Inspect a certificate request (CSR)

Often, before submitting a certificate request to a certification authority - or before issuing the certificate - you want to verify that it contains the desired values.

The following describes how to achieve this.

Continue reading "Inspect a certificate request (CSR)"

Subsequently change the Subject Distinguished Name (DN) of a certificate request (CSR)

Sometimes it is necessary to change the Subject Distinguished Name (also called Subject, Subject DN, or Applicant) of a certificate request before issuing the certificate.

Under certain circumstances this is possible, as described below.

Continue reading "Subsequently change the Subject Distinguished Name (DN) of a certificate request (CSR)"

Configuring a Certificate Template for Authentication Mechanism Assurance (AMA)

Authentication Mechanism Assurance (AMA) provides the ability to tie membership in a security group to enrollment with a smart card certificate containing a specific Object Identifier (OID).

If the user does not log in with the smartcard certificate but with user name and password, the user is not a member of the security group.

The following describes how to create a certificate template for use with Authentication Mechanism Assurance.

Continue reading "Configuring a Certificate Template for Authentication Mechanism Assurance (AMA)"

Include the wildcard issuance policy (All Issuance Policies) in a certification authority certificate

If you install an issuing CA and do not explicitly request an issuance policy, the resulting CA certificate will not contain an issuance policy.

If you want to include the wildcard issuance policy (All Issuance Policies) in the certification authority certificate, you must proceed as follows.

Continue reading "Include the wildcard issuance policy (All Issuance Policies) in a certification authority certificate"

Include the issuance policies for Trusted Platform (TPM) Key Attestation in a certification authority certificate

If you install an issuing CA and do not explicitly request an issuance policy, the resulting CA certificate does not contain an issuance policy.

If you want to include the issuance policies for Trusted Platform (TPM) Key Attestation in the certification authority certificate, you must proceed as follows.

Continue reading "Include the issuance policies for Trusted Platform (TPM) Key Attestation in a certification authority certificate"

Determine and export a Trusted Platform Module (TPM) Endorsement Certificate

If you want to use the Trusted Platform Module (TPM) key attestation, you have the option of attesting the TPM via the endorsement certificate (EkCert), among other things. The following describes how to obtain this information.

Continue reading "Determine and export a Trusted Platform Module (TPM) Endorsement Certificate"

Determine the checksum (hash) of a Trusted Platform (TPM) Endorsement Key

If you want to use the Trusted Platform Module (TPM) key attestation, you have the option of attesting the TPM via the endorsement key (EkPub), among other things. The following describes how to obtain this information.

Continue reading "Determine the checksum (hash) of a Trusted Platform (TPM) Endorsement Key"

Frequently Used Extended Key Usages and Issuance Policies

The following is a list of extended key usages and issuance policies that are commonly used in practice to constrain certification authority certificates.

Continue reading "Frequently Used Extended Key Usages and Issuance Policies"

Logon via smartcard fails with error message "The revocation status of the authentication certificate could not be determined."

Assume the following scenario:

  • A user has a Smartcard Logon certificate and logs on to the Active Directory domain with it.
  • The login fails. The following error message is returned on the user's computer:

    The revocation status of the authentication certificate could not be determined.

Continue reading "Logon via smartcard fails with error message "The revocation status of the authentication certificate could not be determined.""

Renew the Registration Authority (RA) certificates for the Network Device Enrollment Service (NDES)

Once NDES has been in operation for some time (typically two years), one is faced with the challenge of renewing the Registration Authority (RA) certificates. Unfortunately, this process is not particularly intuitive and is therefore described in more detail in this article.

Continue reading "Renew the Registration Authority (RA) certificates for the Network Device Enrollment Service (NDES)"

The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect."

Assume the following scenario:

  • An NDES server is configured on the network.
  • HTTP error 500 (Internal Server Error) is reported when accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin).
  • Events 2 and 10 are recorded in the application event log:

    The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.
    The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.

Continue reading "The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.""

Creating a virtual smart card in a Hyper-V guest system

For test environments, it is often helpful to be able to work with smartcards. Below is a brief guide on how to set up a virtual smartcard in a Hyper-V guest using a virtualized Trusted Platform Module (TPM).

Continue reading "Creating a virtual smart card in a Hyper-V guest system"

Domain Controller Certificate Templates and Smartcard Logon

In order for domain controllers to process smartcard logons, they need certificates that enable this function.

Continue reading "Domain Controller Certificate Templates and Smartcard Logon"

(Re-)Installing the Microsoft Standard Certificate Templates

There may be cases where it is necessary to install the standard Microsoft certificate templates before installing the first Active Directory integrated certificate authority (Enterprise Certification Authority), or to reinstall the templates, for example because they have been corrupted or otherwise modified.

Continue reading "(Re-)Installing the Microsoft Standard Certificate Templates"

Attack vector on Active Directory directory service via smartcard logon mechanism

In simple terms, public key cryptography can be reduced to the assumption that the private part of each key pair is known only to its owner.

A certification authority is responsible for the correct identification of users, computers or resources. The certificates it issues are trusted because all participants assume that the certification authority's private key is known only to the certification authority itself.

If an attacker succeeds in obtaining a certification authority's private key, or at least in creating signatures with that private key, the integrity of the certification authority is no longer guaranteed.

Continue reading "Attack vector on Active Directory directory service via smartcard logon mechanism"