Category: Certificate usage

What impact does incorrect revocation information of a certification authority certificate have on the certification authority?

The following describes the effects on certification authority operation if the revocation information for one of the certification authority's certificates cannot be retrieved.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.

Continue reading „Welchen Einfluss haben fehlerhafte Sperrinformationen eines Zertifizierungsstellen-Zertifikats auf die Zertifizierungsstelle?“

What impact does the revocation of the trust status of a root certification authority certificate have on the certification authority?

The following describes the impact on certification authority operations if one of the root certification authority certificates from which one of the certification authority certificates is derived has its trust status revoked, or never had it.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.

Continue reading „Welchen Einfluss hat der Entzug des Vertrauensstatus eines Stammzertifizierungsstellen-Zertifikats auf die Zertifizierungsstelle?“

The certification authority service does not start and throws the error message "A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)
Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)““

Certificate request fails with error message "The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)".

Assume the following scenario:

  • A user requests a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority)
  • The certificate request fails with the following error message:
The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)““

Certificate request fails with error message "Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)".

Assume the following scenario:

  • A user requests a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The certificate template is set up for archiving private keys.
  • The certificate request fails with the following error message:
Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)““

Description of the necessary configuration settings for the "Common PKI" certificate profile

The following is a description of what configuration settings are necessary for a certificate hierarchy based on Active Directory Certificate Services to be compliant with the "Common PKI" standard.

Continue reading „Beschreibung der notwendigen Konfigurationseinstellungen für das „Common PKI“ Zertifikatprofil“

Enabling Secure Sockets Layer (SSL) for Certificate Authority Web Enrollment (CAWE).

In the default configuration, Certificate Authority Web Enrollment (CAWE) accepts only unencrypted connections via HTTP. It is recommended that the CAWE be configured for HTTP over TLS (HTTPS) to make network traffic interception more difficult. Instructions are provided below.

Continue reading „Secure Sockets Layer (SSL) für die Zertifizierungsstellen-Webregistrierung (CAWE) aktivieren“

Use Authentication Mechanism Assurance (AMA) to secure administrative account logins.

Authentication Mechanism Assurance (AMA) is a feature designed to ensure that a user is a member of a security group only if they can be shown to have logged in using a strong authentication method (i.e., a smart card). If the user logs in via username and password instead, he or she will not have access to the requested resources.

Originally intended for access to file servers, however, AMA can also be used (with some restrictions) for administrative logon. Thus, for example, it would be conceivable for a user to be unprivileged when logging in with a username and password, and to have administrative rights when logging in with a certificate.

Continue reading „Verwenden von Authentication Mechanism Assurance (AMA) für die Absicherung der Anmeldung administrativer Konten“

Signing in via smart card fails with error message "Signing in with a security device isn't supported for your account."

Assume the following scenario:

  • A user has a Smartcard Logon certificate and logs on to the Active Directory domain with it.
  • The login fails. The following error message is returned to the user's computer:
Signing in with a security device isn't supported for your account. For more info, contact your administrator.
Continue reading „Die Anmeldung via Smartcard schlägt fehl mit Fehlermeldung „Signing in with a security device isn’t supported for your account.““

Deleting a Manually Configured Certificate Request Policy (Enrollment Policy)

When working with Certificate Enrollment Web Services and manually entering certificate enrollment policies on client computers, one encounters the phenomenon that there is no way to edit or delete them in the Certificate Management Console.

Continue reading „Löschen einer manuell konfigurierten Zertifikatbeantragungs-Richtlinie (Enrollment Policy)“

Basics of manual and automatic certificate requests via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM) with the MS-WCCE protocol

The following describes the process that runs in the background when certificates are requested manually or automatically in order to achieve the highest possible level of automation.

Continue reading „Grundlagen manuelle und automatische Zertifikatbeantragung über Lightweight Directory Access Protocol (LDAP) und Remote Procedure Call / Distributed Common Object Model (RPC/DCOM) mit dem MS-WCCE Protokoll“

Manually running the autoenrollment process

By default, all domain members automatically replicate the Public Key Services object he Active Directory forest through the autoenrollment process. The triggers for this are:

  • When the user logs in (for computers, when the computer account logs in, i.e. at system startup).
  • By timer every 8 hours.
  • When updating group policies, assuming there has been a change.

If you do not want to wait for the autoenrollment to be triggered automatically, you can start it manually. The different ways to run the autoenrollment process are described below.

Continue reading „Manuelles Ausführen des Autoenrollment Prozesses“

Associate a universal security group with an Object Identifier (OID) in the Active Directory directory service (Authentication Mechanism Assurance).

Authentication Mechanism Assurance (AMA) provides the ability to tie membership in a security group to enrollment with a smart card certificate containing a specific Object Identifier (OID).

If the user does not log in with the smartcard certificate, but with user name and password, he is also not a member of the security group.

The following describes how to establish the connection between the certificate and the security group.

Continue reading „Eine universelle Sicherheitsgruppe mit einem Object Identifier (OID) im Active Directory Verzeichnisdienst verbinden (Authentication Mechanism Assurance)“

Configuring a Secure Socket Layer (SSL) Certificate Template for Web Server

Below is a guide to configuring a web server template with recommended settings.

Continue reading „Konfigurieren einer Secure Socket Layer (SSL) Zertifikatvorlage für Web Server“

Allowed Relative Distinguished Names (RDNs) in the Subject of Issued Certificates

In principle, the RFC 5280 the use of arbitrary strings in the subject string of a certificate. Common fields in the standard are X.520 described. The Length restrictions are also recommended by the ITU-T. The abbreviations commonly used today are mainly taken from the RFC 4519.

However, Microsoft Active Directory Certificate Services only allows certain RDNs by default.

The following Relative Distinguished Names (RDNs) are accepted by the Active Directory Certificate Services (ADCS) certificate authority by default:

Continue reading „Erlaubte Relative Distinguished Names (RDNs) im Subject Distinguished Name (DN) ausgestellter Zertifikate“
en_USEnglish
de_DEDeutsch en_USEnglish