Create and publish a certificate revocation list

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

After a certificate has been revoked, a new revocation list must be created and published so that entities that check the revocation status are informed of the revocation. Since the revocation list has a relatively short expiration date, it must be reissued at regular intervals even if the content is not changed.

Continue reading “Create and publish a certificate revocation list”

Revoking an issued certificate

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

When a certificate is revoked, its serial number is placed on the revocation list. Entities that check the revocation of a certificate then consider it to be no longer valid.

Continue reading “Revoking an issued certificate”

Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)".

Assume the following scenario:

  • A Certification Authority certificate is requested from a Certification Authority
  • The certificate request fails with the following error message:
The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)
Denied by Policy Module
Continue reading “Certificate authority certificate request fails with error message "The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE)"”

Configure Path Length Constraint for Certificates Issued by a Certification Authority

For stronger control over the certificates that can be issued by a certification authority, a path length constraint can be set up so that certification authorities above a defined hierarchy level are no longer able to issue subordinate certification authority certificates.

For an explanation of how the path length constraint works, see the article "Basics: Path Length Constraint".

Continue reading “Configure Path Length Constraint for Certificates Issued by a Certification Authority”

If a certification authority certificate has been revoked, a revocation list is no longer issued for the certification authority certificate

Assume the following scenario:

  • A certification authority has multiple certification authority certificates.
  • More than one certificate authority certificate uses the same private key because, for example, the certificate authority certificate was renewed with the same key pair.
  • If one of these certification authority certificates is revoked, the certification authority will also no longer issue revocation lists for the other certification authority certificates that use the same key.
Continue reading “If a certification authority certificate has been revoked, a revocation list is no longer issued for the certification authority certificate”

Restoring a certification authority from backup

The following describes how to restore a certification authority from backup. In addition to the disaster case, this procedure is also part of the migration of a certification authority to a new server.

Continue reading “Restoring a certification authority from backup”

Restoration of a Certification Authority Certificate with Hardware Security Module (HSM)

The following describes how to restore a certificate authority certificate with software key.

Restoring the certification authority certificate may be necessary for the following reasons:

Continue reading “Restoration of a Certification Authority Certificate with Hardware Security Module (HSM)”

Restoration of a certification authority certificate with software key

The following describes how to restore a certificate authority certificate with software key.

Restoring the certification authority certificate may be necessary for the following reasons:

Continue reading “Restoration of a certification authority certificate with software key”

What impact does the expiration of one of the Certification Authority certificates have on the Certification Authority?

Certification authority certificates have a defined start and end date, so it is inevitable during the lifecycle of a certification authority that certification authority certificates will expire.

The following describes the impact of an expiring Certification Authority certificate on the Certification Authority.

Continue reading “What impact does the expiration of one of the Certification Authority certificates have on the Certification Authority?”

Certificate request fails with error message "0x800b0101 (-2146762495 CERT_E_EXPIRED)".

Assume the following scenario:

  • A user requests a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority)
  • The certificate request fails with the following error message.
Continue reading “Certificate request fails with error message "0x800b0101 (-2146762495 CERT_E_EXPIRED)"”

The Certificate Authority service does not start and throws the error message "The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)."

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
The data is invalid. 0xd (WIN32: 13 ERROR_INVALID_DATA)
Continue reading “The Certificate Authority service does not start and throws the error message "The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)."”

Removing old certification authority certificates from the configuration of a certification authority

During the lifetime of a certification authority, certification authority certificates are renewed according to the planning for their life cycle. A new key pair can optionally be used here. The previous certification authority certificates expire or are revoked.

Expired certificate authority certificates can become a problem under certain circumstances if, for example, the associated private keys are stored on old hardware security modules (HSM) and these can only be migrated to new hardware with great difficulty.

In such a case, it may be useful to remove old certification authority certificates from the certification authority configuration.

Continue reading “Removing old certification authority certificates from the configuration of a certification authority”

Create a backup of a certification authority

Professional operation of a Certification Authority also includes the regular creation of backups.

The following describes which components need to be backed up and the associated procedure.

Continue reading “Create a backup of a certification authority”

Create a backup of the private key of a certification authority

Securing a certification authority also includes backing up the private key material. The backup of the private key material is deliberately described separately, since it should be performed separately and its backups should also be stored separately from those of the certification authority.

Continue reading “Create a backup of the private key of a certification authority”

Perform emergency signing of certificate revocation lists

The most important component of a PKI in terms of availability is not the certification authority, as is often assumed, but the revocation list distribution points. If a certification authority is unavailable, initially no new certificates can be issued, but the certificates already issued can continue to be used without hindrance as long as their revocation status can be verified. In addition to the pure availability of the revocation list distribution points, the revocation information must of course also be valid in terms of its signature. Revocation lists have a defined expiration date after which they can no longer be used. If a certification authority has failed, it can no longer publish new revocation lists either. The process of emergency signing of revocation lists is provided for this case.

Continue reading “Perform emergency signing of certificate revocation lists”