Tag: Cache

The local certificate store for trusted root certificate authorities is not synchronized from Active Directory

Assume the following scenario:

  • A certification authority hierarchy is established in the network and the root certification authority is mapped in the configuration partition of the Active Directory forest.
  • Domain members are configured to run the autoenrollment process to update trusted root certificate authorities from the Configuration partition.
  • However, this process does not work for some clients. The root CA certificates are not automatically downloaded and entered into the local trust store.
  • As a consequence certificate requests can failbecause, for example, the certification authority hierarchy is not trusted.
Continue reading „Der lokale Zertifikatspeicher für vertrauenswürdige Stammzertifizierungsstellen wird nicht aus dem Active Directory synchronisiert“

Basics of online responders (Online Certificate Status Protocol, OCSP)

Certificates usually have a "CRL Distribution Points" extension that tells an application where the certificate's associated Certificate Revocation List (CRL) can be found.

This is like a telephone directory: It contains all the serial numbers of certificates that have been recalled by the certification authority (and are still valid). Every application that checks the revocation status must download and evaluate the entire revocation list.

As the size increases, this procedure becomes increasingly inefficient. As a rule of thumb, 100,000 recalled certificates already correspond to approx. 5 MB file size for the revocation list.

The Online Certificate Status Protocol (OCSP) was developed for this purpose (under the leadership of ValiCert): It is similar to a directory assistance service where applications can request the revocation status for individual certificates, thus eliminating the need to download the entire CRL. OCSP is available in the RFC 6960 specified.

Continue reading „Grundlagen Onlineresponder (Online Certificate Status Protocol, OCSP)“

Overview of the setting options for blocking configurations of the online responder (OCSP).

If a blocking configuration is configured for an online responder, there are various setting options that are discussed below.

Continue reading „Übersicht über die Einstellungsmöglichkeiten für Sperrkonfigurationen des Onlineresponders (OCSP)“

Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Your digital ID name cannot be found by the underlying security system" appears.

Assume the following scenario:

  • A user receives an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The message cannot be opened.
  • When opening the message, the following error message is displayed:
Sorry, we're having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook. Your digital ID name cannot be found by the underlying security system.
Continue reading „Microsoft Outlook: Mit S/MIME verschlüsselte E-Mails können nicht geöffnet werden. Es erscheint die Fehlermeldung „Your digital ID name cannot be found by the underlying security system.““

Configure the "Magic Number" for the online responder

Even if an online responder is present in the network and the certification authorities have entered its address in the Authority Information Access (AIA) extension of the issued certificates, it is not always guaranteed that the online responder is actually used.

One variable here is the "Magic Number", which is present on every Windows operating system. It causes the system to fall back to blacklists (if present) if requests are made too often via OCSP for the same certificate authority.

Continue reading „Die „Magic Number“ für den Onlineresponder konfigurieren“

Details of the event with ID 33 of the source Microsoft-Windows-NetworkDeviceEnrollmentService

Event Source:Microsoft-Windows-NetworkDeviceEnrollmentService
Event ID:33 (0x21)
Event log:Application
Event type:Error
Symbolic Name:EVENT_MSCEP_ADD_ID
Event text (English):The Network Device Enrollment Service failed to cache this certificate ID and transaction ID (%1). %2
Event text (German):The certificate ID and the transaction ID cannot be cached by the registration service for network devices (%1). %2
Continue reading „Details zum Ereignis mit ID 33 der Quelle Microsoft-Windows-NetworkDeviceEnrollmentService“

Basics: Checking the revocation status of certificates

If a valid, unexpired certificate is to be withdrawn from circulation, it must be revoked. For this purpose, the certification authorities maintain corresponding revocation lists in which the digital fingerprints of the revoked certificates are listed. They must be queried during the validity check.

Continue reading „Grundlagen: Überprüfung des Sperrstatus von Zertifikaten“

How are the compatibility settings for certificate templates technically mapped?

Since the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility for the certificate authority and certificate recipient when configuring a certificate template.

In the following, this function is described in more detail, as well as possible effects in practice.

Continue reading „Wie sind die Kompatibilitätseinstellungen für Zertifikatvorlagen technisch abgebildet?“

Perform functional test for a Certification Authority

After installing a certification authority, after migrating to a new server, or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components of the certification authority are working as desired.

Continue reading „Funktionstest durchführen für eine Zertifizierungsstelle“

View and clear the revocation list address cache (CRL URL Cache).

All applications that use the Microsoft Cryptographic Application Programming Interface Version 2 (Crypto API Version 2, CAPI2) have a mechanism for caching certificate revocation information (Certificate revocation lists and OCSP-answers).

Thus, there is no guarantee that, for example, a newly published blacklist will be used by participants before the previous blacklist, which is still in the cache, has expired.

The following describes how to view and influence the blacklist cache.

Continue reading „Den Adress-Zwischenspeicher für Sperrlisten (CRL URL Cache) einsehen und löschen“

Requesting certificates via Certificate Enrollment Policy Web Service (CEP) fails with error message "The requested certificate template is not supported by this CA."

Assume the following scenario:

  • You try to request a certificate via a Certificate Enrollment Policy Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • The operation fails with the following error message:
The requested certificate template is not supported by this CA.
Continue reading „Die Beantragung eines Zertifkats über den Certificate Enrollment Policy Web Service (CEP) schlägt fehl mit Fehlermeldung „The requested certificate template is not supported by this CA.““

Use Authentication Mechanism Assurance (AMA) to secure administrative account logins.

Authentication Mechanism Assurance (AMA) is a feature designed to ensure that a user is a member of a security group only if they can be shown to have logged in using a strong authentication method (i.e., a smart card). If the user logs in via username and password instead, he or she will not have access to the requested resources.

Originally intended for access to file servers, however, AMA can also be used (with some restrictions) for administrative logon. Thus, for example, it would be conceivable for a user to be unprivileged when logging in with a username and password, and to have administrative rights when logging in with a certificate.

Continue reading „Verwenden von Authentication Mechanism Assurance (AMA) für die Absicherung der Anmeldung administrativer Konten“

View and clear the certificate enrollment policy cache for the Certificate Enrollment Policy Web Service (CEP).

After a certificate enrollment policy is configured and used by a subscriber, the results are cached locally (Enrollment Policy Cache).

If changes are now made to the infrastructure, for example by publishing or removing a new certificate template on a certification authority accessible via Certificate Enrollment Web Service (CES), these changes are not immediately visible to subscribers due to the cache.

For this reason, it may be helpful to view or clear the cache.

Continue reading „Den Zwischenspeicher für Zertifikatregistrierungsrichtlinien (Enrollment Policy Cache) für den Certificate Enrollment Policy Web Service (CEP) einsehen und löschen“

The Network Device Enrollment Service (NDES) Administration web page (certsrv/mscep_admin) reports "The password cache is full."

Assume the following scenario:

  • An NDES server is configured on the network.
  • When calling the administration web page (certsrv/mscep_admin) the following message appears:
The password cache is full.
Continue reading „Die Network Device Enrollment Service (NDES) Administrations-Webseite (certsrv/mscep_admin) meldet „The password cache is full.““
en_USEnglish
de_DEDeutsch en_USEnglish