Use HTTP over Transport Layer Security (HTTPS) for the revocation list distribution points (CDP) and the online responder (OCSP).

When designing the infrastructure that provides revocation information, i.e. the CRL Distribution Points (CDP) and the Online Responders (Online Certificate Status Protocol, OCSP), the question arises whether these should be "secured" via Secure Sockets Layer (SSL) or Transport Layer Security (TLS).


Should HTTPS be used for the Network Device Enrollment Service (NDES)?

The Network Device Enrollment Service (NDES) is Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP) developed by Cisco in the early 2000s. The first implementation was released with Windows Server 2003.

It may come as a surprise that, to this day, NDES does not use Secure Sockets Layer (SSL) for its HTTP connections in the default configuration. This fact is explained and evaluated in more detail below.


Literature and other resources about public key infrastructures and Active Directory Certificate Services

The following is an overview of literature available on the market on the subject of public key infrastructures and Active Directory Certificate Services, as well as online resources from Microsoft and other PKI specialists.


Certificate request basics via Certificate Enrollment Web Services (CEP, CES)

With Windows Server 2008 R2 and Windows 7, a new functionality for certificate enrollment was introduced: the Certificate Enrollment Web Services, which are implemented by two server roles:

  • Certificate Enrollment Policy Web Service (CEP)
  • Certificate Enrollment Web Service (CES)

The following is a description of the background to these roles, how they work, and the possible deployment scenarios.


Basics of manual and automatic certificate requests via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Component Object Model (RPC/DCOM) with the MS-WCCE protocol

The following describes the process that runs in the background when certificates are requested manually or automatically, with the aim of achieving the highest possible level of automation.


Public Key Infrastructures (PKI) basics

A public key infrastructure comprises all components (hardware, software, people and processes) required for the use of digital certificates. A PKI consists of one or more certification authorities (CA). The tasks of a PKI include:

  • Ensuring the authenticity of keys, i.e. establishing a traceable link between a key and its origin to prevent misuse.
  • Revocation of certificates, i.e., ensuring that decommissioned or compromised (e.g., stolen) keys can no longer be used.
  • Ensuring non-repudiation, i.e., the owner of a key cannot deny that it belongs to them.
  • Enforcement of policies, i.e. standardized procedures for the use of certificates.

Cryptography basics

The need for cryptography can be summarized as ensuring secure communication in the presence of untrusted third parties. The goals of cryptography are:

  1. To prevent data from falling into unauthorized hands (ensuring the confidentiality of the data).
  2. To detect whether data has been modified in transit (ensuring the integrity of the data).
  3. To identify the source of the data unambiguously (ensuring the authenticity of the data).
  4. Additionally, users or computers can authenticate themselves using cryptography.