Tag: certutil

No certificate is requested via autoenrollment if a user is connected via Virtual Private Network (VPN)

Assume the following scenario:

  • A user works remotely via Virtual Private Network (VPN)
  • Actually, a certificate should be requested via autoenrollment, but this is not done
  • A connection test (certutil -ping) to the certification authority throws the following error message:
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE) -- (31ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.
Continue reading „Es wird kein Zertifikat per Autoenrollment beantragt, wenn ein Benutzer per Virtual Private Network (VPN) verbunden ist“

Revocation of an issued certificate fails with error message "The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)".

Assume the following scenario:

  • A certificate is revoked via the command line (certutil -revoke).
  • The operation fails with the following error message:
ICertAdmin::RevokeCertificate: The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
Continue reading „Der Widerruf eines ausgestellten Zertifikats schlägt fehl mit Fehlermeldung „The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)““

Microsoft Outlook: Find out recipient certificates for S/MIME encrypted mails

For troubleshooting e-mail messages encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME), the encrypted part of a message can be exported. See article "Microsoft Outlook: Extracting an encrypted S/MIME message from an email„.

To find out with which certificates a message has been encrypted, you can proceed as follows...

Continue reading „Microsoft Outlook: Empfänger-Zertifikate bei S/MIME verschlüsselten Mails herausfinden“

Microsoft Outlook: View which algorithm was used for an S/MIME encrypted or signed email

Below is a description of where it is possible to view which symmetric algorithm was used to encrypt an email received, and which hash algorithm was used for a signed email.

Continue reading „Microsoft Outlook: Einsehen, welcher Algorithmus für eine S/MIME verschlüsselte oder signierte E-Mail verwendet wurde“

Restrict extended key usage (EKU) for imported root certification authority certificates

A useful hardening measure for Certification Authorities is to restrict the Certification Authority certificates so that they are only used for the actually issued extended key usage (Extended Key Usage) becomes familiar.

In the event of a compromise of the certification authority, the damage is then limited to these Extended Key Usages. The smart card logon extended key usage would then only be present in the certification authority certificate of the certification authority that actually issues such certificates.

Continue reading „Die erweiterte Schlüsselverwendung (Extended Key Usage, EKU) für importierte Stammzertifizierungstellen-Zertifikate einschränken“

Windows Defender detects certutil as malware (Win32/Ceprolad.A)

Assume the following scenario:

certutil -ping -kerberos -config "https://{Servername}/ADPolicyProvider_CEP_Kerberos/service.svc/CEP" CEP

The certutil command is incorrectly detected by Windows Defender or Windows Defenter Advanced Threat Protection as Win32/Ceprolad.A.

Continue reading „Windows Defender erkennt certutil als Schadsoftware (Win32/Ceprolad.A)“

Configuration of security event monitoring (auditing settings) for certification authorities

In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.

Continue reading „Konfiguration der Überwachung von Sicherheitsereignissen (Auditierungseinstellungen) für Zertifizierungsstellen“

Perform functional test for a Certification Authority

After installing a certification authority, after migrating to a new server, or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components of the certification authority are working as desired.

Continue reading „Funktionstest durchführen für eine Zertifizierungsstelle“

Publish a certificate revocation list (CRL) to an Active Directory revocation list distribution point (CDP).

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

In some cases (for example, with an offline certificate authority, or if non-standard LDAP revocation list distribution points have been configured), the certificate revocation list must be manually published to Active Directory.

Continue reading „Veröffentlichen einer Zertifikatsperrliste (CRL) auf einem Active Directory Sperrlistenverteilungspunkt (CDP)“

Create and publish a certificate revocation list

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

After a certificate has been revoked, a new revocation list must be created and published so that entities that check the revocation status are informed of the revocation. Since the revocation list has a relatively short expiration date, it must be reissued at regular intervals even if the content is not changed.

Continue reading „Erstellen und Veröffentlichen einer Zertifikatsperrliste“

Revoking an issued certificate

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

When a certificate is revoked, its serial number is placed on the revocation list. Entities that check the revocation of a certificate then consider it to be no longer valid.

Continue reading „Widerrufen eines ausgestellten Zertifikats“

After installing or migrating a certificate authority to a new server, you can no longer publish your own certificate templates

Assume the following scenario:

Continue reading „Nach Installation oder Migration einer Zertifizierungsstelle auf einen neuen Server können keine eigenen Zertifikatvorlagen mehr veröffentlicht werden“

Manually running the autoenrollment process

By default, all domain members automatically replicate the Public Key Services object he Active Directory forest through the autoenrollment process. The triggers for this are:

  • When the user logs in (for computers, when the computer account logs in, i.e. at system startup).
  • By timer every 8 hours.
  • When updating group policies, assuming there has been a change.

If you do not want to wait for the autoenrollment to be triggered automatically, you can start it manually. The different ways to run the autoenrollment process are described below.

Continue reading „Manuelles Ausführen des Autoenrollment Prozesses“

Inspect a certificate request (CSR)

Often, before submitting a certificate request to a certification authority - or before issuing the certificate - you want to verify that it contains the desired values.

The following describes how to achieve this.

Continue reading „Eine Zertifikatanforderung (CSR) inspizieren“

Subsequently change the Subject Distinguished Name (DN) of a certificate request (CSR)

Sometimes it is necessary to change the Subject Distinguished Name (also called Subject, Subject DN, Applicant or Subject) of a certificate request before issuing the certificate.

Under certain circumstances, this is certainly possible, as described below.

Continue reading „Den Subject Distinguished Name (DN) einer Zertifikatanforderung (CSR) nachträglich verändern“
en_USEnglish
de_DEDeutsch en_USEnglish