Event Source: | Microsoft-Windows-CertificationAuthority |
Event ID: | 15 (0xF) |
Event log: | Application |
Event type: | Error |
Event text (English): | Active Directory Certificate Services did not start: Version does not match certif.dll. |
Event text (German): | The Active Directory certificate services have not been started: The version does not match "certif.dll". |
Category: Certification Authority
Details of the event with ID 16 of the source Microsoft-Windows-CertificationAuthority
Event Source: | Microsoft-Windows-CertificationAuthority |
Event ID: | 16 (0x10) |
Event log: | Application |
Event type: | Error |
Event text (English): | Active Directory Certificate Services did not start: Unable to initialize OLE: %1. |
Event text (German): | Active Directory certificate services failed to start: OLE could not be initialized: %1. |
Details of the event with ID 5 of the source Microsoft-Windows-CertificationAuthority
Event Source: | Microsoft-Windows-CertificationAuthority |
Event ID: | 5 (0x5) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | MSG_BAD_REGISTRY |
Event text (English): | Active Directory Certificate Services could not find required registry information. The Active Directory Certificate Services may need to be reinstalled. |
Event text (German): | The required registry information could not be found. The Active Directory certificate services may need to be reinstalled. |
Change the signing algorithm of a certification authority hierarchy without issuing new certification authority certificates
Sometimes it may be necessary to subsequently change the signature algorithm of an already installed certification authority hierarchy.
This is often the case because the hierarchy was installed with PKCS#1 version 2.1 and it unfortunately only turns out afterwards that not all applications are compatible with the resulting certificates and thus cannot use the hierarchy.
While it is relatively easy to change the signature algorithm for certificates issued by a certification authority, it is more difficult to do so for certification authority certificates.
The certification authority service does not start and throws the error message "The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)".
Assume the following scenario:
- A certification authority is implemented in the network.
- The certification authority service does not start.
- When trying to start the Certification Authority service, you get the following error message:
The parameter is incorrect. 0x57 (WIN32: 87 ERROR_INVALID_PARAMETER)
Configuring PKCS#1 Version 2.1 for Issued Certificates and Revocation Lists of a Certification Authority
Sometimes it may be necessary to subsequently change the signature algorithm of an already installed certification authority.
Deploy PKCS#1 version 2.1 for a root CA (own and issued certificates)
Before installing a standalone root certification authority (standalone root CA), the question arises as to which cryptographic algorithms should be used.
Basics: key algorithms, signature algorithms and signature hash algorithms
When planning a public key infrastructure, the question arises as to which cryptographic algorithms it should use.
The main principles are explained below.
Prevent smartcard logon to the network
Installing Active Directory Certificate Services in the default configuration automatically configures the environment to accept smart card logins from domain controllers.
Therefore, if the use of smart card logins is not desired, it makes sense to disable the functionality so that a compromise of the certification authority cannot jeopardize Active Directory.
Disabling the generation of cross-certification authority certificates on a root certification authority
Root certification authorities (root CA) generate so-called cross-certification authority certificates (cross signing) when the certification authority certificate is renewed.
Sometimes problems may occur in this process, as described, for example, in the article "Certificate authority certificate request fails with error message 'The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)'".
In such a case, one may want to stop the creation of the cross-certification authority certificates.
Umlauts in certification authority certificates
Internationalized Domain Names (IDNs) have been officially supported since Windows Server 2012 as part of the Certificate Authority and associated components.
However, if you want to use them in your certification authority certificates, there are some specifics to consider.
How are the compatibility settings for certificate templates technically mapped?
Since the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility for the certificate authority and certificate recipient when configuring a certificate template.
In the following, this function is described in more detail, as well as possible effects in practice.
Overview of the availability of options when changing the compatibility settings of a certificate template
Since the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility for the certificate authority and certificate recipient when configuring a certificate template.
The following is an overview of which options become available in each case when the compatibility settings for the certificate authority and/or the certificate recipients are changed.
In-Place Upgrade of a Certification Authority from Windows Server 2012 R2 or 2016 to Windows Server 2019
At the latest when the manufacturer (Microsoft) ends product support, the question arises as to whether to migrate the certification authority to another server with an up-to-date operating system or to perform an in-place upgrade. The latter process is described below.
In-Place Upgrade of a Certification Authority from Windows Server 2012 SP2 or 2012 R2 to Windows Server 2016
At the latest when the manufacturer (Microsoft) ends product support, the question arises as to whether to migrate the certification authority to another server with an up-to-date operating system or to perform an in-place upgrade. The latter process is described below.