Removing old certification authority certificates from the configuration of a certification authority

During the lifetime of a certification authority, certification authority certificates are renewed according to the planning for their life cycle. A new key pair can optionally be used here. The previous certification authority certificates expire or are revoked.

Expired certificate authority certificates can become a problem under certain circumstances if, for example, the associated private keys are stored on old hardware security modules (HSM) and these can only be migrated to new hardware with great difficulty.

In such a case, it may be useful to remove old certification authority certificates from the certification authority configuration.

Continue reading „Entfernen alter Zertifizierungsstellen-Zertifikate aus der Konfiguration einer Zertifizierungsstelle“

Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode

If you want to perform maintenance work such as Migration to another server or perform more extensive configuration changes requiring a functional test on a certification authority, you want to ensure that the certification authority service is running, but at the same time prevent certificates from being automatically requested from and issued by the certification authority during this phase.

Continue reading „Eine Active Directory integrierte Zertifizierungsstelle (Enterprise Certification Authority) in den Wartungsmodus versetzen“

Moving Network Device Enrollment Service (NDES) to another certification authority

Assume the following scenario:

  • There is one NDES instance installed on the network.
  • The Certification Authority issuing to NDES is to be changed.

The official statement on this is that NDES must be reinstalled and reconfigured in this case. However, this is not necessary. The necessary steps are described below.

Continue reading „Network Device Enrollment Service (NDES) auf eine andere Zertifizierungsstelle umziehen“

When installing a new certificate authority certificate, you get the error message "The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)".

Assume the following scenario:

  • One installs a new certification authority certificate on the certification authority, either because the certification authority was newly installed, or because the certification authority certificate was renewed.
  • During the installation you get the following error message:
Cannot verify certificate chain. Do you wish to ignore the error and continue? The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)
Continue reading „Bei der Installation eines neuen Zertifizierungsstellenzertifikats erhält man die Fehlermeldung „The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)““

Installing Remote Server Administration Tools for Active Directory Certificate Services on Windows 10 version 1809 and later

Since Windows 10 version 1809, the remote server management tools can no longer be found as a standalone download, but are part of Features on Demand.

Continue reading „Remoteserver-Verwaltungstools für Active Directory Certificate Services auf Windows 10 ab Version 1809 installieren“

Compacting (defragmenting) the certification authority database

Sometimes it happens that the database of the certification authority becomes extremely large. Perhaps a large number of certificate requests have arrived unnoticed and have been rejected, or perhaps there are many certificates in the database that have been issued twice. After the corresponding entries have been deleted from the Certification Authority database, the space now gained must (can) still be freed by compacting this in the server's file system.

Continue reading „Kompaktieren (Defragmentieren) der Zertifizierungsstellen-Datenbank“

Viewing the certificate authority database revocation list table

By default, the certification authority stores all revocation lists that have not yet expired in the certification authority database.

Under certain circumstances, e.g. due to a misconfigured script, a large number of blacklists are stored in the database in this way, which can lead to a corresponding growth of the database (e.g. if large blacklists are recreated very often).

Continue reading „Einsicht in die Sperrlisten-Tabelle der Zertifizierungsstellen-Datenbank“
en_USEnglish