Category: Certification Authority

A policy module to tame them all: Introducing the TameMyCerts Policy Module for the Microsoft Certification Authority.

As a Certification Authority operator, you are (among other things) responsible for the identification of the enrollees and the confirmation of the requested identities. The fact that this task is carried out conscientiously and without error is the central pillar of the trust placed in the certification body. Well-known companies are already failed in this task, even had to file for insolvency as a result of misrepresentations and / or were taken over by the big players in the market sensitive punished.

In many cases, we as (Microsoft) PKI operators in companies (regardless of the associated quality) are able to delegate our task of uniquely identifying an applicant to the Active Directory. In many cases, however, we unfortunately also have to instruct our certification authority(ies) to simply issue everything that is requested.

Continue reading „Ein Policy Modul, um sie zu bändigen: Vorstellung des TameMyCerts Policy Moduls für Microsoft Active Directory Certificate Services“

The partition of the Hardware Security Module (HSM) runs full

Assume the following scenario:

  • A Certification Authority uses a Hardware Security Module (HSM).
  • The partition of the hardware security module fills up with more and more keys over the lifetime of the certificate authority.
  • At SafeNet hardware security modules, this can even cause the partition to fill up. As a result, the events 86 and 88 logged by the Certification Authority.
Continue reading „Die Partition des Hardware Security Moduls (HSM) läuft voll“

Changes to Certificate Issuance and Certificate-Based Logon to Active Directory with the May 10, 2022 Patch for Windows Server (KB5014754)

With the May 10, 2022 patch, Microsoft is attempting to patch a vulnerability in the Active Directory in which the certificate-based enrollment (commonly known as PKINIT or also Smartcard Logon) to close.

The update changes both the behavior of the Certification Authority as well as the behavior of Active Directory when processing certificate-based logins.

Continue reading „Änderungen an der Zertifikatausstellung und an der zertifikatbasierten Anmeldung am Active Directory mit dem Patch für Windows Server vom 10. Mai 2022 (KB5014754)“

Basics: Name Constraints

Name restrictions are a part of the X.509 standard and in the RFC 5280 described. They are a tool that can be used within the qualified subordination can be used to control the validity range of a certification authority certificate in a fine-grained manner.

Continue reading „Grundlagen: Namenseinschränkungen (Name Constraints)“

It's time: Migrating the PKI components from Windows Server 2012 to a new operating system

At the turn of the year, a note to all operators of a Microsoft Certification Authority and connected services:

The End of product support from Microsoft for Windows Server 2012 and 2012 R2 is slowly approaching, it is the October 10, 2023.

Thus, it is time to prepare for the move to a new operating system.

Continue reading „Es wird Zeit: Migrieren der PKI Komponenten von Windows Server 2012 auf ein neues Betriebssystem“

Basics: Elliptic curves with regard to their use in the public key infrastructure

With Windows Vista and Windows Server 2008, the Cryptography API: Next Generation (CNG) was introduced into the Windows systems.

This term refers to a collection of modern cryptographic functions. Among other things, the CNG enables the use of certificates that use keys based on elliptic curves (also called Elliptic Curve Cryptography, ECC) with the Microsoft Certification Authority and the Windows operating system.

Continue reading „Grundlagen: Elliptische Kurven in Hinsicht auf ihre Verwendung in der Public Key Infrastruktur“

Operating the Certification Authority without exit module

If a certification authority is installed, the "Windows Default" exit module is automatically activated. This enables e-mail messages to be sent when certain events occur at the certification authority. However, most companies do not use this feature at all.

But even if the exit module is not used at all, it causes sessions on the certification authority database (see Event no. 46). On Certification Authorities with high load this can be problematic.

If the functions it offers are not used at all (under Windows Server Core the "Windows Default" exit module basically does not work), it can also be disabled completely.

Continue reading „Betreiben der Zertifizierungsstelle ohne Exit Modul“

The database schema of the Certification Authority database

Would you like to Queries against the Certification Authority database formulate, you must first know what you want to look for.

There is a possibility to output the database schema of the certification authority database.

Continue reading „Das Datenbankschema der Zertifizierungsstellen-Datenbank“

Limits of Microsoft Active Directory Certificate Services

Active Directory Certificate Services have existed (albeit under a different name) in their basic form since Windows NT 4.0. The architecture based on Active Directory used today was introduced with Windows 2000 Server. AD CS are very well integrated into the Windows ecosystem and continue to be very popular in enterprises and government agencies of all sizes worldwide.

People like to point out the many possibilities offered by Active Directory Certificate Services. Rarely, however, is reference made to what can be done with them. not is possible. In the meantime, the product has also reached its limits in many places.

What these are will be explained in more detail below in order to better decide whether the AD CS can be the right solution for planned projects.

Continue reading „Grenzen der Microsoft Active Directory Certificate Services“

When restoring a certification authority, the certification authority certificate is not selectable during role installation

Assume the following scenario:

Continue reading „Bei der Wiederherstellung einer Zertifizierungsstelle ist das Zertifizierungsstellen-Zertifikat bei der Rollen-Installation nicht auswählbar“

Installation of a certificate authority certificate fails with error message "Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)".

Assume the following scenario:

  • A new certification authority is installed.
  • After configuring the certification authority role and issuing the certification authority certificate, it should now be installed on the certification authority.
  • A hardware security module (HSM) is used to protect the private key of the certification authority certificate.
  • The installation of the certificate authority certificate fails with the following error message:
An error was detected while configuring Active Directory Certificate Services.
The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration.
The new certificate public key does not match the current outstanding request.
The wrong request may have been used to generate the new certificate: Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)
Continue reading „Die Installation eines Zertifizierungsstellen-Zertifikats schlägt fehl mit Fehlermeldung „Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)““

Reconnecting to the private key fails with error message "Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Cannot find object or property.
Continue reading „Die Wiederherstellung der Verbindung zum privaten Schlüssel schlägt fehl mit Fehlermeldung „Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““

Installation of the default certificate templates fails with error message "This security ID may not be assigned as the owner of this object."

Assume the following scenario:

  • For the first time, a certification authority (Enterprise Certification Authority) integrated into Active Directory is to be installed in the network.
  • The rights to install the certificate authority have been delegated to a separate security group or account for security reasons, so no Enterprise Administrator login is required. Put another way: The user used is not a member of the Enterprise Administrators group in the Active Directory forest.
  • Since this is the first certification authority in the network, no Standard certificate templates installed in the Active Directory. When opening the certificate template management console (certtmpl.msc), one is prompted to install it.
  • The installation fails with the following error message:
Windows could not install the new certificate templates. This security ID may not be assigned as the owner of this object.
Continue reading „Die Installation der Standard-Zertifikatvorlagen schlägt fehl mit Fehlermeldung „This security ID may not be assigned as the owner of this object.““

Issue certificates with shortened validity period

Sometimes it is necessary to issue certificates with a shorter validity period than configured in the certificate template. Therefore, you may not want to reconfigure the certificate template right away or create another certificate template.

Continue reading „Zertifikate mit verkürzter Gültigkeitsdauer ausstellen“

Root certificates are imported on domain members into the certificate store for intermediate certificate authorities

Some will have noticed that the certificate store for intermediate CAs usually also contains certificates for root CAs.

As a rule, this behavior is not critical. In certain cases however, this can also cause problems with applications.

Continue reading „Stammstellen-Zertifikate werden auf Domänenmitgliedern in den Zertifikatspeicher für Zwischenzertifizierungsstellen importiert“
en_USEnglish
de_DEDeutsch en_USEnglish