In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2008 R2

At the latest when the manufacturer (Microsoft) ends product support, the question arises whether the certification authority should be migrated to another server with a current operating system, or whether an in-place upgrade should be performed. The latter process is described below.


In-Place Upgrade of a Certification Authority from Windows Server 2008 SP2 to Windows Server 2012

At the latest when the manufacturer (Microsoft) ends product support, the question arises whether the certification authority should be migrated to another server with a current operating system, or whether an in-place upgrade should be performed. The latter process is described below.


In-Place Upgrade of a Certification Authority from Windows Server 2008 R2 to Windows Server 2012 R2

At the latest when the manufacturer (Microsoft) ends product support, the question arises whether the certification authority should be migrated to another server with a current operating system, or whether an in-place upgrade should be performed. The latter process is described below.


Remote desktop connection no longer possible after in-place upgrade of Windows Server operating system

Assume the following scenario:

  • An in-place upgrade of the certification authority's operating system is performed.
  • After the upgrade, I can no longer log in via Remote Desktop. The connection fails with the following error message:

An authentication error has occurred.
The function requested is not supported.
Remote Computer: 192.168.1.149
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

In German:

Authentication error.
The requested function is not supported.
Remote computer: 192.168.1.149
The cause could be a CredSSP Encryption Oracle defense.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660 

Certificate request fails with error message "Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)".

Assume the following scenario:

  • A certificate request is sent to a certification authority.
  • The certificate request fails with the following error message:

Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439 CERTSRV_E_BAD_REQUESTSUBJECT)

Token for CDP and AIA configuration of a certification authority

The following is an overview of the tokens for the CDP and AIA configuration of a certification authority.


Overview of audit events generated by the Certification Authority

The following is an overview of the audit events generated by the certification authority in the Windows Event Viewer.

In contrast to operational events, which are usually covered by the term "monitoring", auditing for the certification authority means configuring the logging of security-relevant events.


Configuring the certificate authority to a static port (RPC endpoint)

In the default configuration, the certificate authority's certificate request interface is configured to negotiate dynamic ports for the incoming RPC/DCOM connections (for more details, see the article "Firewall rules required for Active Directory Certificate Services").

  Network protocol   Destination port   Protocol
  TCP                135                RPC Endpoint Mapper
  TCP                49152-65535        RPC dynamic ports

This configuration is not feasible in every enterprise environment. Often there are restrictive firewall rules that do not allow the use of dynamic network ports.

In such a case, the certificate authority must be configured to a static port.


Querying the configured RPC endpoints of a certification authority

In the default configuration, the certificate authority's certificate request interface is configured to negotiate dynamic ports for the incoming RPC/DCOM connections (for more details, see the article "Firewall rules required for Active Directory Certificate Services").

However, it is also possible to configure the certificate authority to a static port (see the article "Configuring the certificate authority to a static port (RPC endpoint)").

The following describes how to check the current configuration of the certification authority.


Classification of ADCS components in the Administrative Tiering Model

If, in addition to the Active Directory Certificate Services, the administrative tiering model is also implemented for the Active Directory directory service, the question arises as to how the individual PKI components are to be assigned to this model in order to be able to perform targeted security hardening.


Send a manually created certificate request to a certification authority

If a certificate request exists as a text file (usually with the extension .CSR or .REQ), for example after it was generated manually, it can be sent to the certification authority using the operating system's built-in tools.


Performance problems with auditing of "Start and stop Active Directory Certificate Services".

When configuring the auditing settings of a certificate authority, one is inclined to also select the "Start and Stop Active Directory Certificate Services" option. However, under some circumstances this option may cause performance problems.


More than one common name (CN) in the certificate

Nowadays more of a curiosity than really relevant in practice, but from time to time you do receive certificate requests that contain more than one common name in the subject. Even though it may seem surprising, this is quite possible and also RFC compliant.
