In 2014 I was again active in the Microsoft security and infrastructure forums. I have used these discussions as my personal knowledge base.
(Last changed: April 1, 2015. Added last threads I contributed to in December 2014.)
- [2014-12-23] NDES (SCEP) authentication problems: Turned out to be a UAC issue.
- [2014-12-23] Duplicate certificate templates - most likely an AD replication issue.
- [2014-12-02] Error 'No mapping between account names and security ID' when requesting a certificate for IIS. Not reproducible.
- [2014-12-02] Configuration of UNC paths as CRL publication URLs.
- [2014-11-28] When are certificate templates not available on the certsrv website? Permissions, v3 templates, machine templates configured for retrieval of the name from AD.
- [2014-11-26] Maintaining Root Certs on Server Without Internet - like subscribing to a list of required CAs in the MS Root Program (and being informed about their 'revocation'). Not an option, unfortunately.
- [2014-11-22] Concerns re expired DC certificates. Can a DC be rebooted safely? Yes, as certificates are not required for 'standard AD functions'.
- [2014-11-22] Importing software key to HSM and re-associating certificate with the new instance of the key. Walking through commands: Backup software key, delete certificate, import certificate again using the -csp option.
- [2014-11-17] Issued certificates not showing in client's browser 'View the status of a pending certificate request'. This list is created from cookies at the client. Requests would not show up if the cookie had expired or the cookie doesn't work, e.g. because a non-standard directory (other than certsrv) had been used.
- [2014-11-12] How to force clients to trust a Windows Enterprise CA? GP Update, check pkiview.msc, publish the CA certificate to AD if it had not been published.
- [2014-11-11] SSL certificate error: 'mismatched address'. Unresolved - this error could be due to putting the full URL in the common name but this was not the issue here.
- [2014-11-07] Population of the Root CA certificate store with CAs certified in the MS Root Program. Done on demand since Vista; it can happen that not all EKUs are finally checked.
- [2014-11-07] 3 Tier CA Hierarchy - Configuring the 2nd Tier. I recommend Microsoft's own PKI showcase and reading Technet forums discussions about policy OID 'inheritance' and avoiding the Invalid Issuance Policies error.
- [2014-11-07] RPC enrollment error after removal of a machine from AD. Perhaps an issue related to a remaining Enrollment Services object?
- [2014-11-07] Blank Friendly Name. Should not be an issue as the Friendly Name is a store property, not an attribute or extension.
- [2014-11-06] Inherited CA with certsrv enrollment issues - create a certificate for Exchange though. I'd recommend submitting the CSR manually locally at the CA using certreq.
- [2014-11-03] RDP server certificate is re-created automatically after accidental deletion. I did some tests to be sure - a reboot may be required.
- [2014-10-31] certsrv application cannot be accessed on CA machine with unknown history. I recommend using certreq instead for urgent submissions, then fix / rebuild the PKI.
- [2014-10-31] Testing auto-enrollment with very short validity periods. Which is not supported by MS as I learned from this thread. Plus: Adding all usual things to test and troubleshoot. Use case: Smart auto-renewal with valid existing certificate.
- [2014-10-31] NPS 'two-factor' authentication and sending clients to VLANs. The former is not possible, the VLAN issue turned out to be due to hex used instead of string in the tag attribute.
- [2014-10-31] What are computer certificates used for? Question related to avoiding administrative efforts in case they are not needed for AD operations / Kerberos authentication.
- [2014-10-28] Revocation error in Outlook - seems to be an issue with the client not being able to access CRLs or CRLs having expired.
- [2014-10-28] Use CRTs not PFX files to populate public stores - in this case Trusted Publishers.
- [2014-10-27] Change of the crypto provider used with the CA's key. This is doable (using certutil -csp [CSP Name] -importpfx keyfile.pfx) - however from the question I cannot say if it is really an issue with the CA's key store or rather with the CSP used to generate a key on behalf of CISCO's ASA.
- [2014-10-24] 802.1x authentication error after CA had been migrated to another machine. Reason was: The new instance of the CA hadn't published CRLs to the old locations. Note that pkiview.msc keeps seeing the old locations even though all issued certificates (including CAExchange) already show the new ones.
- [2014-10-22] CA cannot start after 2003 to 2008 upgrade due to an issue with an incompatible log file format. I guessed wrong - it was not the case-sensitive entry for the hash algorithm in the registry this time.
- [2014-10-22] CA cannot start because of issues with access to the private key (or missing key). There is often no other way than restoring the key from the hopefully existing backup.
- [2014-11-22] An offline CA can still use a network HSM - provided it uses a private network.
- [2014-10-20] How / when to use CEP and CES for supporting users in different ADs, but with an account in a hosted forest. I think this is the perfect scenario CEP/CES had been designed for.
- [2014-10-20] Overcoming certificate validation issues by adding SSL client authentication certificates to the web server's Trusted People store... should not be required. I spotted two issues with CDP / AIA URL: Unsupported file URLs and an uncommon LDAP issue - perhaps due to AD MaxPageSize.
