Configuring a Secure Socket Layer (SSL) Certificate Template for Web Server

Below is a guide to configuring a web server template with recommended settings.

Continue reading „Konfigurieren einer Secure Socket Layer (SSL) Zertifikatvorlage für Web Server“

Configuring a Certificate Template for Authentication Mechanism Assurance (AMA)

Authentication Mechanism Assurance (AMA) provides the ability to tie membership in a security group to enrollment with a smart card certificate containing a specific Object Identifier (OID).

If the user does not log in with the smartcard certificate, but with user name and password, he is also not a member of the security group.

The following describes how to generate a certificate template for use with Authentication Mechanism Assurance.

Continue reading „Konfigurieren einer Zertifikatvorlage für Authentication Mechanism Assurance (AMA)“

Domain Controller Certificate Templates and Smartcard Logon

In order for domain controllers to process smart card logins, they need certificates that provide this function.

Continue reading „Domänencontroller-Zertifikatvorlagen und Smartcard Anmeldung“

(Re-)Installing the Microsoft Standard Certificate Templates

There may be cases where it is necessary to install the standard Microsoft certificate templates before installing the first Active Directory integrated certificate authority (Enterprise Certification Authority), or to reinstall the templates, for example because they have been corrupted or otherwise modified.

Continue reading „(Neu-) Installieren der Microsoft Standard Zertifikatvorlagen“

The Network Device Enrollment Service (NDES) administration web page (certsrv/mscep_admin) reports "You do not have sufficient permission to enroll with SCEP. Please contact your system administrator."

Assume the following scenario:

  • An NDES server is configured on the network.
  • When calling the administration web page (certsrv/mscep_admin) the following message appears:
You do not have sufficient permission to enroll with SCEP. Please contact your system administrator. 
Continue reading „Die Network Device Enrollment Service (NDES) Administrations-Webseite (certsrv/mscep_admin) meldet „You do not have sufficient permission to enroll with SCEP. Please contact your system administrator.““

Configure Device Template for Network Device Enrollment Service (NDES)

By default, the Network Device Enrollment Service (NDES) requests certificates from the "IPsec (Offline Request)" template. This certificate template is from Windows 2000 times and cannot be edited. Therefore, it is recommended to change the default settings and use your own certificate templates that serve your personal requirements.

Continue reading „Gerätevorlage für den Registrierungsdienst für Netzwerkgeräte (NDES) konfigurieren“

Using custom Registration Authority (RA) certificate templates for the Network Device Enrollment Service (NDES).

The Network Device Enrollment Service (NDES) uses two certificate templates for its internal function to make it act as a Registration Authority (RA). These are published during role configuration of the NDES service on the configured certificate authority and certificates are requested:

  • CEP Encryption
  • Exchange Enrollment Agent (Offline Request)

These certificate templates are standard templates from the Windows 2000 world (version 1 templates), i.e. they cannot be edited. In addition, the Exchange Enrollment Agent (Offline Request) template is marked as a user template, i.e. during NDES role configuration the certificate is requested in the context of the installing user and then imported into the machine store. At the latest when the certificates are to be renewed after two years, things get complicated here.

It is therefore a good idea to use your own certificate templates for NDES. These can be adapted in terms of their key length, for example. The use of hardware security modules (HSM) is also possible in this way. Even automatic renewal can be configured.

Continue reading „Eigene Registration Authority (RA) Zertifikatvorlagen für den Registrierungsdienst für Netzwerkgeräte (NDES) verwenden“

What requirements must be met on the infrastructure side for smartcard logins to be possible?

In order for a smart card login to be successful, some requirements must be met in the Active Directory environment:

Continue reading „Welche Voraussetzungen müssen auf Infrastruktur-Seite erfüllt sein, damit Smartcard-Anmeldungen möglich sind?“

Description of the EDITF_ADDOLDKEYUSAGE flag

When installing a subordinate certificate authority, you may encounter the following behavior:

  • One requests a Key Usage extension that is marked as critical, for example, or does not include DigitalSignature.
  • However, the certificate issued by the parent certificate authority includes DigitalSignature, and the Key Usage extension is marked as non-critical.
  • The parent certification authority is a standalone certification authority, i.e. without Active Directory integration.
Continue reading „Beschreibung des Flags EDITF_ADDOLDKEYUSAGE“

How secure is the "Allow private key to be exported" setting in the certificate templates?

PKI administrators often assume that the option in the certificate template to not allow the private key for export is mandatory.

Continue reading „Wie sicher ist die Einstellung „Allow private key to be exported“ in den Zertifikatvorlagen?“

Overview of the different generations of domain controller certificates

Over the generations of Windows operating systems, various certificate templates for domain controllers have been established. In a current Active Directory directory service, one will find three different templates for this purpose.

  • Domain controller
  • Domain Controller Authentication
  • Kerberos Authentication

Below is a description of each template and a recommendation for configuring domain controller certificate templates.

Continue reading „Übersicht über die verschiedenen Generationen von Domänencontroller-Zertifikaten“

The online responder (OCSP) requests new signature certificates every four hours

Assume the following scenario:

  • The online responders are configured to request signing certificates using a certificate template from an Active Directory integrated certificate authority.
  • The online responders apply for a new signature certificate at regular intervals (every four hours), even though the existing certificate is still valid for a sufficiently long time.
Continue reading „Der Onlineresponder (OCSP) beantragt alle vier Stunden neue Signaturzertifikate“

Advanced queries against the certification authority database

The Certification Authority database stores much of the information about a Certification Authority's activities. Among other things, it contains information about:

  • Certificates issued
  • Revoked certificates
  • Published blacklists
  • Pending certificate requirements
  • Rejected certificate requests
  • Failed certificate requests

Viewing the contents of the certification authority database is usually done via the certification authority's management console (certsrv.msc), but the possibilities for evaluation and especially for machine processing are very limited.

Continue reading „Erweiterte Abfragen gegen die Zertifizierungsstellen-Datenbank“

Requesting a certificate for domain controller fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)".

Here's the scenario:

  • Requesting a certificate for a domain controller fails.
  • On the certification authority, the certificate request is logged in the failed requests. The error message reads:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)
Continue reading „Die Beantragung eines Zertifikats für Domänencontroller schlägt fehl mit Fehlermeldung „The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)““

Requesting a certificate fails with the error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."

Assume the following scenario:

  • You try to apply for a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • To do this, use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
  • However, the desired certificate template is not displayed for selection, even though it has been correctly published on the certification authority.
  • The logged-in user (or computer) also has the necessary permissions to request certificates from the certificate template in question (enroll).
  • In the list of available certificate templates within the MMC, all certificate templates are displayed. At the desired certificate template is written:
A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.““
en_USEnglish