Subsequent archiving of private keys

For the encryption of e-mail messages, companies usually use the Secure / Multipurpose Internet Message Extensions (S/MIME) standard and provide their users with appropriate certificates for this purpose.

An important aspect here is that the users' private keys should be secured centrally - in contrast to the signature certificates that are otherwise mostly used. Incoming messages are encrypted for a specific private key and can only be decrypted again by the same person. Thus a backup of these keys must absolutely be available - also for the Synchronization to mobile devices this is indispensable. For this purpose, the Microsoft Active Directory Certificate Services offer the function of the Private Key Archival.

But what if private key archiving has not been set up and users have already applied for corresponding certificates?

Continue reading „Nachträgliche Archivierung privater Schlüssel“

Signing certificates bypassing the certification authority - solely using built-in tools

In the article "Signing certificates bypassing the certification authority"I described how an attacker with administrative rights on the certification authority can generate a logon certificate for administrative accounts of the domain by bypassing the certification authority software, i.e. by directly using the private key of the certification authority.

In the previous article I described the PSCertificateEnrollment Powershell Module is used to demonstrate the procedure. Microsoft supplies with certreq and certutil However, perfectly suitable pentesting tools are already included with the operating system ex works.

Continue reading „Signieren von Zertifikaten unter Umgehung der Zertifizierungsstelle – allein mit Bordmitteln“

Character encoding in the Subject Distinguished Name of certificate requests and issued certificates

Usually, the encoding of characters and strings in certificates is not a topic of great interest to the users of a PKI. However, there are cases where the default settings of the certification authority do not provide the desired results.

Continue reading „Zeichenkodierung im Subject Distinguished Name von Zertifikatanforderungen und ausgestellten Zertifikaten“

The partition of the Hardware Security Module (HSM) runs full

Assume the following scenario:

  • A Certification Authority uses a Hardware Security Module (HSM).
  • The partition of the hardware security module fills up with more and more keys over the lifetime of the certificate authority.
  • At SafeNet hardware security modules, this can even cause the partition to fill up. As a result, the events 86 and 88 logged by the Certification Authority.
Continue reading „Die Partition des Hardware Security Moduls (HSM) läuft voll“

Verification of the domain controller certificates throws the error code ERROR_ACCESS_DENIED

Assume the following scenario:

  • With certutil a verification of the domain controller certificates is performed.
  • The operation fails with the following error message:
0: DC01

*** Testing DC[0]: DC01
Enterprise Root store: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
KDC certificates: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

CertUtil: -DCInfo command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
Continue reading „Die Überprüfung der Domänencontroller-Zertifikate wirft den Fehlercode ERROR_ACCESS_DENIED“

What happens if a user has requested multiple certificates?

I recently encountered the phenomenon that due to a faulty request logic, several users had made new certificate requests at regular intervals.

The certificate template was configured to have incoming certificate requests released by a certificate manager, i.e. the certificates were not issued automatically. The certificate requests were to be checked by a separate code and then released.

One would now expect that (since all certificate requests would eventually be approved) users would now find multiple certificates of the same type in their certificate store (and the applications that use it). However, this was not the case.

Continue reading „Was passiert, wenn ein Benutzer mehrere Zertifikate beantragt hat?“

The database schema of the Certification Authority database

Would you like to Queries against the Certification Authority database formulate, you must first know what you want to look for.

There is a possibility to output the database schema of the certification authority database.

Continue reading „Das Datenbankschema der Zertifizierungsstellen-Datenbank“

Reconnecting to the private key fails with error message "Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Cannot find object or property.
Continue reading „Die Wiederherstellung der Verbindung zum privaten Schlüssel schlägt fehl mit Fehlermeldung „Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““

Installation of the default certificate templates fails with error message "This security ID may not be assigned as the owner of this object."

Assume the following scenario:

  • For the first time, a certification authority (Enterprise Certification Authority) integrated into Active Directory is to be installed in the network.
  • The rights to install the certificate authority have been delegated to a separate security group or account for security reasons, so no Enterprise Administrator login is required. Put another way: The user used is not a member of the Enterprise Administrators group in the Active Directory forest.
  • Since this is the first certification authority in the network, no Standard certificate templates installed in the Active Directory. When opening the certificate template management console (certtmpl.msc), one is prompted to install it.
  • The installation fails with the following error message:
Windows could not install the new certificate templates. This security ID may not be assigned as the owner of this object.
Continue reading „Die Installation der Standard-Zertifikatvorlagen schlägt fehl mit Fehlermeldung „This security ID may not be assigned as the owner of this object.““

Code signatures of Appx packages via SignTool.exe fail with error code 0x8007000b (ERROR_BAD_FORMAT)

Assume the following scenario:

  • An Appx package is to be signed.
  • For this purpose the SignTool.exe used.
  • The code signing certificate used was recently renewed.
  • The signing process with the new code signing certificate fails with the following error message:
"Error: SignerSign() failed." (-2147024885/0x8007000b) 
Continue reading „Codesignaturen von Appx Paketen per SignTool.exe schlagen fehl mit Fehlercode 0x8007000b (ERROR_BAD_FORMAT)“

Issue certificates with shortened validity period

Sometimes it is necessary to issue certificates with a shorter validity period than configured in the certificate template. Therefore, you may not want to reconfigure the certificate template right away or create another certificate template.

Continue reading „Zertifikate mit verkürzter Gültigkeitsdauer ausstellen“

Root certificates are imported on domain members into the certificate store for intermediate certificate authorities

Some will have noticed that the certificate store for intermediate CAs usually also contains certificates for root CAs.

As a rule, this behavior is not critical. In certain cases however, this can also cause problems with applications.

Continue reading „Stammstellen-Zertifikate werden auf Domänenmitgliedern in den Zertifikatspeicher für Zwischenzertifizierungsstellen importiert“

Restoring certificates from the SMTP Exit Module data

If you restore a certification authority from a backup after a disaster has occurred, you will probably find that certificates were issued in the period between the last backup and the system failure with corresponding data loss.

These certificates are now not stored in the restored certificate authority database, so they cannot be restored if needed.

If you are using the SMTP Exit Module, you can at least determine the serial numbers of the certificates from the sent e-mails and revoke them.

Continue reading „Wiederherstellen von Zertifikaten aus den Daten des SMTP Exit Moduls“

The local certificate store for trusted root certificate authorities is not synchronized from Active Directory

Assume the following scenario:

  • A certification authority hierarchy is established in the network and the root certification authority is mapped in the configuration partition of the Active Directory forest.
  • Domain members are configured to run the autoenrollment process to update trusted root certificate authorities from the Configuration partition.
  • However, this process does not work for some clients. The root CA certificates are not automatically downloaded and entered into the local trust store.
  • As a consequence certificate requests can failbecause, for example, the certification authority hierarchy is not trusted.
Continue reading „Der lokale Zertifikatspeicher für vertrauenswürdige Stammzertifizierungsstellen wird nicht aus dem Active Directory synchronisiert“

Troubleshooting for automatic certificate request (autoenrollment) via RPC/DCOM

Assume the following scenario:

  • A certificate template is configured for automatic certificate request (autoenrollment).
  • The certificate template is published on a certification authority (Enterprise Certification Authority) integrated into Active Directory.
  • However, the users or computers configured for automatic Certificate Enrollment do not apply for certificates as intended.

The following is a troubleshooting guide.

Continue reading „Fehlersuche für die automatische Zertifikatbeantragung (Autoenrollment) via RPC/DCOM“
en_USEnglish