- [2014-10-20] Easy-to-manage solution for LDAPs (only) - PKI to be avoided (?) Theoretically one might distribute a self-signed server certificate (with multiple SANs) just as a CA. I would not try to re-use an existing server's certificate as a CA certificate. As usual, I am wary about non-SSL-capable crypto providers. In case a simple 1-tier PKI is created today, templates could be moved to a well-planned 2-tier PKI later.
- [2014-10-17] E-Mail Encryption certificate not found by Outlook - again due to not yet updated offline address book.
- [2014-10-15] SSL handshake fails if the client proposes RSA, while DH is fine. No solution yet - the CSP does not seem to be the culprit.
- [2014-10-15] pkiview errors as the Root CA's CRL has not been published manually to the web server. A PKI left as a legacy to the next admin.
- [2014-10-15] White papers on how to make OCSP servers and CRL web servers highly available? There is an article for OCSP, for CRLs it is just a plain simple web server.
- [2014-10-09] NPS cannot do 'two-factor-style' check of a computer account logon and a domain user logon belonging to the same 'connection'. You can only OR connect the conditions of requiring memberships in users versus machine groups (otherwise, by trying to AND connect the group every machine and every user would need to be member of both user and machine groups). Thus a client that does not attempt to logon as a machine is only checked for the user's membership in the permitted user group.
- [2014-10-09] How to configure an offline policy CA: Standalone CA, not a domain member, better not use LDAP URLs pointing to a location in AD.
- [2014-10-08] How to migrate the CA's configuration to another machine. Either re-do it (Scripts, certsrv.msc) or export the CertSvc registry key and edit it: Leave only the relevant settings (validity periods, typically).
- [2014-10-07] Certificate templates for machines that do require the subject name to be retrieved from AD (such as Workstation Authentication or Computer) are not shown by the Web Enrollment pages. So the template needs to be copied and configured for the name to be supplied in the request - then an admin can enroll it, and later import the PFX file to the machine's store.
- [2014-10-04] Encrypting shared folder (using EFS). Implications: Users need to have keys stored on the server, only feasible with Roaming Profiles. In this case the workaround was to have all users use the same local user account (the one associated with a scanner) to access files on a workgroup server.
- [2014-10-03] Life-time testing for renewed CA certificates. If you want to issue server certificates with a life time of 4 years your CA's life time could e.g. be 8 years, to be renewed every 4 years, or 6 years, to be renewed every 2 years.
- [2014-10-03] Cross-Certification for Non-Windows Clients - discussions of things to consider when trying to cross-certify a new CA (in this case a SHA256 signed Root CA) by an existing CA (SHA1 signed Root). It seems my conclusions from bifurcated certificate chains can't be generalized to all scenarios.
- [2014-10-03] What happens to issued certificates when a CA is renewed? They stay valid unless something weird was done in configuring CDP / AIA.
- [2014-10-01] Can the SHA algorithm to be used to sign a certificate be defined in the CSR? No, this has to be configured at the CA.
- [2014-10-01] CA migration from Windows 2003 to 2012 R2. Brief summary, link to migration guide.
- [2014-10-01] Revocation checking and Encrypting File System. A CRL signed by the Root CA in a two-tier PKI hierarchy was expired as the validity period had been equal to the default value of 1 week; so users were not able to add other users' certificate. Remaining puzzle: Why did it work for some months? The Sub CA had been fixed by turning off revocation checking.
- [2014-09-30] CRL validation for CACert certificate fails despite accessible CRL. The CRL is large but I believe the main issue is using an HTTPS URL for one of the CDP. Even if it is redirected to HTTP the certutil client might refuse to follow the recursions which is OK as per RFC 5280.
- [2014-09-28] Fixing issues with validation of RDS certificates, and some general questions about certificate stores (when to use PFX files, where is the private key...). The issue was resolved by using the FQDN specified in the self-signed certificate.
- [2014-09-27] EXE can't be run from remote share using PSEXEC. Tried to recommend a registry key I found useful in a related scenario - to no avail.
- [2014-09-26] Processing of policy OIDs in capolicy.inf. It seems in this case the file has not been processed so the OID does not show up in the CA certificate.
- [2014-09-26] Missing certsrv application directory. Idea: Role service not configured yet - but then it turned out this is 2008. The issue is weird but in any case the web application could be hand-crafted by making all the settings manually, including ASP configuration for parent paths.
- [2014-09-23] NPS network policies: How to combine user and machine groups. They can only be OR combined which means this is not a two-factor-style check.
- [2014-09-22] Disadvantages of LDAP CDP and AIA URLs, and how to populate HTTP URLs via publishing to UNC paths.
- [2014-09-19] Migrate SHA-1 Hash Algorithm SSL certificates to SHA-2
- [2014-09-19] Sanitize AIA URLs from machines' host names - discussion of sample CMD scripts.
- [2014-09-19] How do I setup redundant Radius Servers without the end user having to accept another certificate? Unfortunately wild card certificates will not work.
- [2014-09-18] Can an Enterprise Root CA be converted to an intermediate CA? It cannot but a new intermediate CA can be set up with a new certificate and the same key as the former Root CA. This keeps chains and CRL publication intact.
- [2014-09-18] Configuration of color of names of EFS encrypted files in Windows Explorer - can be configured in the GUI or via GPO.
