Treatment of expired certificates when issuing certificate revocation lists

By default, the Microsoft Certification Authority removes the serial numbers of expired certificates from the revocation lists it issues.

However, there are some exceptions to this.

Continue reading „Behandlung abgelaufener Zertifikate bei der Ausstellung von Zertifikatsperrlisten“

List of use cases for certificates that require specific Cryptographic Service Providers (CSP) or Key Storage Providers (KSP).

Windows Server 2008, along with NSA Suite B algorithms (also known as Cryptography Next Generation, CNG) with Key Storage Providers, introduced a new, modern interface for generating, storing, and using private keys in the Windows ecosystem.

In most cases, it does not matter which CSP or KSP is used for certificates. However, some applications will not work or will not work correctly if the wrong provider is chosen.

Below is a list of use cases I know of for certificates that only work with a specific Cryptographic Service Provider (CSP) or Key Storage Provider (KSP).

Continue reading „Liste der Use Cases für Zertifikate, die bestimmte Cryptographic Service Provider (CSP) oder Key Storage Provider (KSP) benötigen“

The certification authority service does not start and throws the error message "The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)".

Assume the following scenario:

  • A certification authority is installed.
  • The installation is successful, but the Certificate Authority service does not start after the installation.
  • When trying to start the Certificate Authority service from the Certificate Authority Management Console, you receive the following error message:
The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
The policy module for a CA is missing or incorrectly registered. To view or change policy module settings, right-click on the CA, click Properties, and then click the Policy Module tab.
Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)““

Inspect TLS traffic with Wireshark (decrypt HTTPS)

When troubleshooting, it can be very helpful to view encrypted SSL connections in order to inspect the messages within. There is a relatively simple way to do this with Wireshark.

Continue reading „TLS-Datenverkehr mit Wireshark inspizieren (HTTPS entschlüsseln)“

HTTP error code 403 when logging on to Internet Information Services (IIS) using client certificate after renewing web server certificate

Assume the following scenario:

  • A user or application accesses a web page or web application running on an Internet Information Services (IIS) web server.
  • The web server is configured to request a client certificate for the requested resource.
  • Although there is a valid client certificate on the client, the error code 403 Forbidden is returned immediately. The user is not prompted (when calling the page with a browser) to select a certificate.
  • The web server certificate was recently renewed and the IIS SSL binding was configured accordingly via the IIS Manager.
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
Continue reading „HTTP Fehlercode 403 bei Anmeldung mittels Client-Zertifikat an Internet Information Services (IIS) nach Erneuerung des Webserver-Zertifikats“

Certificate request fails with error message "The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)".

Assume the following scenario:

  • A user sends a certificate request to a certificate authority.
  • The certificate request fails with the following error message:
The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)
Denied by Policy Module
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The request is missing required signature policy information. 0x80094809 (-2146875383 CERTSRV_E_SIGNATURE_POLICY_REQUIRED)““

Microsoft Outlook: Find out recipient certificates for S/MIME encrypted mails

For troubleshooting e-mail messages encrypted using Secure/Multipurpose Internet Mail Extensions (S/MIME), the encrypted part of a message can be exported. See article "Microsoft Outlook: Extracting an encrypted S/MIME message from an email„.

To find out with which certificates a message has been encrypted, you can proceed as follows...

Continue reading „Microsoft Outlook: Empfänger-Zertifikate bei S/MIME verschlüsselten Mails herausfinden“

Microsoft Outlook: Extracting an encrypted S/MIME message from an email

The encrypted part of an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME) is always contained in a file called "smime.p7m" as an attachment to the mail.

Outlook does not display this attachment, but it can be analyzed using the free Microsoft MFCMAPI extracted from the e-mail.

Continue reading „Microsoft Outlook: Extrahieren einer verschlüsselten S/MIME Nachricht aus einer E-Mail“

Basics: Configuration file for the certification authority (capolicy.inf)

The capolicy.inf contains basic settings that can or should be specified before installing a certificate authority. In simple terms, it can be said that no certificate authority should be installed without it.

Continue reading „Grundlagen: Konfigurationsdatei für die Zertifizierungsstelle (capolicy.inf)“

Certificate request fails with error message "The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)."

Assume the following scenario:

  • An attempt is made to request a certificate from a certificate authority (Enterprise CA) integrated into Active Directory for a user or computer.
  • The certificate request fails with the following error message:
The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE).
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE).““

Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Your digital ID name cannot be found by the underlying security system" appears.

Assume the following scenario:

  • A user receives an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The message cannot be opened.
  • When opening the message, the following error message is displayed:
Sorry, we're having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook. Your digital ID name cannot be found by the underlying security system.
Continue reading „Microsoft Outlook: Mit S/MIME verschlüsselte E-Mails können nicht geöffnet werden. Es erscheint die Fehlermeldung „Your digital ID name cannot be found by the underlying security system.““

Microsoft Outlook: Correctly signed e-mails (S/MIME) are displayed as invalid after the signature certificate expires

Assume the following scenario:

  • A user has received an email message in the past.
  • The message was signed with an S/MIME certificate.
  • The sender's signature certificate was issued by a certification authority that has been granted trust status with the recipient.
  • Thus, the signature was recognized as valid at the time the message was received.
  • The user opens the mail again some time later and finds that the signature is classified as invalid.
Continue reading „Microsoft Outlook: Korrekt signierte E-Mails (S/MIME) werden nach Ablauf des Signaturzertifikats als ungültig angezeigt“

Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester."

  • A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
  • One uses here the Enroll on Behalf of (EOBO) Mechanism.
  • The certificate request fails with the following error message:
The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.
Continue reading „Die Beantragung eines Zertifikats über Enroll on Behalf of (EOBO) schlägt fehl mit der Fehlermeldung „The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.““

Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

  • A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
  • One uses here the Enroll on Behalf of (EOBO) Mechanism.
  • The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Continue reading „Die Beantragung eines Zertifikats über Enroll on Behalf of (EOBO) schlägt fehl mit der Fehlermeldung „A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)““
en_USEnglish