Use of undefined Relative Distinguished Names (RDN) in issued certificates

Sometimes it is necessary to allow Relative Distinguished Names (RDNs) in issued certificates that are not defined and accordingly not included in the SubjectTemplate value of the certification authority registration could be configured.

An example of this is the Organization Identifier with Object Identifier 2.5.4.97, which is required, for example, for certificates that are used for the eIDAS Regulation are compliant.

Continue reading „Verwenden von nicht definierten Relative Distinguished Names (RDN) in ausgestellten Zertifikaten“

Change the order of the Relative Distinguished Names (RDNs) in the subject of issued certificates.

The Microsoft Certification Authority accepts subjects from certificate requests for templates in which their specification by the requester is allowed, not 1:1 in the issued certificate.

Instead, both is defined, which Relative Distinguished Names (RDNs) are allowedas well as in which order they are written to issued certificates. However, this order can be changed. How this is done is explained below.

Continue reading „Die Reihenfolge der Relative Distinguished Names (RDNs) im Subject Distinguished Name (DN) ausgestellter Zertifikate ändern“

Details of the event with ID 19 of the source Microsoft-Windows-CertificationAuthority

Event Source:Microsoft-Windows-CertificationAuthority
Event ID:19 (0x13)
Event log:Application
Event type:Error
Symbolic Name:MSG_E_REG_BAD_SUBJECT_TEMPLATE
Event text (English):Active Directory Certificate Services did not start: The Subject Name Template string in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%1\SubjectTemplate is invalid. An example of a valid string is: CommonName OrganizationalUnit Organization Locality State Country
Event text (German):Active Directory certificate services were not started: The applicant name template string in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%1\SubjectTemplate registry entry is invalid. An example of a valid entry is: CommonName OrganizationalUnit Organization Locality State Country
Continue reading „Details zum Ereignis mit ID 19 der Quelle Microsoft-Windows-CertificationAuthority“

Allowed Relative Distinguished Names (RDNs) in the Subject of Issued Certificates

In principle, the RFC 5280 the use of arbitrary strings in the subject string of a certificate. Common fields in the standard are X.520 described. The Length restrictions are also recommended by the ITU-T. The abbreviations commonly used today are mainly taken from the RFC 4519.

However, Microsoft Active Directory Certificate Services only allows certain RDNs by default.

The following Relative Distinguished Names (RDNs) are accepted by the Active Directory Certificate Services (ADCS) certificate authority by default:

Continue reading „Erlaubte Relative Distinguished Names (RDNs) im Subject Distinguished Name (DN) ausgestellter Zertifikate“

Installing the Network Device Enrollment Service (NDES) without Enterprise Administrator permissions

Assume the following scenario:

  • One installs a Network Device Enrollment Service (NDES) server.
  • The role configuration fails with the following error message:
Insufficient access rights to perform this operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS

Typically, the NDES roll configuration requires, that the installing user is a member of the Enterprise Admins group. However, this is not technically necessary and contradicts Microsoft's security hardening recommendations, since NDES is not (necessarily) a system that is assigned to the highest security layer (Tier-0).

Below is a way to configure the NDES role even without the required permissions.

Continue reading „Den Registrierungsdienst für Netzwerkgeräte (NDES) ohne Enterprise Administrator Berechtigungen installieren“
en_USEnglish