Manually requesting a Remote Desktop (RDP) certificate

There are cases in which you cannot or do not want to obtain Remote Desktop certificates from a certificate authority in your own Active Directory forest, for example, if the system in question is not a domain member.

In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).

Continue reading „Manuelle Beantragung eines Remotedesktop (RDP) Zertifikats“

Creation of a manual certificate request fails with error message "Expected INF file section name 0xe0000000".

Assume the following scenario:

  • An information file for a manual certificate request is created.
  • Creating the certificate request using the file fails with the following error message:
Expected INF file section name 0xe0000000 (INF: -536870912)
Continue reading „Die Erstellung einer manuellen Zertifikatanforderung schlägt fehl mit Fehlermeldung „Expected INF file section name 0xe0000000““

Send a manually created certificate request to a certification authority

If a certificate request exists, for example after manual generation, in the form of a text file (usually with the extension .CSR or .REQ), it can be sent to the certification authority using on-board means.

Continue reading „Eine manuell erstellte Zertifikatanforderung an eine Zertifizierungsstelle senden“

Certificate Enrollment Web Service (CES) request fails with error code "WS_E_ENDPOINT_FAULT_RECEIVED".

Assume the following scenario:

  • A Certificate Enrollment Web Service (CES) is implemented in the network.
  • A certificate request is sent to the CES.
  • The certificate request fails with the following error message:
A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)
Continue reading „Die Beantragung eines Zertifikats über den Certificate Enrollment Web Service (CES) schlägt fehl mit dem Fehlercode „WS_E_ENDPOINT_FAULT_RECEIVED““

Chrome and Safari limit SSL certificates to one year validity

Apple recently announced that the Safari browser will only accept certificates with a validity of 398 days in the future, provided they were issued from September 1, 2020.

Mozilla and Google want to implement comparable behavior in their browsers. So the question is whether this change will have an impact on internal certificate authorities - i.e. whether in future internal SSL certificates will also have to follow these rules, as is the case, for example, with the enforcement of the RFC 2818 by Google was the case.

Continue reading „Chrome und Safari limitieren SSL Zertifikate auf ein Jahr Gültigkeit“

Literature and other resources about public key infrastructures and Active Directory Certificate Services

The following is an overview of literature available on the market on the subject of public key infrastructures and Active Directory Certificate Services, as well as online resources from Microsoft and other PKI specialists.

Continue reading „Literatur und weitere Ressourcen über Public Key Infrastrukturen und Active Directory Certificate Services“

Performance problems with auditing of "Start and stop Active Directory Certificate Services".

When configuring the auditing settings of a certificate authority, one is inclined to select the "Start and Stop Active Directory Certificate Services" option. However, this option may cause problems in some circumstances.

Continue reading „Performanceprobleme bei Auditierung von „Start and stop Active Directory Certificate Services““

More than one common name (CN) in the certificate

Nowadays rather a curiosity than really relevant in practice, but it does happen from time to time that you receive certificate requests that contain more than one common name in the subject. Even though it may seem surprising, this is quite possible and also RFC compliant.

Continue reading „Mehr als ein gemeinsamer Name (Common Name, CN) im Zertifikat“

The SMTP Exit module does not work on Windows Server Core

Assume the following scenario:

  • A certificate authority is installed on Windows Server Core.
  • The SMTP file supplied with the certification authority is used. Exit module configured.
  • However, the Certification Authority does not send e-mails.
  • In the event log, the Event no. 46 logged with the following error message:
The "Windows default" Exit Module "Initialize" method returned an error. Class not registered The returned status code is 0x80040154 (-2147221164). The Certification Authority was unable to initialize email messaging objects.
Continue reading „Das SMTP Exit Modul funktioniert nicht auf Windows Server Core“

Allow requesting a specific signature key on a certification authority

The Microsoft Certification Authority always signs certificates using the key associated with the most recent Certification Authority Certificate. The signing certificate for an OCSP response should be in accordance with RFC 6960 but signed by the same key as the certificate to be verified:

The CA SHOULD use the same issuing key to issue a delegation certificate as that used to sign the certificate being checked for revocation.

https://tools.ietf.org/html/rfc6960#section-4.2.2.2

However, if the certification authority certificate is renewed and a new key pair is used in the process, it is necessary for the online responder to continue to maintain valid signature certificates for the certificates issued with the previous certification authority certificate, since these are ultimately still valid and must be checked for revocation.

Continue reading „Die Beantragung eines bestimmten Signaturschlüssels auf einer Zertifizierungsstelle erlauben“

Certificate request fails with error message "The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)".

Assume the following scenario:

  • A certificate request is sent to a certification authority.
  • The certificate request fails with the following error message:
Error Parsing Request The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)““

Certificate request fails with error message "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Assume the following scenario:

  • A user sends a certificate request to a certificate authority.
  • The certificate request fails with the following error message:
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).
Denied by Policy Module.
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).““

Windows Server Migration Matrix for the Certification Authority

At the latest when the End of product support by the manufacturer (Microsoft) approaches, the question arises as to how and to which operating system a certification authority should be migrated.

Continue reading „Windows Server Migrations-Matrix für die Zertifizierungsstelle“

Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server

Often a certification authority lives significantly longer than the server on which it was installed. Reasons for migrating the certification authority to a new server, i.e. while retaining the data, can be:

  • Defect or end of life of the server hardware
  • End of life of the server operating system
  • Change of the server name

The procedure for migration is described in detail below.

Continue reading „Migration einer Active Directory integrierten Zertifizierungsstelle (Enterprise Certification Authority) auf einen anderen Server“
en_USEnglish
de_DEDeutsch en_USEnglish