Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

  • A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
  • The Enroll on Behalf of (EOBO) mechanism is used.
  • The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

Signing certificates bypassing the certification authority

Time and again in discussions about the security of a certification authority, the claim comes up that abuse of the certification authority could be contained by its security settings.

However, it is not obvious at first glance that the integrity of a certification authority is directly tied to its key material and can therefore also be compromised through that key material.

One must think of the certification authority software as a kind of management layer around the key material. For example, the software provides an online interface for certificate enrollment, takes care of authenticating the enrollees, automates the signature operations (issuing certificates and revocation lists), and logs them (certification authority database, audit log, event log).

However, signature operations require nothing more than the private key of the certification authority. The following example shows how an attacker with access to the certification authority's private key can generate and issue certificates without the certification authority software and its security mechanisms being aware of this.

In the worst case, such a certificate could even be used to take over the Active Directory forest undetected.


Is there a dependency between the Network Device Enrollment Service (NDES) and the NTAuthCertificates object?

The Network Device Enrollment Service (NDES) has two registration authority certificates. The enrollment agent certificate is used to sign certificate requests, and the certificate template for NDES devices can be configured so that certificates are only issued if the submitted certificate requests carry a corresponding signature.

If you plan to remove the certification authority connected to NDES from the NTAuthCertificates object, the question may arise whether mutual dependencies need to be taken into account here, since Enroll on Behalf Of (EOBO) requires the presence of the certification authority certificate in NTAuthCertificates.

Details of the event with ID 94 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 94 (0x5E)
Event log: Application
Event type: Warning
Symbolic Name: MSG_CA_CERT_NO_AUTH_STORE
Event text (English): Active Directory Certificate Services %1 cannot open the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container.
Event text (German, translated): The certificate store under "CN=NTAuthCertificates,CN=Public Key Services,CN=Services" in the Active Directory configuration container cannot be opened by Active Directory Certificate Services %1.

Prevent smart card logon to the network

Installing Active Directory Certificate Services in the default configuration automatically configures the environment so that domain controllers accept smart card logons.

Therefore, if smart card logon is not desired, it makes sense to disable the functionality so that a compromised certification authority cannot jeopardize the Active Directory.

Editing the NTAuthCertificates object in Active Directory

In the default configuration, all certification authority certificates of Active Directory integrated certification authorities (Enterprise Certification Authority) are located in an object of type CertificationAuthority named NTAuthCertificates within the Configuration Partition of the Active Directory forest.


Requesting a certificate fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)".

Here's the scenario:

  • A user applies for a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The certificate of the certification authority is trusted, i.e. it is located in the Trusted Root Certification Authorities store.
  • The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)