- [2014-09-17] ADCS Web Page returns "The RPC server is unavailable" - when accessing the certsrv application from the CA machine.
- [2014-09-17] OCSP fails with HTTP error 404 as the application directory has not been created yet. Reason: Revocation configurations had been configured before the role service as such had been configured ('activated').
- [2014-09-14] Usage of different keys and passwords with Bitlocker - passwords, recovery key, key on the TPM chip. Different credentials can be used to encrypt the same key that is used to encrypt the volume finally.
- [2014-09-12] Troubleshooting IIS error 403.13 that is most likely related to an inaccessible OCSP URL.
- [2014-09-12] Options to use certificates to restrict access to IIS websites - requiring certificates versus (different flavors of) certificate mapping.
- [2014-09-10] Adding a custom DN to a certificate, and certificate mapping. The CA is an Entrust CA and the respective enrollment client adds a custom DN that is not equal to the AD DN. Plus: Interesting discussion about mapping of certificates to users when logging on to AD. AFAIK that mapping is always done based on a string, not on a comparison of the binary certificate presented with a certificate file published to AD. But you can map on strings such as SKI or hash value which should provide the same level of security.
- [2014-09-10] The simplest way to create a single SSL certificate - is buying one. But I'd also dare to consider a self-signed SSL certificate here (Internal RADIUS server certificate).
- [2014-09-09] Mail recipient's encryption certificate in AD not found by Outlook. It turned out it was one of the common caching / replication issues: The Offline Addressbook had not yet been downloaded.
- [2014-09-08] Adding a custom OID to a certificate. Not sure what the requirement is exactly as OIDs are used for 'any' PKI-related object. I learned something about the EDITF_ATTRIBUTESUBJECTALTNAME2 flag - it is not required if a SAN is added to a CSR but only if a SAN is added to an existing request (e.g. using the /certsrv app.)
- [2014-09-08] Make a PKI high-available that is currently running on a DC. Migration is an option (but CDPs will get messy); starting all over is preferred.
- [2014-09-08] Does NPS recognize a CN in a certificate in a policy? The idea is to craft a CN from a device's MAC address. I would go for AD shadow accounts for such devices.
- [2014-09-05] Move a CA from a DC to another machine. Mind tweaking the CDP URLs accordingly! If the old HTTP URLs should still work the CA would need to publish to a re-created /CertEnroll directory that is still on the DC. However, certificates issued from the migrated CA should not contain such CDPs.
- [2014-09-02] How to use certificate authentication with CISCO ASA and Microsoft NPS? A question appended to an older thread. CISCO clients can use either machine or user certificates and NPS can authorize clients based on memberships in user or machine groups. Note that this is not really 'two-factor authentication'.
- [2014-08-29] Data Recovery Agents versus Key Recovery Agents. Both can be used with EFS - you either recover the files directly or the users' asymmetric keys.
- [2014-08-27] Backup and recovery and high-availability options - for a CA issuing VPN client certificates. Discussion of the backup and restore process and various related configurations. There is no hot-standby option, but you make DR easier by planning for longer CRL validity periods and overlap - and use CISCO's CRL purging feature in addition.
- [2014-08-26] Kerberos issues prevent using the /certsrv web enrollment application. Another expert found the solution - it was a pesky SPN issue. As a workaround Kerberos could be disabled by giving NTLM a higher priority.
- [2014-08-24] Issuing certificates for Linux servers from a Windows CA - not an issue, can also be done using an AD-integrated Enterprise CA (which is actually more secure than the standalone CA option).
- [2014-08-24] Troubleshooting WLAN 802.1x EAP issues. Not sure what the issue is as PEAP is used (?) but the client has a certificate - I just suggested creating a test policy target to a specific client and only allow either PEAP-MS-CHAPv2 or EAP-TLS.
- [2014-08-24] Windows CA redundancy - not really possible. Options: Windows clustering (shared database), just make the certificate issuance service high-available with a second CA, proper CRL periods and overlaps, long-lived emergency CRLs.
- [2014-08-24] Error 'This CSP cannot be opened in silent mode' on doing EAP-TLS authentication, addition to an older thread. I am just guessing: An issue with having Strong Key Protection turned on?
- [2014-08-22] Why are Symmetric keys shorter than Asymmetric keys and provide the same level of security? With symmetric keys you basically would have to try any potential key, with asymmetric keys only a subset of keys would work because the requirement of being a product of two primes has to be met.
- [2014-08-20] Use an OCSP responder cross AD forests. I proposed manual enrollment, perhaps with extended validity periods. I was in error about using CEP/CES enrollment as this will not work with the OCSP responder's specific type of auto-enrollment. But I learned that the Windows implementation of OCSP allows for using a signing certificate that is not signed by the respective CA - the simplest solution in this case.
- [2014-08-19] Picking key sizes and hash algorithms for a new CA. There are always issues with (a few) older applications but I'd rather use the more secure settings in a green-field project.
- [2014-08-19] NPS authentication and logging on with a local user. It seems the machine is logged on (again) or stays logged on after a failed logon with a local user.
