Author: Uwe Gradenegger

Restrict extended key usage (EKU) for imported root certification authority certificates

A useful hardening measure for Certification Authorities is to restrict the Certification Authority certificates so that they are only used for the actually issued extended key usage (Extended Key Usage) becomes familiar.

In the event of a compromise of the certification authority, the damage is then limited to these Extended Key Usages. The smart card logon extended key usage would then only be present in the certification authority certificate of the certification authority that actually issues such certificates.

Continue reading „Die erweiterte Schlüsselverwendung (Extended Key Usage, EKU) für importierte Stammzertifizierungstellen-Zertifikate einschränken“

Disabling the generation of cross-certification authority certificates on a root certification authority

Root certification authorities (root CA) generate so-called cross-certification authority certificates (cross signing) when the certification authority certificate is renewed.

Sometimes problems may occur in this process, as shown for example in the article "Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)"." described.

In such a case, one may want to stop the creation of the cross-certification authority certificates.

Continue reading „Deaktivieren der Erzeugung der Kreuzzertifizierungsstellen-Zertifikate auf einer Stammzertifizierungsstelle“

Use HTTP over Transport Layer Security (HTTPS) for the revocation list distribution points (CDP) and the online responder (OCSP).

With regard to the design of the infrastructure for providing revocation information - i.e. the CRL Distribution Points (CSP) as well as the Online Responders (Online Certificate Status Protocol, OCSP) - the question arises whether these should be "secured" via Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

Continue reading „Verwenden von HTTP über Transport Layer Security (HTTPS) für die Sperrlistenverteilungspunkte (CDP) und den Onlineresponder (OCSP)“

Umlauts in certification authority certificates

Internationalized Domain Names (IDNs) have been officially supported since Windows Server 2012 as part of the Certificate Authority and associated components.

However, if you want to use them in your certification authority certificates, there are some specifics to consider.

Continue reading „Umlaute in Zertifizierungsstellen-Zertifikaten“

Which Cryptographic Service Provider (CSP) should be used for the Network Device Enrollment Service (NDES)?

When configuring a certificate template for the Registration Authority (RA) certificates for the Network Device Enrollment Service (NDES), the question arises, especially when using Hardware Security Modules (HSM), which Cryptographic Service Provider (CSP) of the HSM manufacturer should be used.

Continue reading „Welcher Cryptographic Service Provider (CSP) sollte für den Registrierungsdienst für Netzwerkgeräte (NDES) verwendet werden?“

Requesting certificates through the Network Device Enrollment Service (NDES) fails with HTTP error code 503 and there are no entries in the Event Viewer

Assume the following scenario:

  • A network device enrollment service (NDES) is implemented in the network.
  • The NDES server uses a domain account or a Group Managed Service Account (gMSA) for the identity of the SCEP IIS application pool.
  • Requesting certificates via NDES fails with HTTP error code 503 (Server Unavailable).
  • Calling the mscep and mscep_admin pages also fails with HTTP error code 500.
  • Even after an iisreset or restart of the NDES server, no event appears after calling the mscep or mscsp_admin page that the NDES service has started or that there were errors.
Continue reading „Die Beantragung von Zertifikaten über den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt mit HTTP Fehlercode 503 fehl, und es gibt keine Einträge in der Ereignisanzeige“

What to consider when applying Microsoft Security Baselines?

In the context of hardening measures, it is a good idea to use the Microsoft published Microsoft Security Baselines to your own server landscape.

This will inevitably have an impact on PKI components. The following is an overview of the expected effects and countermeasures.

Continue reading „Was ist bei der Anwendungen der Microsoft Security Baselines zu beachten?“

Certificate Enrollment Policy Service does not display certificate templates configured for compatibility with Windows Server 2016 or Windows 10

There is a known bug in the Certificate Enrollment Policy Web Service (CEP) that causes certificate templates configured for compatibility with Windows Server 2016 or Windows 10 not to display.

Continue reading „Der Zertifikatregistrierungs-Richtliniendienst zeigt Zertifikatvorlagen, die auf Kompatibilität mit Windows Server 2016 oder Windows 10 konfiguriert sind, nicht an“

How are the compatibility settings for certificate templates technically mapped?

Since the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility for the certificate authority and certificate recipient when configuring a certificate template.

In the following, this function is described in more detail, as well as possible effects in practice.

Continue reading „Wie sind die Kompatibilitätseinstellungen für Zertifikatvorlagen technisch abgebildet?“

Overview of the availability of options when changing the compatibility settings of a certificate template

Since the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility for the certificate authority and certificate recipient when configuring a certificate template.

The following is an overview of which options become available in each case when the compatibility settings for the certificate authority and/or the certificate recipients are changed.

Continue reading „Übersicht über die Verfügbarkeit von Optionen bei Veränderung der Kompatibilitätseinstellungen einer Zertifikatvorlage“

Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message "Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)".

Assume the following scenario:

  • An attempt is made to request a certificate via Windows PowerShell using Certificate Enrollment Web Services.
  • The request fails with the following error message:
Get-Certificate : CX509EnrollmentPolicyWebService::LoadPolicy: Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)
Continue reading „Die Beantragung eines Zertifikats über die Zertifikatregistrierungs-Webdienste mittels Windows PowerShell schlägt fehlt mit Fehlermeldung „Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)““

Requesting certificates via Certificate Enrollment Web Services using Windows PowerShell fails with error message "Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

  • An attempt is made to request a certificate via Windows PowerShell using Certificate Enrollment Web Services. The name of the certificate template is included with the -Template argument.
  • The request fails with the following error message:
Get-Certificate : CertEnroll::CX509CertificateTemplates::get_ItemByName: Cannot find object or property. 0x80092004

(-2146885628 CRYPT_E_NOT_FOUND)
Continue reading „Die Beantragung eines Zertifikats über die Zertifikatregistrierungs-Webdienste mittels Windows PowerShell schlägt fehlt mit Fehlermeldung „Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““

Windows Defender detects certutil as malware (Win32/Ceprolad.A)

Assume the following scenario:

certutil -ping -kerberos -config "https://{Servername}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP" CEP

The certutil command is incorrectly detected by Windows Defender or Windows Defenter Advanced Threat Protection as Win32/Ceprolad.A.

Continue reading „Windows Defender erkennt certutil als Schadsoftware (Win32/Ceprolad.A)“

Required Windows security permissions for the Certificate Enrollment Policy Web Service (CEP)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will have an impact on the CEP components.

Continue reading „Benötigte Windows-Sicherheitsberechtigungen für den Certificate Enrollment Policy Web Service (CEP)“

Automatically change passwords for accounts that require login via smartcard or Windows Hello for Business

A new feature of Windows Server 2016 is that the passwords for accounts that have a plain Login with smartcards be automatically renewed according to the password light lines.

If the "Smart card is required for interactive logon" option is enabled for a user account, the password of the user account is set to a random value once. However, the password never changes after that, which makes the account more vulnerable to pass-the-hash attacks.

The newly introduced feature solves this problem by generating new randomly generated passwords for corresponding accounts on a regular basis (depending on the password policy configured for the account).

Continue reading „Automatisches Ändern der Passwörter für Konten, die eine Anmeldung via Smartcard oder Windows Hello for Business erfordern“
en_USEnglish
de_DEDeutsch en_USEnglish