Basics: Name Constraints

Name restrictions are a part of the X.509 standard and in the RFC 5280 described. They are a tool that can be used within the qualified subordination can be used to control the validity range of a certification authority certificate in a fine-grained manner.

Continue reading „Grundlagen: Namenseinschränkungen (Name Constraints)“

Token for CDP and AIA configuration of a certification authority

The following is an overview of the tokens for the CDP and AIA configuration of a certification authority.

Continue reading „Token für die CDP- und AIA- Konfiguration einer Zertifizierungsstelle“

Installing the role files for the certification authority

Since Windows Server 2008, the installation of the Certification Authority role consists of two steps:

  • Installing the role files. This step is described below.
  • Configuration of the Certification Authority role.
Continue reading „Installation der Rollen-Dateien für die Zertifizierungsstelle“

Description of the necessary configuration settings for the "Common PKI" certificate profile

The following is a description of what configuration settings are necessary for a certificate hierarchy based on Active Directory Certificate Services to be compliant with the "Common PKI" standard.

Continue reading „Beschreibung der notwendigen Konfigurationseinstellungen für das „Common PKI“ Zertifikatprofil“

Basics: Restricting Extended Key Usage (EKU) in Certification Authority Certificates

A useful hardening measure for Certification Authorities is to restrict the Certification Authority certificates so that they are only used for the actually issued extended key usage (Extended Key Usage) becomes familiar.

In the event of a compromise of the certification authority, the damage is then (at least) limited to the defined extended key usages.

The Smart Card Logon Extended Key Usage, which is of interest for many attacks (in conjunction with the certification authority's membership in NTAuthCertificates) would then only be present in the certification authority certificate of the certification authority that actually issues such certificates.

Continue reading „Grundlagen: Einschränken der erweiterten Schlüsselverwendung (Extended Key Usage, EKU) in Zertifizierungsstellen-Zertifikaten“

What key lengths should be used for certificate authorities and certificates?

When planning a public key infrastructure, the question naturally arises as to which key lengths should be selected for certification authority and end certificates.

Continue reading „Welche Schlüssellängen sollten für Zertifizierungsstellen und Zertifikate verwendet werden?“

When installing a new certificate authority certificate, you get the error message "The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)".

Assume the following scenario:

  • One installs a new certification authority certificate on the certification authority, either because the certification authority was newly installed, or because the certification authority certificate was renewed.
  • During the installation you get the following error message:
Cannot verify certificate chain. Do you wish to ignore the error and continue? The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
Continue reading „Bei der Installation eines neuen Zertifizierungsstellenzertifikats erhält man die Fehlermeldung „The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)““

Publishing a certificate revocation list (CRL) fails with the error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".

Assume the following scenario:

  • An attempt is made to publish a new certificate revocation list (CRL) on a certification authority
  • The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
  • Publishing the certificate revocation list fails with the following error message:
Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)
Continue reading „Die Veröffentlichtung einer Zertifikatsperrliste (CRL) schlägt fehl mit der Fehlermeldung „Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)““

Publishing a certificate revocation list (CRL) fails with the error message "Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)".

Assume the following scenario:

  • An attempt is made to publish a new certificate revocation list (CRL) on a certification authority.
  • The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
  • Publishing the certificate revocation list fails with the following error message:
Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)
Continue reading „Die Veröffentlichtung einer Zertifikatsperrliste (CRL) schlägt fehl mit der Fehlermeldung „Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)““

Removing ADCS-specific extensions from certificates

When using Active Directory Certificates, it is noticeable that there are certain extensions in the certificates of the certification authorities and the certificates they issue that are not defined in the relevant RFCs and are specific to AD CS.

Continue reading „Entfernen der ADCS-spezifischen Erweiterungen aus Zertifikaten“

Firewall rules required for Active Directory Certificate Services

Implementing an Active Directory integrated certification authority often requires planning the firewall rules to be created on the network. The following is a list of the required firewall rules and any pitfalls.

Continue reading „Benötigte Firewallregeln für Active Directory Certificate Services“

Description of the EDITF_ADDOLDKEYUSAGE flag

When installing a subordinate certificate authority, you may encounter the following behavior:

  • One requests a Key Usage extension that is marked as critical, for example, or does not include DigitalSignature.
  • However, the certificate issued by the parent certificate authority includes DigitalSignature, and the Key Usage extension is marked as non-critical.
  • The parent certification authority is a standalone certification authority, i.e. without Active Directory integration.
Continue reading „Beschreibung des Flags EDITF_ADDOLDKEYUSAGE“
en_USEnglish