- [2014-08-17] Web enrollment pages do not work. Often this is lack of HTTPS or some browser security issue. In this case a re-installation of the OS resolved it.
- [2014-08-14] Migrating a CA to a machine with a different host name. Discussion of the detailed migration procedures, especially about how to tweak AIA and CDP URLs. I recommend having the new CA publish to the old locations but not adding those to new certificates.
- [2014-08-11] Cleaning up DC certificates, changing 'preferred CA'. There is not really a preferred CA, it depends on the CA the templates are published to. DC certificates could be cleaned up by deletion and re-issuance or by using a new template superseding the old ones. I recommend using a template that has the Subject Name populated as third-party apps. might not like the empty Subject Name as configured when Domain Controller Authentication is used. Learned about an unrelated SHA512 bug with TLS1.2.
- [2014-08-11] Changing the hash algorithm of a Windows CA from SHA1 to SHA256. It can be done by editing a registry and restarting the CA. Then it will sign anything - including its own renewed CA certificate - using the new algorithm. But since CRLs will also be affected the applications' compatibility has to be checked for - and thus it would be better to follow the best practice of setting up a whole new PKI hierarchy using the new algorithm in parallel.
- [2014-08-09] Decryption error for NPS server. Not resolved - probably an issue with the CSP or lack of access (permissions) to the server's private key.
- [2014-08-09] Authoritative list of public CAs. There is not a single list but different certification programs - added links for MS and Mozilla.
- [2014-08-09] Authenticate external users at NPS server, using username and password. Idea: Create AD shadow accounts for them and provide them with credentials.
- [2014-08-09] How to configure delta CRLs - properties of extensions, publication options (variables, 'checkboxes').
- [2014-08-08] Monitoring expiring certificates - I am aware of two companies who offer Windows PKI add-ons doing that, adding some links.
- [2014-08-07] Certificate cannot be exported. It seems the key is available as a file (PKCS#1) but not in a Windows personal certificate store. So it cannot be exported from there.
- [2014-08-04] Windows CA and AD schema: W2K3 CAs can operate in a 2012 forest.
- [2014-08-04] MMC Enrollment: Missing additional information. The MMC asks for (another) certificate because the template had been configured for an authorized signature / an Enrollment Agent.
- [2014-07-31] Powershell shows templates to be added but certtmpl.msc does not. New question in an older thread - weird as any tool has to check AD's configuration container for the list of templates.
- [2014-07-31] Removal of unwanted Root CA certificates - by cleaning up AD stores.
- [2014-07-29] Checking and changing the hash algorithm used by a Windows CA as only Windows 2008 clients are able to see templates to be enrolled for while Windows 2003 and XP clients don't.
- [2014-07-29] Intermittent issue with Kerberos authentication used with IPSec resolved by restarting the Windows Firewall (I didn't know this effect.)
- [2014-07-28] 802.1x design for branch offices without local radius servers: Concerns: CRLs not accessible for certificates; computers cannot access the local LAN if the WAN does not work. PEAP instead of EAP-TLS mitigates the first risk, but I would not rely too much on configuration items (session timeout etc.) that should allow for keeping a machine connected even if the WAN line breaks.
- [2014-07-27] How to delete certificates from local machines' stores. The problem had been caused by accidental issuance of machine certificates. Command to delete certificates: certutil -delstore my [OID of the template]
- [2014-07-25] How to delete a bunch of certificates from the Windows CA's database, based on their status (disposition) and start or expiry date.
- [2014-07-25] NPS authentication can fail due to a really weird issue: The shared secret needs to be all case letters.
- [2014-07-25] NDES (SCEP) cannot distinguish certificate requests based on certificate templates but only based on key usage. I would rather recommend using different 'instances' of the SCEP application.
- [2014-07-24] How to fix issues with revocation lists using LDAP URLs after a DC had been renamed that also hosted the CA service. If the LDAP object has got deleted, it could be re-created using certutil -dspublish -f [CA].crl
- [2014-07-24] Issues with key size mismatch when using the certsrv web application. Not sure if I understood the issue correctly. One workaround in case the web app. does really not allow for selecting a higher key size is to use the Certificates MMC or the IIS Wizard in order to create a CSR and then submit it using the web application. Plus: Some discussion on how the app. is used with Firefox versus IE (FF uses the keygen tag).
- [2014-07-24] Troubleshooting of the Microsoft implementation of SCEP / NDES (Simple Certificate Enrollment Protocol, Network Device Enrollment Service). NDES fails to start with a message that indicates it is not happy with its certificates - an issue with the missing revocation list signed by the Root CA as the service does revocation checking.
- [2014-07-23] How to migrate to a new CA: In this case because the existing CA used DSA instead of RSA.
- [2014-07-23] SSL certificate does not work because of missing private key. CRT files do not contain a private key, and the certificate obtained from the certificate provider needs to be imported at the machine where the request had been generated. Check with certutil -store my if the key is present, if yes repair with certutil -repairstore my "<Serial Number>"
- [2014-07-23] nCipher HSM - issues with migrating the key to a new CA: The new HSM client cannot use the key as the counter had been enabled at the old machine.
