List of use cases for certificates that require specific Cryptographic Service Providers (CSP) or Key Storage Providers (KSP).

Windows Server 2008 introduced, together with the NSA Suite B algorithms (Cryptography Next Generation, CNG) and Key Storage Providers, a new, modern interface for generating, storing, and using private keys in the Windows ecosystem.

In most cases, it does not matter which CSP or KSP is used for certificates. However, some applications will not work or will not work correctly if the wrong provider is chosen.

Below is a list of use cases I know of for certificates that only work with a specific Cryptographic Service Provider (CSP) or Key Storage Provider (KSP).


SSCEP: Subject of our request does not match that of the returned Certificate!

Assume the following scenario:

sscep: Subject of our request does not match that of the returned Certificate!

Install SSCEP for Linux (Debian Buster) and apply for certificates via the Network Device Enrollment Service (NDES).

If you want to equip a large number of systems with certificates, manually requesting and renewing certificates is not an option. The only viable path is automation.

For systems that are not members of the Active Directory forest, an automatic certificate request via RPC/DCOM is not an option.

For certain use cases, the Simple Certificate Enrollment Protocol (SCEP) is an interesting alternative. Clients for this protocol exist not only for Windows, but also for Linux in the form of SSCEP. SSCEP is used, among others, by thin clients running the eLux operating system.

The following describes how to set up the SSCEP client on a Debian Buster Linux system - either to use it to manage servers or to be able to test the client-side behavior.


Regular password change when configuring the Network Device Enrollment Service (NDES) with a static password.

Suppose you are running a Network Device Enrollment Service (NDES) that is configured to use a static password. In this case, unlike in the default configuration, the password that clients use to request certificates via NDES never changes.

However, a middle ground is possible, for example changing the password daily. The following describes a way to automate the password change.


Certificate Enrollment for Windows Systems via the Network Device Enrollment Service (NDES) with Windows PowerShell

If you want to equip Windows systems with certificates that do not have the option of communicating directly with an Active Directory-integrated certification authority, or that are not even in the same Active Directory forest, the only option in most cases is to install certificates manually.

Since Windows 8.1 / Windows Server 2012 R2, however, an integrated client for the Simple Certificate Enrollment Protocol (SCEP) has been on board. On the server side, SCEP has been implemented in the Microsoft PKI by the Network Device Enrollment Service (NDES) since Windows Server 2003.

A particularly interesting feature of SCEP is that the protocol allows a certificate to be renewed by specifying an existing one. So what could be more obvious than to use this interface? What is still missing is a corresponding automation via Windows PowerShell.


Network Device Enrollment Service (NDES) Basics

The Simple Certificate Enrollment Protocol (SCEP) was developed by Verisign for Cisco in the early 2000s to provide a simplified method for requesting certificates. Previously, network devices required manually generating a certificate request on each device, submitting it to a certificate authority, and then manually reinstalling the issued certificate on the corresponding device.


Authentication at the Network Device Enrollment Service (NDES) with an existing certificate (renewal mode)

The Network Device Enrollment Service (NDES) has the ability to authenticate with a previously issued certificate in order to reapply for a certificate with the same content. This is very convenient for renewal operations, as it eliminates the need to apply for a one-time password beforehand.


Role configuration for Network Device Enrollment Service (NDES) fails with error message "Failed to Enroll RA certificates. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)"

Assume the following scenario:

  • One installs a Network Device Enrollment Service (NDES) server
  • One has the necessary permissions to install the role (local administrator, enterprise administrator)
  • The role configuration fails with the following error message:

    Failed to enroll RA certificates. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)

Is there a dependency between the Network Device Enrollment Service (NDES) and the NTAuthCertificates object?

The Network Device Enrollment Service (NDES) has two Registration Authority certificates. Certificate requests are signed with the enrollment agent certificate, and the certificate template for the NDES devices can be configured accordingly so that certificates are only issued if the submitted certificate requests carry a corresponding signature.

If you plan to remove the certification authority connected to the NDES from the NTAuthCertificates object, the question arises whether mutual dependencies need to be taken into account here; after all, Enroll on Behalf Of (EOBO) requires the presence of the certification authority certificate in NTAuthCertificates.


Details of the event with ID 52 of the source Microsoft-Windows-NetworkDeviceEnrollmentService

Event Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID: 52 (0x34)
Event log: Application
Event type: Information
Event text (English): The Network Device Enrollment Service policy module was started successfully.
Event text (German): The Network Device Registration Service policy module has been started successfully.

Details of the event with ID 53 of the source Microsoft-Windows-NetworkDeviceEnrollmentService

Event Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID: 53 (0x35)
Event log: Application
Event type: Error
Event text (English): The Network Device Enrollment Service policy module could not be started (%1). %2
Event text (German): Failed to start the Network Device Registration Service policy module (%1). %2

Details of the event with ID 54 of the source Microsoft-Windows-NetworkDeviceEnrollmentService

Event Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID: 54 (0x36)
Event log: Application
Event type: Information
Event text (English): The Network Device Enrollment Service policy module was stopped successfully.
Event text (German): The policy module "Registration service for network devices" has been successfully completed.

Details of the event with ID 55 of the source Microsoft-Windows-NetworkDeviceEnrollmentService

Event Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID: 55 (0x37)
Event log: Application
Event type: Error
Event text (English): The Network Device Enrollment Service policy module could not be stopped (%1). %2
Event text (German): The policy module "Registration service for network devices" could not be terminated (%1). %2

Details of the event with ID 43 of the source Microsoft-Windows-NetworkDeviceEnrollmentService

Event Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID: 43 (0x2B)
Event log: Application
Event type: Error
Symbolic Name: EVENT_MSCEP_INVALID_USAGE_FOR_PASSWORD
Event text (English): This password has already been used to request a (%1) certificate. Only one signing certificate and one exchange certificate can be issued per password. Obtain a new password to use with this request, or create a new request with a different key usage and the same password, then try again.
Event text (German): This password has already been used to request a (%1) certificate. Only one signing certificate and one exchange certificate can be issued per password. Set a new password for this request or create a new request with a different key usage and the same password. Then repeat the process.

Details of the event with ID 44 of the source Microsoft-Windows-NetworkDeviceEnrollmentService

Event Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID: 44 (0x2C)
Event log: Application
Event type: Error
Symbolic Name: EVENT_MSCEP_GETCRL_FAILED
Event text (English): The Network Device Enrollment Service cannot obtain the certificate revocation list (CRL) for key %1 from the certification authority. Verify that the CA service is running, the Network Device Enrollment Service account has Read permission on the CA service, and the CA service has successfully created the latest CRL. Use the Certification Authority management console to verify the permissions on the CA service. Use the command: Certutil -config "%2" -cainfo crl %3 to verify that the CA service has created the latest CRL. The error returned was (%4). %5
Event text (German): The certificate revocation list for the key %1 cannot be retrieved from the certification authority by the registration service for network devices. Ensure that the CA service is running, that the Network Device Enrollment Service account has read permission for the CA service, and that the CA service has successfully created the latest certificate revocation list. Use the Certificate Authority Management Console to check the permissions for the Certificate Authority Service. Use the command "Certutil -config "%2" -cainfo crl %3" to ensure that the CA service has created the latest certificate revocation list. Error returned: (%4). %5