Uwe Gradenegger - Page 18 - Passionate about PKI

Certificate Enrollment for Windows Systems via the Network Device Enrollment Service (NDES) with Windows PowerShell

If you want to equip Windows systems with certificates that do not have the option of communicating directly with an Active Directory-integrated certification authority, or that are not even in the same Active Directory forest, the only option in most cases is to install certificates manually.

Since Windows 8.1 / Windows Server 2012 R2, however, there is an integrated client for the Simple Certificate Enrollment Protocol (SCEP) on board. On the server side, SCEP is implemented via the Network Device Enrollment Service (NDES) implemented in the Microsoft PKI since Windows Server 2003.

A particularly interesting feature of SCEP is that the protocol allows a certificate to be renewed by specifying an existing one. So what could be more obvious than to use this interface? What is still missing is a corresponding automation via Windows PowerShell.

Network Device Enrollment Service (NDES) Basics

The Simple Certificate Enrollment Protocol (SCEP) was developed by Verisign for Cisco in the early 2000s to provide a simplified method for requesting certificates. Previously, network devices required manually generating a certificate request on each device, submitting it to a certificate authority, and then manually reinstalling the issued certificate on the corresponding device.

Description of the different certificate formats

X.509 certificates are always encoded in the Distinguished Encoding Rules (DER) format. This is a binary, machine-readable format.

DER-encoded certificates can, however, also be converted into a text-based format using the BASE64 process so that they can be transmitted in an e-mail body, for example. BASE64 encloses the DER-encoded format, i.e. the certificate is and remains DER-encoded in any case.

Authentication at the Network Device Enrollment Service (NDES) with an existing certificate (renewal mode)

The Network Device Enrollment Service (NDES) has the ability to authenticate with a previously issued certificate in order to reapply for a certificate with the same content. This is very convenient for renewal operations, as it eliminates the need to apply for a one-time password beforehand.

Configure logging level for the certification authority event log.

Some Windows events generated by the certification authority are only generated from a certain logging level.

The following describes how to determine and change the logging level of a certification authority.

Certificate or revocation list issuance fails with error code CERTSRV_E_NO_DB_SESSIONS

Assume the following scenario:

The Certification Authority cannot issue certificates and/or
The Certification Authority cannot issue revocation lists.
At least one of the following error messages is logged:

Event ID: 53 (Microsoft-Windows-CertificationAuthority)

Active Directory Certificate Services denied request 12345 because An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions. 0x8009400f (-2146877425 CERTSRV_E_NO_DB_SESSIONS). The request was for CN=Rudi Ratlos. Additional information: Denied by Policy Module

Event ID: 130 (Microsoft-Windows-CertificationAuthority)

Active Directory Certificate Services could not create a certificate revocation list. An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions 0x8009400f (-2146877425). This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the certificate revocation list manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.

Installation of a certificate authority fails with error code ERROR_INVALID_PARAMETER

Assume the following scenario:

A certification authority is installed
The role configuration fails with the following error message:

CCertSrvSetupProperty: The parameter is incorrect. 0x80070057 (WIN32: ERROR_INVALID_PARAMETER).

Role configuration for Network Device Enrollment Service (NDES) fails with error message "Failed to Enroll RA certificates. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)"

Assume the following scenario:

One installs a Network Device Enrollment Service (NDES) server
One has the necessary permissions to install the role (local administrator, enterprise administrator)
The role configuration fails with the following error message:

Failed to enroll RA certificates. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)

Analyze network problems with Wireshark without installing software on production systems

Often, problems with the public key infrastructure can be found in the underlying network - for example, if a firewall rule is missing from the network.

Thus, it is helpful if one is able to record network traffic in order to analyze it. Excellent tools exist for this purpose, such as Wiresharkbut these require that an installation be made on the system in question, which cannot and should not be done easily on a production system.

Fortunately, the Windows Server operating system has a built-in mechanism to capture network packets. However, the resulting files are not compatible with Wireshark. The Microsoft proprietary tool, Message Analyzer, was discontinued on Nov 25, 2019 and the download links removed.

The following therefore describes how such a recording can be generated and subsequently converted into a Wireshark-compatible format in order to be able to analyze the recording away from the server in question.

The display name of a certificate template is not resolved. Only the object identifier (OID) of the certificate template is displayed.

Assume the following scenario:

For a certificate template, only the object identifier is shown, but not the display name and/or
Queries against the certificate authority database contain only the object identifier for the certificate template ("CertificateTemplate" field), but not the display name.

Is there a dependency of the Network Devices Registration Service (NDES) with the NTAuthCertificates object?

The Network Device Registration Service (NDES) has two Registration Authority Certificates. With the enrollment agent certificate, certificate requests are signed and one can use the Configure NDES device template accordingly so that certificates are also only issued if the submitted certificate requests also have a corresponding signature..

Do you plan to use the Certification Authority connected to the NDES remove from the NTAuthCertificates objectThe question may arise as to whether mutual dependencies need to be taken into account here - after all, this requires Enroll on Behalf Of (EOBO) the presence of the certificate authority certificate in NTAuthCertificates.

Installation of a certificate authority fails with error code "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Assume the following scenario:

An attempt is made to install a certificate authority
The role configuration fails with the following error message:

An error occurred when creating the new key container "ADCS Labor Issuing CA 3". Please make sure the CSP is installed correctly or select another CSP.
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).

Lock check via online responder (OCSP) fails with HTTP error code 404 (HTTP_E_STATUS_NOT_FOUND)

Assume the following scenario:

After installing an online responder (OCSP), setting up a revocation configuration and adjusting the certification authority or Configuring a group policy that forces clients to use the online responder, falls at the Function test that this nevertheless does not work.
The OCSP address check reports HTTP status 404 (not found).

Installation of a certificate authority integrated into Active Directory using Windows PowerShell fails with error message "A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)".

Assume the following scenario:

A certification authority (Enterprise CA) integrated into Active Directory is installed using Windows PowerShell (Install-AdcsCertificationAuthority).
The role configuration fails with the following error message:

Install-AdcsCertificationAuthority : Active Directory Certificate Services setup failed with the following error: A value for the attribute was not in the acceptable range of values. 0x80072082 (WIN32: 8322 ERROR_DS_RANGE_CONSTRAINT)

Overview of Active Directory events relevant for PKI

The following is an overview of the events generated on domain controllers in the Windows Event Viewer that are relevant to the public key infrastructure.