Certificate request fails with error message "The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)".

Assume the following scenario:

  • A certificate is requested from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The request fails with the following error message:

An error occurred while enrolling for a certificate.
The certificate request could not be submitted to the certification authority.
Url: CA02.intra.adcslabor.de\ADCS Lab Issuing CA 1
Error: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)

Automatic renewal of manually requested certificates without intervention of a certificate manager

Assume a use case for certificates in which users specify the identity contained in the certificate themselves in the certificate request, so that every request requires manual intervention by the certificate managers. The question then arises as to how to proceed when these certificates expire, or when the certificate template is moved to another certification authority, so that tickets at the help desk, and thus the resulting work for the certificate managers, are kept to a minimum.


Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Internal error." appears.

Assume the following scenario:

  • A user receives an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The message cannot be opened.
  • When opening the message, the following error message is displayed:

Unfortunately, there is a problem opening this item. This may be temporary. If this error occurs again, you should restart Outlook. Error in the underlying security system. Internal error.

S/MIME with the Outlook app for Apple iOS and Android only possible with devices managed via Intune

If you want to make S/MIME certificates available to your users on the smartphone as well, you may be surprised to discover that this is not possible with the Outlook app unless you also use Microsoft Intune as a management solution for the devices.

Microsoft has now clarified in the article "Sensitivity labeling and protection in Outlook for iOS and Android" that this is due to the respective system architecture.


What does the "Enable Certificate Privacy" option mean when exporting certificates?

With Windows Server 2016 and Windows 10, a new "Enable Certificate Privacy" option was introduced for exporting certificates together with their private keys via the Microsoft Management Console (MMC).

When a certificate is exported together with its private key, it is written to a PKCS#12 (.PFX) file.


Google Chrome reports error code "ERR_SSL_PROTOCOL_ERROR" when calling a web page

Assume the following scenario:

  • A web page is accessed using Google Chrome.
  • The connection setup fails with the following error message:

This website cannot provide a secure connection
test.intra.adcslabor.com has sent an invalid response.
Try to run the Windows network diagnostics.
ERR_SSL_PROTOCOL_ERROR

Treatment of expired certificates when issuing certificate revocation lists

By default, the Microsoft Certification Authority removes the serial numbers of expired certificates from the revocation lists it issues.

However, there are some exceptions to this.


List of use cases for certificates that require specific Cryptographic Service Providers (CSP) or Key Storage Providers (KSP).

With Windows Server 2008, the NSA Suite B algorithms (also known as Cryptography Next Generation, CNG) and the accompanying Key Storage Providers introduced a new, modern interface for generating, storing, and using private keys in the Windows ecosystem.

In most cases, it does not matter which CSP or KSP is used for certificates. However, some applications will not work or will not work correctly if the wrong provider is chosen.

Below is a list of use cases I know of for certificates that only work with a specific Cryptographic Service Provider (CSP) or Key Storage Provider (KSP).


Inspect TLS traffic with Wireshark (decrypt HTTPS)

When troubleshooting, it can be very helpful to look inside encrypted SSL/TLS connections in order to inspect the messages exchanged within them. There is a relatively simple way to do this with Wireshark.


HTTP error code 403 when logging on to Internet Information Services (IIS) using client certificate after renewing web server certificate

Assume the following scenario:

  • A user or application accesses a web page or web application running on an Internet Information Services (IIS) web server.
  • The web server is configured to request a client certificate for the requested resource.
  • Although there is a valid client certificate on the client, the error code 403 Forbidden is returned immediately. The user is not prompted (when calling the page with a browser) to select a certificate.
  • The web server certificate was recently renewed and the IIS SSL binding was configured accordingly via the IIS Manager.

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

Certificate request fails with error message "The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)".

Assume the following scenario:

  • A user sends a certificate request to a certificate authority.
  • The certificate request fails with the following error message:

The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)
Denied by Policy Module

Microsoft Outlook: Find out recipient certificates for S/MIME encrypted mails

For troubleshooting e-mail messages encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME), the encrypted part of a message can be exported. See the article "Microsoft Outlook: Extracting an encrypted S/MIME message from an email".

To find out with which certificates a message has been encrypted, you can proceed as follows...


Microsoft Outlook: Extracting an encrypted S/MIME message from an email

The encrypted part of an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME) is always contained in a file called "smime.p7m" as an attachment to the mail.

Outlook does not display this attachment, but it can be extracted from the e-mail using the free Microsoft tool MFCMAPI and then analyzed.


Certificate request fails with error message "The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)."

Assume the following scenario:

  • An attempt is made to request a certificate from a certificate authority (Enterprise CA) integrated into Active Directory for a user or computer.
  • The certificate request fails with the following error message:

The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE).