List of certificate use cases for which compatibility with elliptic curve (ECC)-based keys is known

As computing power becomes increasingly available, the need to use stronger cryptographic keys also increases. Often there is a need (for example, because the keys have to be protected by a trusted platform module) to use elliptic curves (ECC) based keys to be used. For their use, it is essential that compatibility with the intended use cases is ensured.

Below is a list of use cases for which I am aware of compatibility.

Continue reading „Liste der Use Cases der Zertifikate, für welche die Kompatibilität zu auf elliptischen Kurven (ECC) basierenden Schlüsseln bekannt ist“

Basics: Authentication procedures for the Internet Information Services (IIS)

The Active Directory Certificate Services offer a number of web-based add-on interfaces (Network Device Registration Service (NDES), Certificate Enrollment Policy Web Service (CEP), Certificate Enrollment Web Service (CES), Certification Authority Web Enrollment (CAWE).

The Microsoft Internet Information Services (IIS) are thus almost indispensable for a Microsoft PKI. Each of the web-based interfaces (and also in-house developments) bring their own unique challenges in terms of authentication procedures and their implementation.

The following article should bring a little clarity to the topic.

Continue reading „Grundlagen: Authentisierungsverfahren für die Internet Information Services (IIS)“

Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)

With the May 10, 2022 patch, Microsoft is attempting to patch a vulnerability in the Active Directory in which the certificate-based enrollment (commonly known as PKINIT or also Smartcard Logon) to close.

The update changes both the behavior of the Certification Authority as well as the behavior of Active Directory when processing certificate-based logins.

Continue reading „Änderungen an der Zertifikatausstellung und an der zertifikatbasierten Anmeldung am Active Directory mit dem Patch für Windows Server vom 10. Mai 2022 (KB5014754)“

Using Microsoft Network Load Balancing (NLB) for Certificate Enrollment Web Services (CEP, CES)

It is generally a good idea to ensure the availability of the certificate enrollment Web services (Certificate Enrollment Policy Service, CEP, and Certificate Enrollment Web Service, CES) at all times.

The following describes how this can be achieved with the Windows feature "Network Load Balancing" (NLB).

Continue reading „Verwenden von Microsoft Network Load Balancing (NLB) für die Zertifikatregistrierungs-Webdienste (CEP, CES)“

Configure the Certificate Enrollment Web Service (CES) to work with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CES with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Continue reading „Den Certificate Enrollment Web Service (CES) für den Betrieb mit einem Group Managed Service Account (gMSA) konfigurieren“

Enabling Secure Sockets Layer (SSL) for Certificate Authority Web Enrollment (CAWE).

In the default configuration, Certificate Authority Web Enrollment (CAWE) accepts only unencrypted connections via HTTP. It is recommended that the CAWE be configured for HTTP over TLS (HTTPS) to make network traffic interception more difficult. Instructions are provided below.

Continue reading „Secure Sockets Layer (SSL) für die Zertifizierungsstellen-Webregistrierung (CAWE) aktivieren“

Installing a Certificate Enrollment Policy Web Service (CEP)

The following describes how to install the Certificate Enrollment Policy Web Service (CEP).

Continue reading „Installation eines Certificate Enrollment Policy Web Service (CEP)“

Configure the Certificate Enrollment Policy Web Service (CEP) to work with a domain account.

The following describes how to set up a Certificate Enrollment Policy Web Service (CEP) that the service runs under a domain account.

Continue reading „Den Certificate Enrollment Policy Web Service (CEP) für den Betrieb mit einem Domänenkonto konfigurieren“

Configure the Certificate Enrollment Policy Web Service (CEP) to work with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CEP with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Continue reading „Den Certificate Enrollment Policy Web Service (CEP) für den Betrieb mit einem Group Managed Service Account (gMSA) konfigurieren“

The Network Device Enrollment Service (NDES) administration web page (certsrv/mscep_admin) reports "You do not have sufficient permission to enroll with SCEP. Please contact your system administrator."

Assume the following scenario:

  • An NDES server is configured on the network.
  • When calling the administration web page (certsrv/mscep_admin) the following message appears:
You do not have sufficient permission to enroll with SCEP. Please contact your system administrator. 
Continue reading „Die Network Device Enrollment Service (NDES) Administrations-Webseite (certsrv/mscep_admin) meldet „You do not have sufficient permission to enroll with SCEP. Please contact your system administrator.““

Role configuration for Network Device Enrollment Service (NDES) fails with error message "CMSCEPSetup::Install: The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)".

Assume the following scenario:

  • One installs a Network Device Enrollment Service (NDES) server.
  • The role configuration fails with the following error message:
CMSCEPSetup::Install: The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)
Continue reading „Die Rollenkonfiguration für den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlermeldung „CMSCEPSetup::Install: The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)““

Enabling Secure Sockets Layer (SSL) for the Network Device Enrollment Service (NDES).

In the default configuration, the Network Device Enrollment Service (NDES) only accepts unencrypted connections via HTTP. It is recommended that at least the NDES administration web page be configured for HTTP over TLS (HTTPS) to make it difficult to capture network traffic. The following is a guide.

For a closer look at the need to use SSL, see the article "Should HTTPS be used for the Network Device Enrollment Service (NDES)?„.

Continue reading „Secure Sockets Layer (SSL) für den Registrierungsdienst für Netzwerkgeräte (NDES) aktivieren“

Use Microsoft Network Load Balancing (NLB) for revocation list distribution points (CDP), access to job information (AIA), and online responders (OCSP).

It is generally a good idea to ensure the availability of CRL Distribution Points (CDP), Authority Information Access (AIA), and if available, Online Responders (OCSP) at all times.

Access to the revocation information is even more critical than to the certificate authority itself. If the revocation status of a certificate cannot be checked, it is possible (depending on the application) that the certificate is not considered trustworthy and the associated IT service cannot be used.

Continue reading „Verwenden von Microsoft Network Load Balancing (NLB) für die Sperrlistenverteilungspunkte (CDP), den Zugriff auf Stelleninformationen (AIA) und Onlineresponder (OCSP)“

Transfer certificate revocation lists to revocation list distribution points using SSH Secure Copy (SCP) with public key authentication (Windows Server 2019).

If the servers providing the revocation list distribution points are located in a Demilitarized Zone (DMZ), for example, or data transfer via Server Message Block (SMB) is not possible for other reasons, the blacklists can be transferred to the distribution points using SSH Secure Copy (SCP). As of Windows Server 2019, the OpenSSH server and client packages are available. The following describes the setup with authentication via public keys (Public Key Authentication) instead of passwords as an example

Continue reading „Übertragen der Zertifikatsperrlisten auf die Sperrlistenverteilpunkte mit SSH Secure Copy (SCP) mit Authentifizierung über öffentliche Schlüssel (Windows Server 2019)“
en_USEnglish