Change the Subject Alternative Name (SAN) of a certificate before it is issued - but do it securely!

In net circulate unfortunately much at many Instructions (also the big players are not excluded from this, not even Microsoft itself or the Grand Master Komar), which fatally recommend that the flag EDITF_ATTRIBUTESUBJECTALTNAME2 should be set on the certification authority - supposedly to be able to issue certificates with Subject Alternative Name (SAN) extension for manually submitted certificate requests.

Unfortunately, this procedure is not only unnecessary, it also has some unpleasant side effects, which in the worst case can help an attacker to take over the entire Active Directory structure.

Continue reading „Den Subject Alternative Name (SAN) eines Zertifikats vor dessen Ausstellung verändern – aber sicher!“

Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester."

  • A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
  • One uses here the Enroll on Behalf of (EOBO) Mechanism.
  • The certificate request fails with the following error message:
The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.
Continue reading „Die Beantragung eines Zertifikats über Enroll on Behalf of (EOBO) schlägt fehl mit der Fehlermeldung „The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.““

Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

  • A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
  • One uses here the Enroll on Behalf of (EOBO) Mechanism.
  • The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Continue reading „Die Beantragung eines Zertifikats über Enroll on Behalf of (EOBO) schlägt fehl mit der Fehlermeldung „A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)““

Requesting certificates via Enroll on Behalf of (EOBO) is not possible because the certificate template is not displayed. The error message is "The certificate template requires too many RA signatures."

Assume the following scenario:

  • A certificate is requested for a user or a computer from a certificate authority via the certificate management console (certlm.msc or certmgr.msc).
  • One uses here the Enroll on Behalf of (EOBO) Mechanism.
  • The desired certificate template is not displayed.
  • If you check the "Show all templates" checkbox, the following error message will be displayed for the desired certificate template:
The certificate template requires too many RA signatures. Only one RA signature is allowed. Multiple request agent signatures are not permitted on a certificate request.
Continue reading „Die Beantragung eines Zertifikats über Enroll on Behalf of (EOBO) ist nicht möglich, da die Zertifikatvorlage nicht angezeigt wird. Die Fehlermeldung lautet „The certificate template requires too many RA signatures.““

Network Device Enrollment Service (NDES) Basics

The Simple Certificate Enrollment Protocol (SCEP) was developed by Verisign for Cisco in the early 2000s to provide a simplified method for requesting certificates. Previously, network devices required manually generating a certificate request on each device, submitting it to a certificate authority, and then manually reinstalling the issued certificate on the corresponding device.

Continue reading „Grundlagen Registrierungsdienst für Netzwerkgeräte (Network Device Enrollment Service, NDES)“

Is there a dependency of the Network Devices Registration Service (NDES) with the NTAuthCertificates object?

The Network Device Registration Service (NDES) has two Registration Authority Certificates. With the enrollment agent certificate, certificate requests are signed and one can use the Configure NDES device template accordingly so that certificates are also only issued if the submitted certificate requests also have a corresponding signature..

Do you plan to use the Certification Authority connected to the NDES remove from the NTAuthCertificates objectThe question may arise as to whether mutual dependencies need to be taken into account here - after all, this requires Enroll on Behalf Of (EOBO) the presence of the certificate authority certificate in NTAuthCertificates.

Continue reading „Gibt es eine Abhängigkeit des Registrierungsdienstes für Netzwerkgeräte (NDES) mit dem NTAuthCertificates Objekt?“

Details of the event with ID 21 of the source Microsoft-Windows-CertificationAuthority

Event Source:Microsoft-Windows-CertificationAuthority
Event ID:21 (0x15)
Event log:Application
Event type:Error
Symbolic Name:MSG_E_PROCESS_REQUEST_FAILED
Event text (English):Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3.
Event text (German):The request %1 could not be executed due to an error: %2. The request was for %3.
Continue reading „Details zum Ereignis mit ID 21 der Quelle Microsoft-Windows-CertificationAuthority“

Details of the event with ID 22 of the source Microsoft-Windows-CertificationAuthority

Event Source:Microsoft-Windows-CertificationAuthority
Event ID:22 (0x16)
Event log:Application
Event type:Error
Symbolic Name:MSG_E_PROCESS_REQUEST_FAILED_WITH_INFO
Event text (English):Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. Additional information: %4
Event text (German):The request %1 could not be executed due to an error: %2. The request was for %3. More information: %4
Continue reading „Details zum Ereignis mit ID 22 der Quelle Microsoft-Windows-CertificationAuthority“
en_USEnglish