In order to determine whether a certificate has been issued by a certification authority that has been classified as trustworthy, a trust chain must be formed. To do this, all certificates in the chain must be determined and checked. Microsoft CryptoAPI builds all possible certificate chains and returns those with the highest quality to the requesting application.
Continue reading „Grundlagen: Auffinden von Zertifikaten und Validierung des Zertifizierungspfades“Month: September 2020
Basics: Checking the revocation status of certificates
If a valid, unexpired certificate is to be withdrawn from circulation, it must be revoked. For this purpose, the certification authorities maintain corresponding revocation lists in which the digital fingerprints of the revoked certificates are listed. They must be queried during the validity check.
Continue reading „Grundlagen: Überprüfung des Sperrstatus von Zertifikaten“Use the Onlineresponder (OCSP) with a SafeNet Hardware Security Module (HSM)
With the SafeNet Key Storage Provider it is not possible to set permissions on the private keys: the Microsoft Management Console (MMC) will crash.
Continue reading „Den Onlineresponder (OCSP) mit einem SafeNet Hardware Security Module (HSM) verwenden“Restrict extended key usage (EKU) for imported root certification authority certificates
A useful hardening measure for Certification Authorities is to restrict the Certification Authority certificates so that they are only used for the actually issued extended key usage (Extended Key Usage) becomes familiar.
In the event of a compromise of the certification authority, the damage is then limited to these Extended Key Usages. The smart card logon extended key usage would then only be present in the certification authority certificate of the certification authority that actually issues such certificates.
Continue reading „Die erweiterte Schlüsselverwendung (Extended Key Usage, EKU) für importierte Stammzertifizierungstellen-Zertifikate einschränken“Disabling the generation of cross-certification authority certificates on a root certification authority
Root certification authorities (root CA) generate so-called cross-certification authority certificates (cross signing) when the certification authority certificate is renewed.
Sometimes problems may occur in this process, as shown for example in the article "Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)"." described.
In such a case, one may want to stop the creation of the cross-certification authority certificates.
Continue reading „Deaktivieren der Erzeugung der Kreuzzertifizierungsstellen-Zertifikate auf einer Stammzertifizierungsstelle“Use HTTP over Transport Layer Security (HTTPS) for the revocation list distribution points (CDP) and the online responder (OCSP).
With regard to the design of the infrastructure for providing revocation information - i.e. the CRL Distribution Points (CSP) as well as the Online Responders (Online Certificate Status Protocol, OCSP) - the question arises whether these should be "secured" via Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
Continue reading „Verwenden von HTTP über Transport Layer Security (HTTPS) für die Sperrlistenverteilungspunkte (CDP) und den Onlineresponder (OCSP)“Umlauts in certification authority certificates
Internationalized Domain Names (IDNs) have been officially supported since Windows Server 2012 as part of the Certificate Authority and associated components.
However, if you want to use them in your certification authority certificates, there are some specifics to consider.
Continue reading „Umlaute in Zertifizierungsstellen-Zertifikaten“