Category: Certification Authority

Establish a mapping from a user certificate to the associated computer

Assume the following scenario:

  • A user's computer is stolen or infected with malware.
  • The integrity of certificates located on the computer can no longer be guaranteed.
  • The certificates of the user(s) that were requested on this computer must be revoked.
  • However, one would like to avoid revoking all certificates of a user.
  • Thus, a connection must be established between the user's certificates and the computer on which they were requested.

If the certificates were issued by Autoenrollment requested, we can take advantage of the fact that a corresponding attribute was part of the original certificate request, and that the certificate request is stored in the certificate authority database along with the certificate.

Continue reading „Eine Zuordnung von einem Benutzerzertifikat zum dazugehörigen Computer herstellen“

Restoring certificates from the SMTP Exit Module data

If you restore a certification authority from a backup after a disaster has occurred, you will probably find that certificates were issued in the period between the last backup and the system failure with corresponding data loss.

These certificates are now not stored in the restored certificate authority database, so they cannot be restored if needed.

If you are using the SMTP Exit Module, you can at least determine the serial numbers of the certificates from the sent e-mails and revoke them.

Continue reading „Wiederherstellen von Zertifikaten aus den Daten des SMTP Exit Moduls“

The Certificate Authority service fails to start and throws the error message "Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL)."

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL).
Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL).““

The "Application Policies" certificate extension

The purposes for which a digital certificate may be used are controlled via the certificate extensions "Key Usage" and "Extended Key Usage".

In the "Extended Key Usage" certificate extension, the extended key uses for which the certificate may be used.

However, there is another certificate extension called "Application Policies" for certificates issued by a Microsoft Certification Authority, which also contains a list very similar to the Extended Key Usages extension.

Continue reading „Die „Application Policies“ Zertifikaterweiterung“

New certificates are regularly requested via Autoenrollment

Assume the following scenario:

  • A certificate template is configured for automatic request and issuance (AutoEnrollment).
  • Users or computers apply for new certificates at regular intervals and long before the defined renewal period.
Continue reading „Es werden regelmäßig neue Zertifikate über Autoenrollment beantragt“

The key algorithm of certificate requests is not checked by the certification authority's policy module

Assume the following scenario:

  • A certificate template is configured to use elliptic curve based keys (e.g. ECDSA_P256).
  • As a result, a minimum key length of 256 bits is configured.
  • Nevertheless, certificate requests that use other ECC curves or RSA-based keys are also signed.
Continue reading „Der Schlüsselalgorithmus von Zertifikatanforderungen wird vom Policy Modul der Zertifizierungsstelle nicht überprüft“

From Zero to Enterprise Administrator through Network Device Enrollment Service (NDES) - and What to Do About It

In the following, I would like to present a highly dangerous PKI configuration, perhaps not necessarily known to the general public, which can probably be encountered quite frequently in this way in corporate networks.

I show how, by exploiting various unfortunate circumstances in the Windows PKI, it is possible to elevate privileges from mere network access to complete Active Directory takeover.

The initial point of attack in this example is the Network Device Enrollment Service (NDES).

Continue reading „Von Null auf Enterprise Administrator durch den Registrierungsdienst für Netzwerkgeräte (NDES) – und was dagegen getan werden kann“

Installation of a certification authority fails with error message "The Certification Authority is already installed."

Assume the following scenario:

  • A certification authority is installed.
  • An error occurred during installation that required a retry.
  • The certification authority role was uninstalled and then the role configuration was tried again.
  • The role configuration fails with the following error message:
The Certification Authority is already installed. If you are trying to reinstall the role service, you must first uninstall it.
Continue reading „Die Installation einer Zertifizierungsstelle schlägt fehl mit Fehlermeldung „The Certification Authority is already installed.““

Installation or uninstallation of a Windows feature fails with error message "The service is configured to not accept any remote shell requests."

Assume the following scenario:

  • A Windows role concerning Active Directory Certificate Services (Certification Authority, Network Device Enrollment Service (NDES), Certificate Authority Web Enrollment (CAWE), Certificate Enrollment Web Services (CEP, CES), or Online Certificate Service Provider (OCSP)) is to be installed or uninstalled.
  • The installation or uninstallation fails with the following error message:
The status of the role services on the target machine cannot be determined. Please retry. The error is The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.
Continue reading „Die Installation oder Deinstallation eines Windows-Features schlägt fehl mit Fehlermeldung „The service is configured to not accept any remote shell requests.““

Revocation of an issued certificate fails with error message "The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)".

Assume the following scenario:

  • A certificate is revoked via the command line (certutil -revoke).
  • The operation fails with the following error message:
ICertAdmin::RevokeCertificate: The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
Continue reading „Der Widerruf eines ausgestellten Zertifikats schlägt fehl mit Fehlermeldung „The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)““

Treatment of expired certificates when issuing certificate revocation lists

By default, the Microsoft Certification Authority removes the serial numbers of expired certificates from the revocation lists it issues.

However, there are some exceptions to this.

Continue reading „Behandlung abgelaufener Zertifikate bei der Ausstellung von Zertifikatsperrlisten“

The certification authority service does not start and throws the error message "The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)".

Assume the following scenario:

  • A certification authority is installed.
  • The installation is successful, but the Certificate Authority service does not start after the installation.
  • When trying to start the Certificate Authority service from the Certificate Authority Management Console, you receive the following error message:
The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
The policy module for a CA is missing or incorrectly registered. To view or change policy module settings, right-click on the CA, click Properties, and then click the Policy Module tab.
Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)““

Certificate request fails with error message "The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)".

Assume the following scenario:

  • A user sends a certificate request to a certificate authority.
  • The certificate request fails with the following error message:
The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)
Denied by Policy Module
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)““

Basics: Configuration file for the certification authority (capolicy.inf)

The capolicy.inf contains basic settings that can or should be specified before installing a certificate authority. In simple terms, it can be said that no certificate authority should be installed without it.

Continue reading „Grundlagen: Konfigurationsdatei für die Zertifizierungsstelle (capolicy.inf)“

Create an exit module for the certification authority in C#

The Microsoft Certification Authority offers the possibility to create your own Policy and exit modules to develop to extend the functionality of the Certification Authority.

Below are the steps necessary to create an exit module in C# using Visual Studio 2019. The exit module will write issued certificates to a configurable directory in the file system.

Continue reading „Ein Exit Modul für die Zertifizierungsstelle in C# erstellen“
en_USEnglish
de_DEDeutsch en_USEnglish