List of certificate use cases for which compatibility with elliptic curve (ECC)-based keys is known

As computing power becomes increasingly available, the need for stronger cryptographic keys increases as well. There is often a requirement (for example, because the keys have to be protected by a trusted platform module) to use keys based on elliptic curves (ECC). Before they are used, it is essential to ensure compatibility with the intended use cases.

Below is a list of use cases for which compatibility with ECC-based keys is known.

Limits of Microsoft Active Directory Certificate Services

Active Directory Certificate Services have existed (albeit under a different name) in their basic form since Windows NT 4.0. The architecture based on Active Directory used today was introduced with Windows 2000 Server. AD CS are very well integrated into the Windows ecosystem and continue to be very popular in enterprises and government agencies of all sizes worldwide.

People like to point out the many possibilities offered by Active Directory Certificate Services. Rarely, however, is any mention made of what is not possible with them. In the meantime, the product has also reached its limits in many places.

What these are will be explained in more detail below in order to better decide whether the AD CS can be the right solution for planned projects.

Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."

Assume the following scenario:

  • A Windows role concerning Active Directory Certificate Services (Certification Authority, Network Device Enrollment Service (NDES), Certificate Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP, CES), or Online Certificate Service Provider (OCSP)) is to be installed or uninstalled.
  • The installation or uninstallation fails with the following error message:
The status of the role services on the target machine cannot be determined. Please retry. The error is The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.

Classification of ADCS components in the Administrative Tiering Model

If, in addition to the Active Directory Certificate Services, the administrative tiering model is also implemented for the Active Directory directory service, the question arises as to how the individual PKI components are to be assigned to this model in order to be able to perform targeted security hardening.

Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with HTTP error code 401 "Unauthorized: Access is denied due to invalid credentials."

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The user's login to CAWE fails with HTTP code 401 "Unauthorized: Access is denied due to invalid credentials.":
You do not have permission to view this directory or page using the credentials that you supplied.

Requesting certificates via the Certificate Authority Web Enrollment (CAWE) fails with HTTP error code 403 "Forbidden: Access is denied."

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The user's login to CAWE fails with HTTP code 403 "Forbidden: Access is denied.":
You do not have permission to view this directory or page using the credentials that you supplied.

Requesting certificates via the Certificate Authority Web Enrollment (CAWE) fails with error message "No certificate templates could be found.", or the desired certificate template is not displayed

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to submit an existing certificate request to the certification authority via the certification authority web enrollment.
  • The desired certificate template is missing from the list of selectable certificate templates, or the list is completely empty.
  • If the list is empty, the following error message is also issued:
No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.

Performing a functional test of Certificate Authority Web Enrollment (CAWE)

After installing and configuring Certificate Authority Web Enrollment (CAWE), it is essential to test the component extensively before releasing it to users. Below are instructions for a detailed functional test.

Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with HTTP error code 500 "Internal Server error".

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The request takes a very long time and finally fails with HTTP code 500 "Internal server error":
There is a problem with the resource you are looking for, and it cannot be displayed.

Configure Certificate Authority Web Enrollment (CAWE) for use with a domain account

The following describes how to set up Certificate Authority Web Enrollment (CAWE) so that the service runs under a domain account.

Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "ERROR_ACCESS_DENIED".

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The request fails with the following error message:
Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.

In the details of the error message you will find the following note:

CCertRequest::Submit: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Configure Certificate Authority Web Enrollment (CAWE) for use with a Group Managed Service Account (gMSA)

For security reasons, it may make sense to operate the CAWE with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Windows security permissions required for Certificate Authority Web Enrollment (CAWE)

Assuming one implements Microsoft's Active Directory Administrative Tiering Model, or applies similar hardening measures to one's servers, this will impact Certificate Authority Web Enrollment (CAWE).

Enabling Secure Sockets Layer (SSL) for Certificate Authority Web Enrollment (CAWE)

In the default configuration, Certificate Authority Web Enrollment (CAWE) accepts only unencrypted connections via HTTP. It is recommended that the CAWE be configured for HTTP over TLS (HTTPS) to make network traffic interception more difficult. Instructions are provided below.