Electronic data exchange with the German Pension Insurance

Recent work together with B-I-T GmbH Information and processes from Hanover involved implementing the electronic data exchange with the statutory health insurance funds and the pension insurance from one application.

Here, a combination of authenticated data transmission of both signed and encrypted messages is used. PKI technologies are used in all these cases.

The message format used is documented here.


Inspect TLS traffic with Wireshark (decrypt HTTPS)

When troubleshooting, it can be very helpful to view encrypted SSL connections in order to inspect the messages within. There is a relatively simple way to do this with Wireshark.


HTTP error code 403 when logging on to Internet Information Services (IIS) using client certificate after renewing web server certificate

Assume the following scenario:

  • A user or application accesses a web page or web application running on an Internet Information Services (IIS) web server.
  • The web server is configured to request a client certificate for the requested resource.
  • Although there is a valid client certificate on the client, the error code 403 Forbidden is returned immediately. The user is not prompted (when calling the page with a browser) to select a certificate.
  • The web server certificate was recently renewed and the IIS SSL binding was configured accordingly via the IIS Manager.
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

Manually requesting a web server certificate

There are cases in which you cannot or do not want to obtain web server certificates directly from a certification authority in your own Active Directory forest via the Microsoft Management Console, for example if the system in question is not a domain member.

In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).


Use HTTP over Transport Layer Security (HTTPS) for the revocation list distribution points (CDP) and the online responder (OCSP).

With regard to the design of the infrastructure for providing revocation information - i.e. the CRL Distribution Points (CDP) as well as the Online Responders (Online Certificate Status Protocol, OCSP) - the question arises whether these should be "secured" via Secure Sockets Layer (SSL) or Transport Layer Security (TLS).


Should HTTPS be used for the Network Device Enrollment Service (NDES)?

The Network Device Enrollment Service (NDES) is Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP) developed by Cisco in the early 2000s. The first implementation was released with Windows Server 2003.

It may come as a surprise that, to this day, NDES does not use Secure Sockets Layer (SSL) for its HTTP connections in the default setting. This fact is explained and evaluated in more detail below.


Configuring the Network Device Enrollment Service (NDES) for use with an alias.

The following describes the steps required to configure the Network Device Enrollment Service (NDES) for use with an alias.

The term alias means that the service is not called with the name of the server on which it is installed, but with a generic name independent of this name. The use of an alias allows the service to be moved to another system at a later time without having to inform all participants of the new address.


Chrome and Safari limit SSL certificates to one year validity

Apple recently announced that, in the future, the Safari browser will only accept certificates with a validity of 398 days, provided they were issued on or after September 1, 2020.

Mozilla and Google want to implement comparable behavior in their browsers. So the question is whether this change will have an impact on internal certificate authorities - i.e. whether internal SSL certificates will also have to follow these rules in the future, as was the case, for example, with Google's enforcement of RFC 2818.


Requesting certificates via the Certificate Authority Web Enrollment (CAWE) fails with HTTP error code 403 "Forbidden: Access is denied."

Assume the following scenario:

  • A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
  • The role is installed on a separate server, not on the certification authority directly.
  • A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
  • The user's login to CAWE fails with HTTP code 403 "Forbidden: Access is denied.":
You do not have permission to view this directory or page using the credentials that you supplied.

Performing a functional test for Certificate Authority Web Enrollment (CAWE)

After installing and configuring Certificate Authority Web Enrollment (CAWE), it is essential to test the component extensively before releasing it to users. Below are instructions for a detailed functional test.


Enabling Secure Sockets Layer (SSL) for Certificate Authority Web Enrollment (CAWE).

In the default configuration, Certificate Authority Web Enrollment (CAWE) accepts only unencrypted connections via HTTP. It is recommended that the CAWE be configured for HTTP over TLS (HTTPS) to make network traffic interception more difficult. Instructions are provided below.


Certificate Enrollment Web Service (CES) request fails with error code "WS_E_INVALID_ENDPOINT_URL".

Assume the following scenario:

  • You try to request a certificate via a Certificate Enrollment Web Service (CES) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • The operation fails with the following error message:
Certificate Request Processor: The endpoint address URL is invalid. 0x803d0020 (-2143485920 WS_E_INVALID_ENDPOINT_URL)

Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "ERROR_WINHTTP_INVALID_CA".

Assume the following scenario:

  • You try to request a certificate via a Certificate Enrollment Web Service (CES) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • The operation fails with the following error message:
The certificate authority is invalid or corrupt. 0x80072f0d (WinHttp: 12045 ERROR_WINHTTP_SECURE_INVALID_CA)

Configuring a Secure Socket Layer (SSL) Certificate Template for Web Server

Below is a guide to configuring a web server template with recommended settings.


Inspect a certificate request (CSR)

Often, before submitting a certificate request to a certification authority - or before issuing the certificate - you want to verify that it contains the desired values.

The following describes how to achieve this.