- [2014-07-23] MMC Enrollment fails with an error message about a missing trusted CA or missing permissions: Either really due to missing CA or missing permissions, but it can be a timing issue as well.
- [2014-07-23] Certsrv web application not configured for the correct physical directory by default. Seems like a bug to me - the config. did not point to the directory en-US but to a directory one level up instead.
- [2014-07-22] The Windows 7 VPN client is not able to use a particular user certificate for logging on using IKEv2. The error message says that the certificate cannot be loaded. The certificate chain looks fine. Potential issue maybe: Configuration of the client for smart card instead of certificate.
- [2014-07-21] CA cannot issue certificates as the templates in AD don't have the OID attribute set. The solution was to delete the failed default templates and re-install them with certutil -installdefaulttemplates
- [2014-07-18] WLAN authentication issues after the DC's certificate has been renewed. Potential issues: Switch to a new template without a subject CN, or the new certificate is not yet used in the NPS' config.
- [2014-07-17] Domain Controller uses the wrong certificate for LDAPs. My suggestion was to supersede the current template with one that allows for issuance of certificates that will expire after the unwanted third-party certificate. Another user provided instructions on how to use the AD (NTDS) service's certificate store instead of the machine's store.
- [2014-07-16] NPS: Issues with using MS-EAP MS-Chapv2 used by a CISCO 2960 supplicant. Interesting result posted by the OP, based on a support case: NPS does not support EAP-MSCHAP with 802.1x (as PEAP should be used), so supposedly deprecated EAP-MD5 had been configured.
- [2014-07-16] Troubleshooting access to CRLs and configuration of the CA using variables. An old thread - I just responded to a comment on allegedly new syntax used for these variables. The syntax has not changed but the GUI just shows variables in a nicer way.
- [2014-07-15] Troubleshooting Kerberos delegation for the web enrollment role service installed on a different machine than the CA. I could not nail down the root cause but I tried to give very detailed advice on what to check for: SPNs for NetBIOS and FQDN machine names, check for duplicate SPNs, check for details of the Kerberos errors.
- [2014-07-15] Computer certificates for non-domain machines - an outline of how to create those, including links to more detailed articles. For creation of key and request the Certificates MMC could be used, then the request can be sent to the CA via the certsrv application in the context of a user with enrollment permission on the intended certificate template (e.g. Web Server).
- [2014-07-15] Certificate templates on Windows Server 2012 R2 CAs - a whole lot of new options and combinations. I still recommend using good old "XP / 2003" templates using RSA for maximum compatibility.
- [2014-07-14] Certificates for load-balanced web servers. My suggestion is to use the cluster name in the subject CN and the Subject Alternative Name, and put all other names (node name, IP address) into the SAN.
- [2014-07-09] Certificate requirements for CISCO ASA VPN server. Best practices for CRLs (I recommend using longer validity periods but purge the cache in ASA more often) and certificate types used by ASA (VPN versus SSL). Plus general advice on why not to co-locate a CA on a DC.
- [2014-07-09] How to authenticate machines instead of users by NPS - configure a Group Policy for WLAN or wired 802.1x.
- [2014-07-08] EFS certificate creation cannot be triggered by GPO with the error Element not found. With Windows 2008 templates an ECDH algorithm needs to be selected and the hash of the EFS certificate needs to be edited manually in the registry.
- [2014-07-08] ASN encoding issues with request submitted to a Windows CA in certsrv. Not much more can be done than analyzing the request and asking for a new one - which solved the issue.
- [2014-07-07] Kerberos troubleshooting triggered by an issue with enrolling for certificates at a CA migrated to Windows 2012 R2. After checking for common Kerberos issues with Service Principal Names and computer passwords it finally turned out that it was an issue with incompatible encryption algorithms (etype) that can be fixed by un-joining and re-joining machines to the domain.
- [2014-07-07] Inquiry for built-in method to logon via RDP using a certificate but no (expensive) hardware. Unfortunately certificate logon via RDP requires smartcards or a TPM chip.
- [2014-07-07] Autoenrollment troubleshooting. There are many potential root causes, such as GPO or DCOM issues.
- [2014-07-04] Which names used for / with a CA can be changed on renewal. It was not entirely clear to me to which name the question referred to: Subject names cannot be changed on renewal, but FQDNs in AIA or CDP URLs can.
- [2014-07-03] Logon to WLAN via PEAP fails due to issues with the NPS' certificate. Root cause: The CA certificate had been used in the NPS policy and this had most likely a crypto provider not suitable for SSL (SChannel errors.)
- [2014-07-03] Subordinate Certification Authority template not found in certsrv: An old thread resurrected with a new question - I guess the issue is related to the template not having been published or missing permissions.
- [2014-07-03] LDAPs does not work when accessing a DC from a third-party client (WatchGuard). Ideas: Wrong or missing subject name (third party clients often don't like only the SAN being populated though this is in line with standards), and WatchGuard seems to use its own certificate store to which the chain needs to be imported to.
- [2014-07-02] Troubleshooting certificate validation in relation to NPS and PEAP authentication. Standard troubleshooting using certutil -verify -urlfetch cert.cer but also trying to clarify some misunderstanding about which certificates are needed (no client certificates for PEAP (most often = PEAP-MS-CHAP-v2), but only for PEAP-TLS) and how network policies are configured.
