Category: Certification Authority

The certification authority service does not start and throws the error message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)"

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)““

Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode

If you want to perform maintenance work such as Migration to another server or perform more extensive configuration changes requiring a functional test on a certification authority, you want to ensure that the certification authority service is running, but at the same time prevent certificates from being automatically requested from and issued by the certification authority during this phase.

Continue reading „Eine Active Directory integrierte Zertifizierungsstelle (Enterprise Certification Authority) in den Wartungsmodus versetzen“

What impact does the revocation of a certification authority certificate have on the certification authority?

The following describes the impact on Certification Authority operations when one of the Certification Authority certificates of a Certification Authority is revoked.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.

Continue reading „Welchen Einfluss hat der Widerruf eines Zertifizierungsstellen-Zertifikats auf die Zertifizierungsstelle?“

What impact does incorrect revocation information of a certification authority certificate have on the certification authority?

The following describes the effects on certification authority operation if the revocation information for one of the certification authority's certificates cannot be retrieved.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.

Continue reading „Welchen Einfluss haben fehlerhafte Sperrinformationen eines Zertifizierungsstellen-Zertifikats auf die Zertifizierungsstelle?“

What impact does the revocation of the trust status of a root certification authority certificate have on the certification authority?

The following describes the impact on certification authority operations if one of the root certification authority certificates from which one of the certification authority certificates is derived has its trust status revoked, or never had it.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.

Continue reading „Welchen Einfluss hat der Entzug des Vertrauensstatus eines Stammzertifizierungsstellen-Zertifikats auf die Zertifizierungsstelle?“

The certification authority service does not start and throws the error message "The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)
Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)““

The certification authority service does not start and throws the error message "A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)
Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)““

The certification authority service does not start and throws the error message "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)““

Certificate request fails with error message "The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)".

Assume the following scenario:

  • A user requests a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority)
  • The certificate request fails with the following error message:
The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)““

Cryptography basics

The need for the use for cryptography can be summarized under the notion of ensuring secure communication in the presence of untrusted third parties. The goals of cryptography are:

  1. To prevent data from falling into unauthorized hands (To ensure the confidentiality of data).
  2. Find out if data has been modified during transport (Ensure the integrity of the data).
  3. To clearly identify the source of the data (To ensure the authenticity of the data).
  4. Additionally, users or computers can authenticate themselves using cryptography.
Continue reading „Grundlagen Kryptographie“

Editing the NTAuthCertificates object in Active Directory

In the default configuration, all certification authority certificates of Active Directory integrated certification authorities (Enterprise Certification Authority) are located in an object of type CertificationAuthority named NTAuthCertificates within the Configuration Partition of the Active Directory forest.

Continue reading „Bearbeiten des NTAuthCertificates Objektes im Active Directory“

Publishing a certificate revocation list (CRL) fails with the error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".

Assume the following scenario:

  • An attempt is made to publish a new certificate revocation list (CRL) on a certification authority
  • The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
  • Publishing the certificate revocation list fails with the following error message: 
Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)
Continue reading „Die Veröffentlichtung einer Zertifikatsperrliste (CRL) schlägt fehl mit der Fehlermeldung „Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)““

Publishing a certificate revocation list (CRL) fails with the error message "Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)".

Assume the following scenario:

  • An attempt is made to publish a new certificate revocation list (CRL) on a certification authority.
  • The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
  • Publishing the certificate revocation list fails with the following error message:
Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)
Continue reading „Die Veröffentlichtung einer Zertifikatsperrliste (CRL) schlägt fehl mit der Fehlermeldung „Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)““

Advanced queries against the certification authority database

The Certification Authority database stores much of the information about a Certification Authority's activities. Among other things, it contains information about:

  • Certificates issued
  • Revoked certificates
  • Published blacklists
  • Pending certificate requirements
  • Rejected certificate requests
  • Failed certificate requests

Viewing the contents of the certification authority database is usually done via the certification authority's management console (certsrv.msc), but the possibilities for evaluation and especially for machine processing are very limited.

Continue reading „Erweiterte Abfragen gegen die Zertifizierungsstellen-Datenbank“

Requesting a certificate fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)".

Here's the scenario:

  • A user applies for a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The certificate of the certification authority is trusted, i.e. it is located in the Trusted Root Certification Authorities store.
  • The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)““
en_USEnglish
de_DEDeutsch en_USEnglish