To use the Online Certificate Status Protocol (OCSP), it is necessary to configure an appropriate certificate template.
Continue reading „Konfigurieren einer Zertifikatvorlage für Onlineresponder (OCSP) Antwortsignatur-Zertifikate“Category: Online Certificate Status Protocol (OCSP)
List of certificate use cases for which compatibility with elliptic curve (ECC)-based keys is known
As computing power becomes increasingly available, the need to use stronger cryptographic keys also increases. Often there is a need (for example, because the keys have to be protected by a trusted platform module) to use elliptic curves (ECC) based keys to be used. For their use, it is essential that compatibility with the intended use cases is ensured.
Below is a list of use cases for which I am aware of compatibility.
Continue reading „Liste der Use Cases der Zertifikate, für welche die Kompatibilität zu auf elliptischen Kurven (ECC) basierenden Schlüsseln bekannt ist“Limits of Microsoft Active Directory Certificate Services
Active Directory Certificate Services have existed (albeit under a different name) in their basic form since Windows NT 4.0. The architecture based on Active Directory used today was introduced with Windows 2000 Server. AD CS are very well integrated into the Windows ecosystem and continue to be very popular in enterprises and government agencies of all sizes worldwide.
People like to point out the many possibilities offered by Active Directory Certificate Services. Rarely, however, is reference made to what can be done with them. not is possible. In the meantime, the product has also reached its limits in many places.
What these are will be explained in more detail below in order to better decide whether the AD CS can be the right solution for planned projects.
Continue reading „Grenzen der Microsoft Active Directory Certificate Services“Certificate requests for the online responder (OCSP) fail sporadically with error message "The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)"
Assume the following scenario:
- An online responder (OCSP) is set up in the network.
- The certification authorities report at irregular intervals that certificate requests for the OCSP password signing certificates fail with the following error message:
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK).Continue reading „Zertifikatanforderungen für den Onlineresponder (OCSP) schlagen sporadisch fehl mit Fehlermeldung „The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)““
Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."
Assume the following scenario:
- A Windows role concerning Active Directory Certificate Services (Certification Authority, Network Device Enrollment Service (NDES), Certificate Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP, CES), or Online Certificate Service Provider (OCSP)) is to be installed or uninstalled.
- The installation or uninstallation fails with the following error message:
The status of the role services on the target machine cannot be determined. Please retry. The error is The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.Continue reading „Die Installation oder Deinstallation eines Windows-Features schlägt fehl mit Fehlermeldung „The service is configured to not accept any remote shell requests.““
Basics of online responders (Online Certificate Status Protocol, OCSP)
Certificates usually have a "CRL Distribution Points" extension that tells an application where the certificate's associated Certificate Revocation List (CRL) can be found.
This is like a telephone directory: It contains all the serial numbers of certificates that have been recalled by the certification authority (and are still valid). Every application that checks the revocation status must download and evaluate the entire revocation list.
As the size increases, this procedure becomes increasingly inefficient. As a rule of thumb, 100,000 recalled certificates already correspond to approx. 5 MB file size for the revocation list.
The Online Certificate Status Protocol (OCSP) was developed for this purpose (under the leadership of ValiCert): It is similar to a directory assistance service where applications can request the revocation status for individual certificates, thus eliminating the need to download the entire CRL. OCSP is available in the RFC 6960 specified.
Continue reading „Grundlagen Onlineresponder (Online Certificate Status Protocol, OCSP)“Overview of the setting options for blocking configurations of the online responder (OCSP).
If a blocking configuration is configured for an online responder, there are various setting options that are discussed below.
Continue reading „Übersicht über die Einstellungsmöglichkeiten für Sperrkonfigurationen des Onlineresponders (OCSP)“The online responder (OCSP) reports "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE".
Assume the following scenario:
- An online responder (OCSP) is configured on the network.
- OCSP is enabled for a certificate authority and a revocation configuration is set up.
- The management console for the online responder displays the following status for the revocation configuration:
Type: Microsoft CRL-based revocation status provider. The revocation provider failed with the current configuration. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE), 0x80092013Continue reading „Der Onlineresponder (OCSP) meldet „The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE““
The online responder (OCSP) reports "The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND)".
Assume the following scenario:
- An online responder (OCSP) is configured on the network.
- OCSP is enabled for a certificate authority and a revocation configuration is set up.
- The management console for the online responder displays the following status for the revocation configuration:
Type: Microsoft CRL-based revocation status provider. The revocation provider failed with the current configuration. The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND), 0x800710d8Continue reading „Der Onlineresponder (OCSP) meldet „The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND)““
List of use cases for certificates that require specific Cryptographic Service Providers (CSP) or Key Storage Providers (KSP).
Windows Server 2008, along with NSA Suite B algorithms (also known as Cryptography Next Generation, CNG) with Key Storage Providers, introduced a new, modern interface for generating, storing, and using private keys in the Windows ecosystem.
In most cases, it does not matter which CSP or KSP is used for certificates. However, some applications will not work or will not work correctly if the wrong provider is chosen.
Below is a list of use cases I know of for certificates that only work with a specific Cryptographic Service Provider (CSP) or Key Storage Provider (KSP).
Continue reading „Liste der Use Cases für Zertifikate, die bestimmte Cryptographic Service Provider (CSP) oder Key Storage Provider (KSP) benötigen“Lock check via online responder (OCSP) fails with HTTP error code 404 (HTTP_E_STATUS_NOT_FOUND)
Assume the following scenario:
- After installing an online responder (OCSP), setting up a revocation configuration and adjusting the certification authority or Configuring a group policy that forces clients to use the online responder, falls at the Function test that this nevertheless does not work.
- The OCSP address check reports HTTP status 404 (not found).
Force domain controller (or other participants) to use an online responder (OCSP)
By default, Windows systems, even if an online responder (OCSP) is configured, will be sent to a certain number of OCSP requests fall back to a (if available) brevocation list, because this is usually more efficient in such a case. However, this behavior is not always desired.
For example, if one uses smart card logins, one might want to know if Logins were executed with unauthorized issued certificates. In conjunction with the deterministic good of the online responder you can thus create an (almost) seamless Audit trail create for all smartcard logins.
Continue reading „Domänencontroller (oder andere Teilnehmer) zwingen, einen Onlineresponder (OCSP) zu verwenden“Configure the "Magic Number" for the online responder
Even if an online responder is present in the network and the certification authorities have entered its address in the Authority Information Access (AIA) extension of the issued certificates, it is not always guaranteed that the online responder is actually used.
One variable here is the "Magic Number", which is present on every Windows operating system. It causes the system to fall back to blacklists (if present) if requests are made too often via OCSP for the same certificate authority.
Continue reading „Die „Magic Number“ für den Onlineresponder konfigurieren“Overview of the audit events generated by the online responder (OCSP)
The following is an overview of the audit events generated by the online responder in the Windows Event Viewer.
In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.
Continue reading „Übersicht über die vom Onlineresponder (OCSP) generierten Audit-Ereignisse“Configure deterministic "good" for the online responder (OCSP).
In the default configuration, the online responder returns the status "Good" for requested certificates that do not appear on one of the configured revocation lists.
This can be problematic because the online responder has no knowledge of certificates issued by the certification authorities. If an attacker succeeds in issuing a certificate using the private key of the certification authority without their knowledge, this would not be detected by the online responder, and would also be reported in the Audit log show up as "Good".
Continue reading „Deterministisches „Good“ für den Onlineresponder (OCSP) konfigurieren“