- [2014-07-02] Office 2007 cannot use SHA256 certificates for macro signing. Fixed in Office 2010, but for 2007 you need to re-configure the CA for SHA1, issue the certificate, and then change the algorithm (registry key) back.
- [2014-07-01] Usability of Windows PEAP client in BYOD scenario - too much to configure on behalf of the user? Philosophical discussion, my take is that PEAP has rather been designed with a domain environment in mind.
- [2014-07-01] Feasibility: NPS offering PEAP-MSCHAPv2 for domain joined and non-domain-joined machines: Yes, possible - in the Network Policy only Domain Users are configured to be entitled for logon. Also on non-domain-joined machines (iPhones etc.) users will be asked to enter their domain credentials.
- [2014-07-01] General question on how to use certificates with Kerberos, and on Directory E-Mail Replication certificates. The latter are only needed for (uncommon) replication over SMTP. As for Kerberos and logon, this is my favorite white paper.
- [2014-07-01] CA migration and required actions for EFS Recovery Agents. User certificates and keys should be exported from profiles at the CA server (they are not tied to this machine anyway), and the Key Recovery Agents' configuration is migrated as part of the CA migration.
- [2014-06-30] Enrol on behalf fails because of two distinct issues: 1) The Application Policy configured in Issuance Requirements of the user's certificate template is set to Smart Card Logon, but not to Certificate Request Agent. 2) A third-party validator (Axway) is used that causes CryptoAPI to look only for OCSP URLs but OCSP is not used. Root cause finally was: CRL not accessible to the validator.
- [2014-06-30] Overview on how to implement smart card authentication: An outline based on the assumption that native Kerberos logon with smart cards should be used.
- [2014-06-28] Best practices for life time nesting of CAs in a hierarchy. Typically, each CA would be renewed after half of the validity of its certificate has expired and the maximum life time of a CA or end-entity is half the period of its superior. Reason: To allow for adding new CAs or issuing end-entity certificates at any time with the maximum life time.
- [2014-06-28] CA in another AD forest. Not sure if the question was related to enrolling against a CA in another forest (only possible with an additional component in place) or if the CA can be migrated (yes it can but populating old LDAP URLs in the other AD would get messy).
- [2014-06-27] SCEP/NDES: Unexpected passphrase asked for HSM software. Not clear where exactly the popup is encountered. If it is at the NDES machine perhaps the HSM's crypto provider has been used with the RA certificates.
- [2014-06-26] How subject names in machine certificates are built from AD attributes. Special logic applied by the Windows CA policy module: You don't get the NetBIOS name, only the FQDN from the dNSHostName attribute. Using the full DN from the directory did not meet the actual requirement, which was to RDP to a server using its NetBIOS name. Manual initial creation of a certificate with the NetBIOS name included in the list of DNS names in the SAN solved the issue. Follow-up issue: Autoenrollment triggered within 1 hour renewal time - solution: Trigger AE manually as GPOs would not be updated often enough.
- [2014-06-26] Can NPS do two-factor authentication of 1) machines and 2) users? Unfortunately it cannot. If you entitle user and machine groups, it does not check that both pieces are provided by one specific machine. It just says that either machines and/or users are allowed to authenticate. If a user manages to configure his or her private machine for just user authentication, entering domain user credentials would be sufficient.
- [2014-06-26] General question on signing and encrypting office documents. Office is generous in accepting different types of user certificates for signing but you can filter by EKU or issuer name.
- [2014-06-24] What is 'verification' of a Root CA certificate? The Root CA certificate is the only certificate in a chain that has to be trusted explicitly (e.g. by comparing hash values) - or you trust the vendor of browsers or operating systems.
- [2014-06-24] Access to a remote machine's certificate store via MMC does not work as expected. A key has been created when connected to the other machine, but it seems the other machine actually lacks the key. Copying over the key file (as identified via the key container name) results in an Access Denied message, so most likely the key is encrypted with the wrong machine's DPAPI master key.
- [2014-06-24] References to the CA's machine name in the Enrollment Services object in AD versus the ones used in certdat.inc. It seems a new CA has been installed that has the same subject name as an extinct one, but the new instance was not able to get access to the pkiEnrollment object. Suggestion: Since certutil -ping is successful if the actual host name of the new CA is used, I would recommend editing the dNSHostName attribute of the enrollment object.
- [2014-06-24] Import of the data of a non-Microsoft CA to a Windows CA. It might be doable but there is no simple wizard: Import CA keys and certificates, import all certificates one by one, re-configure CDP and AIA URLs.
- [2014-06-24] Access another Windows computer in a Workgroup environment: It still works with pass-through authentication - just create a user with same user name and same password on source and target machines.
- [2014-05-23] Intermittent problems with computer re-authentication: Finally resolved by disabling re-authentication. I just added some thought on why re-authentication is used (under the false impression that it would add something like two-factor authentication) so why not disable it!
