Category: Certificate usage

Basics: Automatic Certificate Management Environment (ACME)

The ACME protocol was developed by the operators of the project Let's Encrypt designed to support the exhibition of Web server certificates to automate. It is specified in RFC 8555.

The goal is to make the process of proving ownership of the DNS resource (IP addresses cannot currently be identified, but this is planned in the future), but not of the person or organization behind it, in order to subsequently be able to obtain a web server certificate without human interaction.

Continue reading „Grundlagen: Automatic Certificate Management Environment (ACME)“

Requesting certificates with elliptic curve based keys fails when using Microsoft Platform Crypto Provider

Assume the following scenario:

Error: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)

On Windows Server 2016, the error message "No provider was specified for the store or object. 0x80092006 (-2146885626 CRYPT_E_NO_PROVIDER)" is issued with otherwise identical behavior.

Continue reading „Die Beantragung von Zertifikaten mit auf elliptischen Kurven basierenden Schlüsseln schlägt fehl, wenn der Microsoft Platform Crypto Provider verwendet wird“

Basics: Elliptic curves with regard to their use in the public key infrastructure

With Windows Vista and Windows Server 2008, the Cryptography API: Next Generation (CNG) was introduced into the Windows systems.

This term refers to a collection of modern cryptographic functions. Among other things, the CNG enables the use of certificates that use keys based on elliptic curves (also called Elliptic Curve Cryptography, ECC) with the Microsoft Certification Authority and the Windows operating system.

Continue reading „Grundlagen: Elliptische Kurven in Hinsicht auf ihre Verwendung in der Public Key Infrastruktur“

Microsoft Outlook: Signed e-mail messages are rejected by the receiving mail server with error message "Invalid S/MIME encrypted message."

Assume the following scenario:

  • A user sends an e-mail message signed with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The sender uses Microsoft Outlook for Macintosh.
  • The receiving mail server rejects the message and sends back a Non-Delivery Report (NDR):
550 5.6.0 M2MCVT.StorageError.Exception: ConversionFailedException - , Content conversion: Invalid S/MIME encrypted message.; storage error in content conversion.
Continue reading „Microsoft Outlook: Signierte E-Mail Nachrichten werden vom empfangenden Mailserver abgelehnt mit Fehlermeldung „Invalid S/MIME encrypted message.““

Cause research: Snipping Tool and other components in Windows 11 no longer usable due to expired certificate

Today went through many Mediathat some apps and components in the recently released Windows 11 no longer work since 01.11.2021 and that the cause for this is a certificate that expired on 31.10.2021. In the meantime Microsoft has pointed out in a blogpost and also a patch for some affected components published.

Unfortunately, none of the available sources provided detailed information about what exactly the problem was. So let's get to the bottom of it ourselves.

Continue reading „Ursachenforschung: Snipping Tool und weitere Komponenten in Windows 11 wegen abgelaufenem Zertifikat nicht mehr benutzbar“

Manual assignment of a Remote Desktop certificate fails with error message "Invalid parameter".

Assume the following scenario:

Set-WMIInstance : Invalid parameter
 At line:1 char:1
 Set-WMIInstance -path $TerminalServicesConfig.__path -argument @{SSLC ...
 ~~~~~~~~~~~~~~~~~ CategoryInfo : InvalidOperation: (:) [Set-WmiInstance], ManagementException
 FullyQualifiedErrorId : SetWMIManagementException,Microsoft.PowerShell.Commands.SetWmiInstance
Continue reading „Die manuelle Zuweisung eines Remotedesktop-Zertifikats schlägt fehl mit Fehlermeldung „Invalid parameter““

Code signatures of Appx packages via SignTool.exe fail with error code 0x8007000b (ERROR_BAD_FORMAT)

Assume the following scenario:

  • An Appx package is to be signed.
  • For this purpose the SignTool.exe used.
  • The code signing certificate used was recently renewed.
  • The signing process with the new code signing certificate fails with the following error message:
"Error: SignerSign() failed." (-2147024885/0x8007000b)
Continue reading „Codesignaturen von Appx Paketen per SignTool.exe schlagen fehl mit Fehlercode 0x8007000b (ERROR_BAD_FORMAT)“

Issue certificates with shortened validity period

Sometimes it is necessary to issue certificates with a shorter validity period than configured in the certificate template. Therefore, you may not want to reconfigure the certificate template right away or create another certificate template.

Continue reading „Zertifikate mit verkürzter Gültigkeitsdauer ausstellen“

Root certificates are imported on domain members into the certificate store for intermediate certificate authorities

Some will have noticed that the certificate store for intermediate CAs usually also contains certificates for root CAs.

As a rule, this behavior is not critical. In certain cases however, this can also cause problems with applications.

Continue reading „Stammstellen-Zertifikate werden auf Domänenmitgliedern in den Zertifikatspeicher für Zwischenzertifizierungsstellen importiert“

Basics: The Key Usage Certificate Extension

Certificate extensions were introduced with version 3 of the X.509 standard. The Key Usage extension is an optional certificate extension that can be used in the RFC 5280 is defined and is used to limit the allowed uses for a key.

Continue reading „Grundlagen: Die Key Usage Zertifikaterweiterung“

Establish a mapping from a user certificate to the associated computer

Assume the following scenario:

  • A user's computer is stolen or infected with malware.
  • The integrity of certificates located on the computer can no longer be guaranteed.
  • The certificates of the user(s) that were requested on this computer must be revoked.
  • However, one would like to avoid revoking all certificates of a user.
  • Thus, a connection must be established between the user's certificates and the computer on which they were requested.

If the certificates were issued by Autoenrollment requested, we can take advantage of the fact that a corresponding attribute was part of the original certificate request, and that the certificate request is stored in the certificate authority database along with the certificate.

Continue reading „Eine Zuordnung von einem Benutzerzertifikat zum dazugehörigen Computer herstellen“

No remote desktop logon possible from outside the Active Directory forest

Assume the following scenario:

  • You want to establish a remote desktop connection.
  • The client computer from which the connection is made is not a member of the same Active Directory forest as the target computer.
  • The connection fails with the following error message:
A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.
Continue reading „Keine Anmeldung per Remotedesktop von außerhalb der Active Directory Gesamtstruktur möglich“

Electronic data exchange with the German Pension Insurance

Recently, together with the B-I-T GmbH Information and processes from Hanover worked on implementing the electronic data exchange with the statutory health insurance funds and the pension insurance from one application.

Here, a combination of authenticated data transmission of both signed and encrypted messages is used. PKI technologies are used in all these cases.

The message format used is here documented.

Continue reading „Elektronischer Datenaustausch mit der Deutschen Rentenversicherung“

Details of the event with ID 1073 of the source Microsoft-Windows-TerminalServices-RemoteConnectionManager

Event Source:Microsoft-Windows-TerminalServices-RemoteConnectionManager
Event ID:1073 (0xC0000431)
Event log:System
Event type:
Event text (English):The msPKI-Cert-Template-OID column for the template-based certificate %1 returned an unknown data type %2.
Event text (German):The msPKI-Cert-Template-OID column for template-based certificate %1 returned unknown data type %2.
Continue reading „Details zum Ereignis mit ID 1073 der Quelle Microsoft-Windows-TerminalServices-RemoteConnectionManager“
en_USEnglish
de_DEDeutsch en_USEnglish