The SMTP Exit module does not work on Windows Server Core

Assume the following scenario:

  • A certificate authority is installed on Windows Server Core.
  • The SMTP exit module supplied with the certification authority is used and configured.
  • However, the Certification Authority does not send e-mails.
  • In the event log, event ID 46 is logged with the following error message:
The "Windows default" Exit Module "Initialize" method returned an error. Class not registered The returned status code is 0x80040154 (-2147221164). The Certification Authority was unable to initialize email messaging objects.
Continue reading „The SMTP Exit module does not work on Windows Server Core“

Allow requesting a specific signature key on a certification authority

The Microsoft Certification Authority always signs certificates using the key associated with the most recent Certification Authority Certificate. In accordance with RFC 6960, however, the signing certificate for an OCSP response should be signed by the same key as the certificate to be verified:

The CA SHOULD use the same issuing key to issue a delegation certificate as that used to sign the certificate being checked for revocation.

https://tools.ietf.org/html/rfc6960#section-4.2.2.2

However, if the certification authority certificate is renewed and a new key pair is used in the process, it is necessary for the online responder to continue to maintain valid signature certificates for the certificates issued with the previous certification authority certificate, since these are ultimately still valid and must be checked for revocation.

Continue reading „Allow requesting a specific signature key on a certification authority“

Certificate request fails with error message "The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)".

Assume the following scenario:

  • A certificate request is sent to a certification authority.
  • The certificate request fails with the following error message:
Error Parsing Request The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Continue reading „Certificate request fails with error message „The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)““

Certificate request fails with error message "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Assume the following scenario:

  • A user sends a certificate request to a certificate authority.
  • The certificate request fails with the following error message:
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).
Denied by Policy Module.
Continue reading „Certificate request fails with error message „Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).““

Windows Server Migration Matrix for the Certification Authority

At the latest when the end of product support by the manufacturer (Microsoft) approaches, the question arises as to how and to which operating system a certification authority should be migrated.

Continue reading „Windows Server Migration Matrix for the Certification Authority“

Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server

Often a certification authority lives significantly longer than the server on which it was installed. Reasons for migrating the certification authority to a new server, i.e. while retaining the data, can be:

  • Defect or end of life of the server hardware
  • End of life of the server operating system
  • Change of the server name

The procedure for migration is described in detail below.

Continue reading „Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server“

End of product support by the manufacturer (Microsoft)

Each Windows Server operating system has a defined end date after which there is no longer any product support from the manufacturer. Certification authorities are also bound to this date, and should therefore be migrated before this date expires.

Continue reading „End of product support by the manufacturer (Microsoft)“

The certification authority service does not start and throws the error message "Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)
Continue reading „The certification authority service does not start and throws the error message „Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)““

Configuration of security event monitoring (auditing settings) for certification authorities

In contrast to operational events, which are often what is meant by the term "monitoring", auditing for the certification authority means configuring the logging of security-relevant events.

Continue reading „Configuration of security event monitoring (auditing settings) for certification authorities“

Perform functional test for a Certification Authority

After installing a certification authority, after migrating to a new server, or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components of the certification authority are working as desired.

Continue reading „Perform functional test for a Certification Authority“

Publish a certificate revocation list (CRL) to an Active Directory revocation list distribution point (CDP).

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

In some cases (for example, with an offline certificate authority, or if non-standard LDAP revocation list distribution points have been configured), the certificate revocation list must be manually published to Active Directory.

Continue reading „Publish a certificate revocation list (CRL) to an Active Directory revocation list distribution point (CDP)“

Create and publish a certificate revocation list

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

After a certificate has been revoked, a new revocation list must be created and published so that entities that check the revocation status are informed of the revocation. Since the revocation list has a relatively short expiration date, it must be reissued at regular intervals even if the content is not changed.

Continue reading „Create and publish a certificate revocation list“

Revoking an issued certificate

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

When a certificate is revoked, its serial number is placed on the revocation list. Entities that check the revocation of a certificate then consider it to be no longer valid.

Continue reading „Revoking an issued certificate“

Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)".

Assume the following scenario:

  • A Certification Authority certificate is requested from a Certification Authority
  • The certificate request fails with the following error message:
The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)
Denied by Policy Module
Continue reading „Certificate authority certificate request fails with error message „The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)““

Configure Path Length Constraint for Certificates Issued by a Certification Authority

For stronger control over the certificates that can be issued by a certification authority, a path length constraint can be set up so that certification authorities below a defined hierarchy level are no longer able to issue subordinate certification authority certificates.

For an explanation of how the path length constraint works, see the article "Basics: Path Length Constraint".

Continue reading „Configure Path Length Constraint for Certificates Issued by a Certification Authority“