Change the Subject Alternative Name (SAN) of a certificate before it is issued - but do it securely!

Unfortunately, a great many instructions circulate on the net (the big players are not exempt from this either, not even Microsoft itself or Grand Master Komar) which fatally recommend setting the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the certification authority, supposedly so that certificates with a Subject Alternative Name (SAN) extension can be issued for manually submitted certificate requests.

Unfortunately, this procedure is not only unnecessary, it also has some unpleasant side effects, which in the worst case can help an attacker to take over the entire Active Directory structure.

Certificate request fails with error message "The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)".

Assume the following scenario:

  • A user sends a certificate request to a certificate authority.
  • The certificate request fails with the following error message:
The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)
Denied by Policy Module
Requesting certificates via Enroll on Behalf of (EOBO) is not possible because the certificate template is not displayed. The error message is "The certificate template requires too many RA signatures."

Assume the following scenario:

  • A certificate is requested for a user or a computer from a certificate authority via the certificate management console (certlm.msc or certmgr.msc).
  • The Enroll on Behalf of (EOBO) mechanism is used for this.
  • The desired certificate template is not displayed.
  • If you check the "Show all templates" checkbox, the following error message will be displayed for the desired certificate template:
The certificate template requires too many RA signatures. Only one RA signature is allowed. Multiple request agent signatures are not permitted on a certificate request.
Subsequently change the Subject Distinguished Name (DN) of a certificate request (CSR)

Sometimes it is necessary to change the Subject Distinguished Name (also called Subject, Subject DN or Applicant) of a certificate request before the certificate is issued.

Under certain circumstances, this is certainly possible, as described below.

Configuring the Network Device Enrollment Service (NDES) to work with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate NDES with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Renew the Registration Authority (RA) certificates for the Network Device Enrollment Service (NDES).

Once NDES has been in operation for some time (typically two years), one is faced with the challenge of renewing the Registration Authority (RA) certificates. Unfortunately, this process is not necessarily intuitive and is therefore described in more detail in this article.

Using custom Registration Authority (RA) certificate templates for the Network Device Enrollment Service (NDES).

The Network Device Enrollment Service (NDES) uses two certificate templates internally in order to act as a Registration Authority (RA). During role configuration of the NDES service, these are published on the configured certification authority and certificates are requested from them:

  • CEP Encryption
  • Exchange Enrollment Agent (Offline Request)

These certificate templates are standard templates from the Windows 2000 world (version 1 templates), i.e. they cannot be edited. In addition, the Exchange Enrollment Agent (Offline Request) template is marked as a user template, i.e. during NDES role configuration the certificate is requested in the context of the installing user and then imported into the machine store. At the latest when the certificates have to be renewed after two years, this becomes complicated.

It is therefore a good idea to use your own certificate templates for NDES. These can be adapted, for example with regard to their key length. Hardware security modules (HSM) can also be used this way, and even automatic renewal can be configured.