- [2014-06-23] Import of an existing wild card web server certificate for an Exchange server. The wild card certificate is available on another non-Windows machine but as long as key and certificate could be exported (e.g. using openSSL) as a PKCS#12 / PFX file this should not be an issue.
OCSP Responder issues: Extensive troubleshooting and walking through the OCSP configuration. One main issue was a misunderstanding about how to use one Responder for different CAs, and how an array should work. The same configuration would be replicated to the other member in the array, and the same two configuration items (revocation configuration) would then be visible at both Responders. Additional interesting issue: Adding the Intermediate CA certificate to the Trusted Root store can cause an error 403.16 in IIS and thus break
Update on 2014-08-14 - 'case opened again' as this PKI had to be rebuilt. I tried to explain how to use CAPI2 logging.
- [2014-06-23] OCSP design: Use a dedicated OCSP server? This could make sense from performance perspective. The OCSP machine just needs access to the CDP URLs where the CRLs are published. An intermittent error was resolved by re-issuing the CAExchange certificate (so pkiview.msc might have had outdated information due to the old URLs in the previous CAExchange certificate).
- [2014-06-20] Can a bogus proxy set with proxycfg block users from accessing the internet? No, as a proxy set with proxycfg or netsh is only used when access to the internet is made in the context of the machine, not in the context of a user.
- [2014-06-18] Selection of the WLAN certificate by a Windows machine when talking to RADIUS servers on different networks? The idea was that the client should be able to choose between an external and an internal certificate. No solution - I am afraid the client just picks any or the first one, whatever that means. It seems from the test results that the choice of client certificates is not limited by the CAs the NPS server trusts, as it would be suggested by the TLS standard.
- [2014-06-17] Web Server template not available for issuing certificates via the MMC (old thread resurrected). Not sure what the issue finally was, but most likely a combination of: Template not yet published, no permissions for the machine (as this is MMC enrollment), delay by AD replication, or missing GPO update.
- [2014-06-16] EFS decryption problem: These can also be due to lack of trust in the user's own certificate - the solution was to import the user's certificate to the Trusted People store. EFS checks this store if validation of the certificate chain fails, so in addition to this quick fix any issues with the chain should be investigated.
- [2014-06-16] Putting a custom serial number into user certificates: Interesting question regarding the creation of certificates compliant with local legislation (Paraguay). Actions needed: 1) The name in the request was too long - set the EnforceX500NameLengths flag to 0, 2) add the DeviceSerialNumber value to the SubjectTemplate registry key, 3) but use SERIALNUMBER when referring to the subject name in the INF file used with certreq.
- [2014-06-13] Weird PEAP authentication issue with certificates though no certificates should be required - if I understood the question correctly and assuming that PEAP-MS-CHAP-v2 should be used. No solution - I suggested to check NPS log files.
- [2014-06-13] Certificate Services backup and restore - short overview and backing up the three required components: CA database, CA key and certificate, and the configuration (registry key).
- [2014-06-13] Windows NTLM pass-through authentication: Re-discovered and considered a security issue but this is as it works by design: With a standard local admin password you can access all those machines remotely.
- [2014-06-13] Allegedly corrupt signature: Due to certificate chain built just on name matching as the wrong issuer CA certificate (wrong key but same name) had been imported.
- [2014-06-12] (Info only:) Release of an interesting white paper by Microsoft - quite comprehensive, this should supersede many of the existing resources.
- [2014-06-05] Revoking the old CA certificate immediately after renewal causes an error. Just to be sure certificates can still be validated (as renewal was done with a new key, so there is a chance new certificates might chain to the old CA certificate), several checks have been done. Certificates are fine - actually NPS does not seem to recognize revoked client certificates. Reason most likely: The server side (web proxy) cache of OCSP - CRLs and OCSP responses can be cached in different places.
- [2014-06-03] Certificate enrollment of certificates configured for private key archival fails specifically for Windows 8.1 clients while Windows 7 is fine. After checking enrollment and the validation of the CAExchange certificate extensively, my final suggestion (unanswered) was to check if probably the TPM (new feature in 8.1) is used to store the certificate. The crypto provider will not allow export of the key from the chip for archival purposes.
- [2014-06-03] Creating user certificates for SAP - and where to put in which name? I cross-checked and translated documentation by SAP and it seems they need the UPN in the subject alternative name. Unclear: Do they map based on binary certificate (as the certificate is sort of imported to a table) or does the mapping wizard just read a name string from the certificate and enter that into the actual mapping table.
- [2014-06-12] Limitations of using different strings and AD attributes when building subject names. The Windows CA can either take DN components from a request or the whole DN can be built from the DN of the object in AD. Not possible: Add custom strings in addition to AD attributes or add other AD attributes not in the AD DN, such as O= or OU= unless OU is a container.
- [2014-06-10] Obtaining certificates for RADIUS servers - via cross-forest enrollment actually which requires the deployment of an additional solution - either CEP/CES HTTP-based enrollment services or the older cross-forest solution that is based on syncing PKI objects cross-forest. Both require a two-way forest trust. If a radius proxy would be used in authentication no trust would be required.
- [2014-06-10] What happens when a CA is retired and when certificates finally expire. I recommend creating a long-lived CRL and keep it at the CDP embedded in the end-entities' certificates. When the CA will have been expired all client certificates must have been expired, too, and all objects could be removed.
