0rtUtil: -backupDB command FAILED: 0xc8000230 (ESE: -560 JET_errMissingFullBackup)
 CertUtil: The database missed a previous full backup before incremental backup
Continue reading „Inkrementelle Sicherungen der Zertifizierungsstellen-Datenbank schlagen fehl mit der Fehlermeldung „The database missed a previous full backup before incremental backup““

Requesting a certificate fails with the error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."

Assume the following scenario:

  • You try to apply for a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • To do this, use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
  • However, the desired certificate template is not displayed for selection, even though it has been correctly published on the certification authority.
  • The logged-in user (or computer) also has the necessary permissions to request certificates from the certificate template in question (enroll).
  • In the list of available certificate templates within the MMC, all certificate templates are displayed. At the desired certificate template is written:
A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.““
en_USEnglish
de_DEDeutsch en_USEnglish