When restoring a certification authority, the certification authority certificate is not selectable during role installation

Assume the following scenario:

Continue reading „Bei der Wiederherstellung einer Zertifizierungsstelle ist das Zertifizierungsstellen-Zertifikat bei der Rollen-Installation nicht auswählbar“

Troubleshooting for automatic certificate request (autoenrollment) via RPC/DCOM

Assume the following scenario:

  • A certificate template is configured for automatic certificate request (autoenrollment).
  • The certificate template is published on a certification authority (Enterprise Certification Authority) integrated into Active Directory.
  • However, the users or computers configured for automatic Certificate Enrollment do not apply for certificates as intended.

The following is a troubleshooting guide.

Continue reading „Fehlersuche für die automatische Zertifikatbeantragung (Autoenrollment) via RPC/DCOM“

Requesting certificates via Enroll on Behalf of (EOBO) is not possible because the certificate template is not displayed. The error message is "The certificate template requires too many RA signatures."

Assume the following scenario:

  • A certificate is requested for a user or a computer from a certificate authority via the certificate management console (certlm.msc or certmgr.msc).
  • One uses here the Enroll on Behalf of (EOBO) Mechanism.
  • The desired certificate template is not displayed.
  • If you check the "Show all templates" checkbox, the following error message will be displayed for the desired certificate template:
The certificate template requires too many RA signatures. Only one RA signature is allowed. Multiple request agent signatures are not permitted on a certificate request.
Continue reading „Die Beantragung eines Zertifikats über Enroll on Behalf of (EOBO) ist nicht möglich, da die Zertifikatvorlage nicht angezeigt wird. Die Fehlermeldung lautet „The certificate template requires too many RA signatures.““

Configuring the Trusted Platform Module (TPM) Key Attestation

Since Windows 8 it is possible, that private keys for certificates are protected with a - if available - Trusted Platform Module (TPM). This makes the key non-exportable - even with tools like mimikatz.

However, it is not obvious at first glance that it cannot be guaranteed that a TPM is really used. Although no application via Microsoft Management Console or AutoEnrollment possible if the computer does not have a TPM.

However, the configuration in the certificate template is only a default setting for the client. The certification authority will, when requesting do not explicitly check whether a Trusted Platform Module was really used.

To ensure that the private key of a certificate request has really been protected with a Trusted Platform Module, only the TPM Key Attestation remains.

Continue reading „Konfigurieren der Trusted Platform Module (TPM) Key Attestation“

Manually requesting a web server certificate

There are cases in which you cannot or do not want to obtain web server certificates directly from a certification authority in your own Active Directory forest via the Microsoft Management Console, for example if the system in question is not a domain member.

In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).

Continue reading „Manuelle Beantragung eines Webserver-Zertifikats“

Requesting a certificate is not possible because the certificate template is not displayed. The error message is "Can not find a valid CSP in the local machine."

Assume the following scenario:

  • A certificate is requested for a user or a computer from a certificate authority via the certificate management console (certlm.msc or certmgr.msc).
  • Autoenrollment does not request a certificate from the desired certificate template, although it is enabled and the permissions are set accordingly.
  • The desired certificate template is not displayed when applying manually via the Microsoft Management Console (MMC). If the "Show all templates" check box is selected, the following error message is displayed for the desired certificate template:
Cannot find object or property.
Can not find a valid CSP in the local machine.
Continue reading „Die Beantragung eines Zertifikats ist nicht möglich, da die Zertifikatvorlage nicht angezeigt wird. Die Fehlermeldung lautet „Can not find a valid CSP in the local machine.““

Change the signing algorithm of a certification authority hierarchy without issuing new certification authority certificates

Sometimes it may be necessary to change the Signature algorithm to subsequently change an already installed certification authority hierarchy.

This is often the case because one has installed them with PKCS#1 version 2.1 and unfortunately finds out afterwards that not all applications are compatible with the resulting certificates, and thus cannot use the hierarchy.

While it is relatively easy to change the signature algorithm for certificates issued by a certification authority, it is more difficult to do so for certification authority certificates.

Continue reading „Den Signaturalgorithmus einer Zertifizierungsstellen-Hierarchie ändern, ohne neue Zertifizierungsstellen-Zertifikate auszustellen“

Checking the connection to the private key of a certificate (e.g. when using a hardware security module)

For a function test or during troubleshooting, it can be useful to check whether the private key of a certificate is usable. If the key is secured with a hardware security module (HSM), for example, there are significantly more dependencies and possibilities for errors than with a software key.

Continue reading „Überprüfen der Verbindung zum privaten Schlüssel eines Zertifikate (z.B. bei Einsatz eines Hardware Security Moduls)“

Restoring a certification authority from backup

The following describes how to restore a certification authority from backup. In addition to the disaster case, this procedure is also part of the Migration of a certification authority to a new server.

Continue reading „Wiederherstellung einer Zertifizierungsstelle aus der Sicherung (Backup)“

Restoration of a Certification Authority Certificate with Hardware Security Module (HSM)

The following describes how to restore a certificate authority certificate with software key.

Restoring the certification authority certificate may be necessary for the following reasons:

Continue reading „Wiederherstellung eines Zertifizierungsstellenzertifikats mit Hardware Security Modul (HSM)“

Restoration of a certification authority certificate with software key

The following describes how to restore a certificate authority certificate with software key.

Restoring the certification authority certificate may be necessary for the following reasons:

Continue reading „Wiederherstellung eines Zertifizierungsstellenzertifikats mit Software-Schlüssel“

Certificate request fails with error message "0x800b0101 (-2146762495 CERT_E_EXPIRED)".

Assume the following scenario:

  • A user requests a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority)
  • The certificate request fails with the following error message.
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „0x800b0101 (-2146762495 CERT_E_EXPIRED)““

The certification authority service does not start and throws the error message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)"

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)““

The certification authority service does not start and throws the error message "A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)
Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)““

Requesting a certificate fails with the error message "You cannot request a certificate at this time because no certificate types are available."

Assume the following scenario:

  • You try to apply for a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • To do this, use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
  • The logged-in user also has the necessary permissions to request certificates from the certificate template in question (enroll).
  • You don't get any certificate templates to choose from, even though they are correctly published on the certificate authorities.
  • There is also no "Show hidden templates" option. This usually appears at the bottom left of the dialog.
  • The following error message is displayed:
Certificate types are not available. You cannot request a certificate at this time because no certificate types are available. If you need a certificate, contact your administrator.
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „You cannot request a certificate at this time because no certificate types are available.““
en_USEnglish