Automatic renewal of manually requested certificates without intervention of a certificate manager

Assume a use case in which users specify the identity to be contained in the certificate in their certificate request, so that issuance requires manual intervention by the certificate managers. The question then arises as to how to proceed when the certificates expire or the certificate template is moved to another certification authority, in order to minimize help desk tickets and thus the resulting work for the certificate managers.

Continue reading „Automatic renewal of manually requested certificates without intervention of a certificate manager“

Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Internal error." appears.

Assume the following scenario:

  • A user receives an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The message cannot be opened.
  • When opening the message, the following error message is displayed:
Unfortunately, there is a problem opening this item. This may be temporary. If this error occurs again, you should restart Outlook. Error in the underlying security system. Internal error.
Continue reading „Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Internal error." appears.“

S/MIME with the Outlook app for Apple iOS and Android only possible with devices managed via Intune

If you want to make S/MIME certificates available to your users on the smartphone as well, you may be surprised to discover that this is not possible with the Outlook app unless you also use Microsoft Intune as a management solution for the devices.

Microsoft has now clarified in the article "Sensitivity labeling and protection in Outlook for iOS and Android" that this is due to the respective system architecture.

Continue reading „S/MIME with the Outlook app for Apple iOS and Android only possible with devices managed via Intune“

From Zero to Enterprise Administrator through Network Device Enrollment Service (NDES) - and What to Do About It

In the following, I would like to present a highly dangerous PKI configuration that is perhaps not widely known, but which can probably be found quite frequently in corporate networks.

I show how, by exploiting various unfortunate circumstances in the Windows PKI, it is possible to elevate privileges from mere network access to complete Active Directory takeover.

The initial point of attack in this example is the Network Device Enrollment Service (NDES).

Continue reading „From Zero to Enterprise Administrator through Network Device Enrollment Service (NDES) - and What to Do About It“

What does the "Enable Certificate Privacy" option mean when exporting certificates?

With Windows Server 2016 and Windows 10, a new "Enable Certificate Privacy" option has been added to the export of certificates with private keys via the Microsoft Management Console (MMC).

When a certificate is exported together with its private key, it is written to a PKCS#12 (.PFX) file.

Continue reading „What does the "Enable Certificate Privacy" option mean when exporting certificates?“

Installation of a certification authority fails with error message "The Certification Authority is already installed."

Assume the following scenario:

  • A certification authority is installed.
  • An error occurred during installation that required a retry.
  • The certification authority role was uninstalled and then the role configuration was tried again.
  • The role configuration fails with the following error message:
The Certification Authority is already installed. If you are trying to reinstall the role service, you must first uninstall it.
Continue reading „Installation of a certification authority fails with error message "The Certification Authority is already installed."“

Google Chrome reports error code "ERR_SSL_PROTOCOL_ERROR" when accessing a web page

Assume the following scenario:

  • A web page is accessed using Google Chrome.
  • The connection setup fails with the following error message:
This website cannot provide a secure connection
test.intra.adcslabor.com has sent an invalid response.
Try to run the Windows network diagnostics.
ERR_SSL_PROTOCOL_ERROR
Continue reading „Google Chrome reports error code "ERR_SSL_PROTOCOL_ERROR" when accessing a web page“

Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."

Assume the following scenario:

  • A Windows role belonging to Active Directory Certificate Services (Certification Authority, Network Device Enrollment Service (NDES), Certificate Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP, CES), or Online Responder (OCSP)) is to be installed or uninstalled.
  • The installation or uninstallation fails with the following error message:
The status of the role services on the target machine cannot be determined. Please retry. The error is The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.
Continue reading „Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."“

Basics of online responders (Online Certificate Status Protocol, OCSP)

Certificates usually have a "CRL Distribution Points" extension that tells an application where the certificate's associated Certificate Revocation List (CRL) can be found.

This is like a telephone directory: it contains the serial numbers of all certificates that have been revoked by the certification authority (and whose validity period has not yet ended). Every application that checks the revocation status must download and evaluate the entire revocation list.

As the list grows, this procedure becomes increasingly inefficient. As a rule of thumb, 100,000 revoked certificates already correspond to a revocation list of approx. 5 MB.

The Online Certificate Status Protocol (OCSP) was developed for this purpose (under the leadership of ValiCert). It is similar to a directory assistance service: applications can request the revocation status of individual certificates, which eliminates the need to download the entire CRL. OCSP is specified in RFC 6960.

Continue reading „Basics of online responders (Online Certificate Status Protocol, OCSP)“

Overview of the setting options for revocation configurations of the online responder (OCSP)

If a revocation configuration is set up for an online responder, there are various setting options, which are discussed below.

Continue reading „Overview of the setting options for revocation configurations of the online responder (OCSP)“

The online responder (OCSP) reports "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)".

Assume the following scenario:

  • An online responder (OCSP) is configured on the network.
  • OCSP is enabled for a certificate authority and a revocation configuration is set up.
  • The management console for the online responder displays the following status for the revocation configuration:
Type: Microsoft CRL-based revocation status provider.
The revocation provider failed with the current configuration. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE), 0x80092013
Continue reading „The online responder (OCSP) reports "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)"“

The online responder (OCSP) reports "The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND)".

Assume the following scenario:

  • An online responder (OCSP) is configured on the network.
  • OCSP is enabled for a certificate authority and a revocation configuration is set up.
  • The management console for the online responder displays the following status for the revocation configuration:
Type: Microsoft CRL-based revocation status provider.
The revocation provider failed with the current configuration. The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND), 0x800710d8
Continue reading „The online responder (OCSP) reports "The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND)"“

Revocation of an issued certificate fails with error message "The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)".

Assume the following scenario:

  • A certificate is revoked via the command line (certutil -revoke).
  • The operation fails with the following error message:
ICertAdmin::RevokeCertificate: The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
Continue reading „Revocation of an issued certificate fails with error message "The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)"“

Treatment of expired certificates when issuing certificate revocation lists

By default, the Microsoft Certification Authority removes the serial numbers of expired certificates from the revocation lists it issues.

However, there are some exceptions to this.

Continue reading „Treatment of expired certificates when issuing certificate revocation lists“