| Field | Value |
|---|---|
| Event Source | Microsoft Windows Kerberos Key Distribution Center |
| Event ID | 20 (0x80000014) |
| Event log | System |
| Event type | Warning |
| Event text (English) | The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data. |
| Event text (German, translated) | The currently selected KDC certificate was previously valid but is now invalid. No suitable replacement has been found. Smart card logon may not work properly if this issue is not resolved. Have the system administrator check the status of the domain's public key infrastructure (PKI). The chain status is included in the error data. |
Category: Certificate usage
Details of the event with ID 29 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Field | Value |
|---|---|
| Event Source | Microsoft Windows Kerberos Key Distribution Center |
| Event ID | 29 (0x8000001D) |
| Event log | System |
| Event type | Warning |
| Event text (English) | The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate. |
| Event text (German, translated) | The Key Distribution Center (KDC) cannot find a suitable certificate for smart card logins, or the KDC certificate could not be verified. Smart card logins may not work properly until this issue is resolved. To resolve this issue, either verify the existing KDC certificate using certutil.exe, or register for a new KDC certificate. |
Details of the event with ID 120 of the source Microsoft-Windows-Kerberos-Key-Distribution-Center
| Field | Value |
|---|---|
| Event Source | Microsoft Windows Kerberos Key Distribution Center |
| Event ID | 120 (0x78) |
| Event log | Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational |
| Event type | Error |
| Event text (English) | The Key Distribution Center (KDC) failed to validate its current KDC certificate. This KDC might not be enabled for smart card or certificate authentication. Kdc Certificate Information: Issuer Name: %1 Serial Number: %2 Thumbprint: %3 Template: %4 Kerberos Error: %5 Validation Error: %6 |
| Event text (German, translated) | The Key Distribution Center (KDC) could not verify the current KDC certificate. This KDC may not be able to be used for smart card or certificate authentication. KDC certificate information: Issuer name: %1 Serial number: %2 Fingerprint: %3 Template: %4 Kerberos error: %5 Verification error: %6 |
Configuring a Certificate Template for Domain Controllers
Even with a certificate template for domain controllers that is supposedly simple to configure, there are a few things to keep in mind.
Use the Online Responder (OCSP) with a SafeNet Hardware Security Module (HSM)
With the SafeNet Key Storage Provider it is not possible to set permissions on the private keys: the Microsoft Management Console (MMC) will crash.
Restrict extended key usage (EKU) for imported root certification authority certificates
A useful hardening measure for certification authorities is to restrict the certification authority certificates so that they are only trusted for the extended key usages (EKUs) that the respective certification authority actually issues.
In the event of a compromise of the certification authority, the damage is then limited to these extended key usages. The smart card logon extended key usage, for example, would then only be present in the certificate of the certification authority that actually issues such certificates.
Manually assigning a Remote Desktop (RDP) certificate
If a Remote Desktop certificate was requested manually, it must then be assigned to the Remote Desktop Session Host.
Manually requesting a Remote Desktop (RDP) certificate
There are cases in which you cannot or do not want to obtain Remote Desktop certificates from a certificate authority in your own Active Directory forest, for example, if the system in question is not a domain member.
In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).
Creation of a manual certificate request fails with error message "Expected INF file section name 0xe0000000"
Assume the following scenario:
- An information file for a manual certificate request is created.
- Creating the certificate request using the file fails with the following error message:
Expected INF file section name 0xe0000000 (INF: -536870912)
Send a manually created certificate request to a certification authority
If a certificate request exists in the form of a text file (usually with the extension .CSR or .REQ), for example after manual generation, it can be submitted to the certification authority using the built-in Windows tools.
Chrome and Safari limit SSL certificates to one year validity
Apple recently announced that the Safari browser will in future only accept certificates with a maximum validity of 398 days, provided they were issued on or after September 1, 2020.
Mozilla and Google want to implement comparable behavior in their browsers. So the question is whether this change will have an impact on internal certificate authorities, i.e. whether in future internal SSL certificates will also have to follow these rules, as was the case, for example, with Google's enforcement of RFC 2818.
More than one common name (CN) in the certificate
Nowadays more of a curiosity than really relevant in practice, but it does happen from time to time that you receive certificate requests containing more than one common name in the subject. Even though it may seem surprising, this is quite possible and also RFC compliant.
Checking the connection to the private key of a certificate (e.g. when using a hardware security module)
For a function test or during troubleshooting, it can be useful to check whether the private key of a certificate is usable. If the key is secured with a hardware security module (HSM), for example, there are significantly more dependencies and possibilities for errors than with a software key.
Planning of certificate validity and renewal period of end entity certificates with autoenrollment
If autoenrollment is used, participants apply for and renew certificates independently.
Regarding the validity of the certificates and the period for their automatic renewal, there are two values that can be configured in the General tab of a certificate template:
- Validity period: Describes the overall validity of the issued certificate.
- Renewal period: Describes the time window before the certificate's expiration date in which automatic renewal is attempted for the first time (e.g. 6 weeks before expiration).
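As an added example (not part of the original article), the following Python code decodes the two template settings above from the form in which Active Directory stores them (the attributes pKIExpirationPeriod and pKIOverlapPeriod, each an 8-byte little-endian signed integer holding a negative count of 100-nanosecond intervals), computes when autoenrollment first attempts renewal for a given NotAfter date, and flags implausible validity/renewal combinations. The 75% limit in check_template is assumed here to mirror the certificate template snap-in's constraint; the sample byte string is constructed.

```python
from datetime import datetime, timedelta

# pKIExpirationPeriod / pKIOverlapPeriod are stored as NEGATIVE 100-ns intervals.
TICKS_PER_SECOND = 10_000_000

# Constructed sample: the 8-byte value a template with "Validity period: 1 year" carries.
ONE_YEAR_RAW = b"\x00\x40\x39\x87\x2e\xe1\xfe\xff"


def decode_pki_period(raw: bytes) -> timedelta:
    """Turn a pKIExpirationPeriod/pKIOverlapPeriod attribute value into a timedelta."""
    if len(raw) != 8:
        raise ValueError("pKI*Period attributes are exactly 8 bytes long")
    ticks = int.from_bytes(raw, "little", signed=True)
    if ticks > 0:
        raise ValueError("period must be stored as a negative interval")
    return timedelta(seconds=-ticks / TICKS_PER_SECOND)


def encode_pki_period(period: timedelta) -> bytes:
    """Inverse of decode_pki_period, used to build test values."""
    ticks = int(period.total_seconds() * TICKS_PER_SECOND)
    return (-ticks).to_bytes(8, "little", signed=True)


def first_renewal_attempt(not_after: datetime, renewal: timedelta) -> datetime:
    """Earliest point at which autoenrollment tries to renew a certificate."""
    return not_after - renewal


def check_template(validity: timedelta, renewal: timedelta) -> list[str]:
    """Return findings for a validity/renewal combination (empty list means fine)."""
    findings = []
    if renewal >= validity:
        findings.append("renewal period is not shorter than the validity period")
    elif renewal > validity * 0.75:  # assumed snap-in rule: renewal <= 75% of validity
        findings.append("renewal period exceeds 75% of the validity period")
    if renewal < timedelta(days=7):
        findings.append("renewal window under one week leaves little slack for outages")
    return findings


if __name__ == "__main__":
    validity = decode_pki_period(ONE_YEAR_RAW)
    renewal = decode_pki_period(encode_pki_period(timedelta(weeks=6)))
    print("validity:", validity, "renewal:", renewal)
    print("first renewal attempt:", first_renewal_attempt(datetime(2024, 12, 31), renewal))
    print("findings:", check_template(validity, renewal) or "none")
```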
Certificates for domain controllers do not contain the domain name in the Subject Alternative Name (SAN)
Assume the following scenario:
- Certificates for domain controllers are issued by an Active Directory integrated certificate authority (Enterprise CA)
- The certificate template used for this purpose was created by the user
- The issued certificates contain in the Subject Alternative Name (SAN) only the fully qualified computer name of the respective domain controller, but not the fully qualified name and the NETBIOS name of the domain