Certificate request fails with error message "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Assume the following scenario:

  • A user sends a certificate request to a certificate authority.
  • The certificate request fails with the following error message:
      Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).
      Denied by Policy Module.

Windows Server Migration Matrix for the Certification Authority

At the latest when the end of product support by the manufacturer (Microsoft) approaches, the question arises as to how, and to which operating system, a certification authority should be migrated.


Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server

Often a certification authority lives significantly longer than the server on which it was installed. Reasons for migrating the certification authority to a new server, i.e. while retaining the data, can be:

  • Defect or end of life of the server hardware
  • End of life of the server operating system
  • Change of the server name

The procedure for migration is described in detail below.


End of product support by the manufacturer (Microsoft)

Each Windows Server operating system has a defined end date after which the manufacturer no longer provides product support. Certification authorities are also bound to this date and should therefore be migrated before it is reached.


Basics and risk assessment of delegation settings

Delegation is required whenever there is an intermediary between the user and the actual service. For the Certification Authority Web Enrollment, this is the case if it is installed on a separate server. It then acts as an intermediary between the applicant and the certification authority.


Performing a functional test for the Certificate Enrollment Policy Web Service (CEP)

After installing a Certificate Enrollment Policy Web Service (CEP), or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components are working as desired.


The certification authority service does not start and throws the error message "Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
      Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)

Configuration of security event monitoring (auditing settings) for certification authorities

In contrast to operational events, which are usually what is meant by the term "monitoring", auditing for the certification authority means configuring the logging of security-relevant events.


Standard auditing rules for Windows Server operating systems

Once a group policy with audit settings is active, the default auditing rules preconfigured with the operating system are turned off and only the explicitly configured audit settings are applied.


Checking the connection to the private key of a certificate (e.g. when using a hardware security module)

For a function test or during troubleshooting, it can be useful to check whether the private key of a certificate is usable. If the key is secured with a hardware security module (HSM), for example, there are significantly more dependencies and possibilities for errors than with a software key.


Perform functional test for a Certification Authority

After installing a certification authority, after migrating to a new server, or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components of the certification authority are working as desired.


Publish a certificate revocation list (CRL) to an Active Directory revocation list distribution point (CDP)

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

In some cases (for example, with an offline certificate authority, or if non-standard LDAP revocation list distribution points have been configured), the certificate revocation list must be manually published to Active Directory.


Create and publish a certificate revocation list

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

After a certificate has been revoked, a new revocation list must be created and published so that entities that check the revocation status are informed of the revocation. Since the revocation list has a relatively short expiration date, it must be reissued at regular intervals even if the content is not changed.


Revoking an issued certificate

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

When a certificate is revoked, its serial number is placed on the revocation list. Entities that check the revocation of a certificate then consider it to be no longer valid.


Required Windows security permissions for the Certificate Enrollment Web Service (CES)

If Microsoft's Active Directory Administrative Tiering Model, or similar hardening measures, are applied to the servers, this affects the CES components.
