The local certificate store for trusted root certificate authorities is not synchronized from Active Directory

Assume the following scenario:

  • A certification authority hierarchy is established in the network and the root certification authority is mapped in the configuration partition of the Active Directory forest.
  • Domain members are configured to run the autoenrollment process to update trusted root certificate authorities from the Configuration partition.
  • However, this process does not work for some clients. The root CA certificates are not automatically downloaded and entered into the local trust store.
  • As a consequence certificate requests can failbecause, for example, the certification authority hierarchy is not trusted.
Continue reading „Der lokale Zertifikatspeicher für vertrauenswürdige Stammzertifizierungsstellen wird nicht aus dem Active Directory synchronisiert“

Troubleshooting for automatic certificate request (autoenrollment) via RPC/DCOM (MS-WCCE)

Assume the following scenario:

  • A certificate template is configured for automatic certificate request (autoenrollment).
  • The certificate template is published on a certification authority (Enterprise Certification Authority) integrated into Active Directory.
  • However, the users or computers configured for automatic Certificate Enrollment do not apply for certificates as intended.

The following is a troubleshooting guide.

Continue reading „Fehlersuche für die automatische Zertifikatbeantragung (Autoenrollment) via RPC/DCOM (MS-WCCE)“

No certificate is requested via autoenrollment if a user is connected via Virtual Private Network (VPN)

Assume the following scenario:

  • A user works remotely via Virtual Private Network (VPN)
  • Actually, a certificate should be requested via autoenrollment, but this is not done
  • A connection test (certutil -ping) to the certification authority throws the following error message:
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE) -- (31ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.
Continue reading „Es wird kein Zertifikat per Autoenrollment beantragt, wenn ein Benutzer per Virtual Private Network (VPN) verbunden ist“

Revocation of an issued certificate fails with error message "The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)".

Assume the following scenario:

  • A certificate is revoked via the command line (certutil -revoke).
  • The operation fails with the following error message:
ICertAdmin::RevokeCertificate: The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
Continue reading „Der Widerruf eines ausgestellten Zertifikats schlägt fehl mit Fehlermeldung „The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)““

Microsoft Outlook: Find out recipient certificates for S/MIME encrypted mails

For troubleshooting e-mail messages encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME), the encrypted part of a message can be exported. See article "Microsoft Outlook: Extracting an encrypted S/MIME message from an email„.

To find out with which certificates a message has been encrypted, you can proceed as follows...

Continue reading „Microsoft Outlook: Empfänger-Zertifikate bei S/MIME verschlüsselten Mails herausfinden“

Microsoft Outlook: View which algorithm was used for an S/MIME encrypted or signed email

Below is a description of where it is possible to view which symmetric algorithm was used to encrypt an email received, and which hash algorithm was used for a signed email.

Continue reading „Microsoft Outlook: Einsehen, welcher Algorithmus für eine S/MIME verschlüsselte oder signierte E-Mail verwendet wurde“

Configure logging level for the certification authority event log.

Some Windows events generated by the certification authority are only generated from a certain logging level.

The following describes how to determine and change the logging level of a certification authority.

Continue reading „Protokollierungsebene (Log Level) für das Ereignisprotokoll der Zertifizierungsstelle konfigurieren“

Restrict extended key usage (EKU) for imported root certification authority certificates

A useful hardening measure for Certification Authorities is to restrict the Certification Authority certificates so that they are only used for the actually issued extended key usage (Extended Key Usage) becomes familiar.

In the event of a compromise of the certification authority, the damage is then limited to these Extended Key Usages. The smart card logon extended key usage would then only be present in the certification authority certificate of the certification authority that actually issues such certificates.

Continue reading „Die erweiterte Schlüsselverwendung (Extended Key Usage, EKU) für importierte Stammzertifizierungstellen-Zertifikate einschränken“

Windows Defender detects certutil as malware (Win32/Ceprolad.A)

Assume the following scenario:

certutil -ping -kerberos -config "https://{Servername}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP" CEP 

The certutil command is incorrectly detected by Windows Defender or Windows Defenter Advanced Threat Protection as Win32/Ceprolad.A.

Continue reading „Windows Defender erkennt certutil als Schadsoftware (Win32/Ceprolad.A)“

Configuration of security event monitoring (auditing settings) for certification authorities

In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.

Continue reading „Konfiguration der Überwachung von Sicherheitsereignissen (Auditierungseinstellungen) für Zertifizierungsstellen“

Perform functional test for a Certification Authority

After installing a certification authority, after migrating to a new server, or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components of the certification authority are working as desired.

Continue reading „Funktionstest durchführen für eine Zertifizierungsstelle“

Publish a certificate revocation list (CRL) to an Active Directory revocation list distribution point (CDP).

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

In some cases (for example, with an offline certificate authority, or if non-standard LDAP revocation list distribution points have been configured), the certificate revocation list must be manually published to Active Directory.

Continue reading „Veröffentlichen einer Zertifikatsperrliste (CRL) auf einem Active Directory Sperrlistenverteilungspunkt (CDP)“

Create and publish a certificate revocation list

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

After a certificate has been revoked, a new revocation list must be created and published so that entities that check the revocation status are informed of the revocation. Since the revocation list has a relatively short expiration date, it must be reissued at regular intervals even if the content is not changed.

Continue reading „Erstellen und Veröffentlichen einer Zertifikatsperrliste“

Revoking an issued certificate

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

When a certificate is revoked, its serial number is placed on the revocation list. Entities that check the revocation of a certificate then consider it to be no longer valid.

Continue reading „Widerrufen eines ausgestellten Zertifikats“

After installing or migrating a certificate authority to a new server, you can no longer publish your own certificate templates

Assume the following scenario:

Continue reading „Nach Installation oder Migration einer Zertifizierungsstelle auf einen neuen Server können keine eigenen Zertifikatvorlagen mehr veröffentlicht werden“
en_USEnglish