- [2014-06-10] Which certificate to use for RADIUS (NPS) servers, description of the details of the enrollment process for a web server SSL certificate, e.g. using the Certificates MMC. This thread is related to the other one on cross-forest enrollment of radius certificates, dated also 2014-06-10.
- [2014-06-09] SChannel errors - an old thread. Just added a wild guess that these may be related to using a crypto provider that cannot be used with SSL (so use RSA SChannel... instead).
- [2014-06-06] Issues with 802.1x WLAN user certificate, most likely a SChannel / provider problem as the chosen provider was not SSL-capable: Switching from a Windows 2008 to a Windows 2003 template resolved the issue.
- [2014-06-05] How to request a certificate with a custom name for a web server - summary of all options (Certificates MMC, certreq) and link to this article.
- [2014-06-05] Certificates to be used with NDES (SCEP). The templates CEP Encryption and Exchange Enrollment Agent are used by the NDES service itself; the template IPSec (Offline request) or a copy of it is for devices. Clients cannot request certificates from different templates as the request from the device is anonymous from SCEP's perspective. Follow-up question: Version 3 certificate templates are not available in the certsrv tool as this does not support the new algorithms.
- [2014-06-03] When dragging and dropping images into a Word document, the original locations later show up in tool tips in a PDF created from that doc. I re-discovered this bug and just added my comment to an old thread. You have to edit the ALT Text attribute of every image.
- [2014-05-31] How to create certificate requests (with various tools) and send them to enterprise or standalone CAs (using various tools). I tried to give a comprehensive summary of all the options, the question was about SAP certificates for Mac clients: Creation by the user versus by an enrollment agent, creating the CSR on a Mac or using a Windows PC as an enrollment station. Names could be added to the request (all tools) or retrieved from AD if a Windows client is used.
- [2014-05-30] Exotic issues with private key or CSP - unfortunately the answer was not clear. I had seen issues with third-party software for hardware dongles posing as a fake CSP, but in this case the OP reported back that also a support case with MS did not solve the issue; the key / certificate in question could not be repaired.
- [2014-05-30] Troubleshooting DCOM permissions related issues after CA migration. Detailed investigation - mainly cross-checking default DCOM permissions: CertSrv Request object, COM Security, DCOM group policy, Certificate Service DCOM Access group. Finally the issue was related to missing permission on a DCOM-related registry key which had been indicated by the Edit Limits... button in COM Security being greyed out.
- [2014-05-23] Autoenrollment troubleshooting. First there was some confusion about where private key should be generated (Autoenrollment triggers the client to create keys locally), and the issue as such boiled down to a DCOM issue: The Certificate Service DCOM Access group did not contain Authenticated Users.
- [2014-06-02] Why an Issuing CA certificate shows up in the local CA store after installing a new certificate: Checking the Certificate Enrollment Protocol: in the section about the CA's response they refer to RFC 3852, which states the CA's response MAY include the full chain...
- [2014-05-30] Question of mine: How to query large Windows CA databases efficiently: I have been given terrific advice on how to optimize code. Some weeks later I followed up with my test results, based on a CA DB with a million certificates: My main issue was that I sorted that DB by Request ID, under the false assumption that - when applying a filter in addition - results would first be filtered and then sorted.
- [2014-05-28] Behavior of the Windows CA's policy module - no elaborate parsing of Subject Alternative Names for e-mail addresses. If the CA is configured for accepting SANs (Mind the security implications for UPNs!) the policy module just passes on the submitted SAN. If more checks need to be done a custom policy module is needed or parsing capabilities could be added to a web frontend (modified version of certsrv pages).
- [2014-05-28] How to test an ODBC connection. The simplest thing I can think of is creating an ASP page, creating an ADODB connection and opening it using that ODBC connection string.
- [2014-05-27] What happens to Active Directory if you install an Enterprise CA. Several objects are created in the Configuration container (usually harmless), and default templates would be published unless this is prevented by setting the LoadDefaultTemplates key.
- [2014-05-26] Erratic problems with encrypting e-mail with Outlook. Added my anecdotes to an old thread: I also have seen this and attribute it to the various sources Outlook could retrieve the recipient's certificate from - AD LDAP user object, cached offline address book, an Outlook contact based on the GAL entry, those older attributes used to hold certificates (userCertificate populated by an enterprise PKI versus userSMIMECertificate populated by users themselves versus the even older userCert).
- [2014-05-23] Exchange server does not use CA-signed certificate for secure SMTP although those should take precedence over self-signed ones. No resolution.
- [2014-05-22] WLAN 802.1x authentication with certificates: Summary of how this is done: NPS as RADIUS server with an SSL certificate to protect the authentication. Clients can authenticate using certificates (EAP-TLS) or user / machine names and passwords (PEAP-MS-CHAPv2). Link to this more detailed article.
- [2014-05-21] Certificate for iPhones and that annoying popup asking for confirmation of the radius server's certificate - even if that one has been issued by a public CA. This is by design and I consider this similar to the requirement valid for Code Signing certificates - they also need to be trusted individually.
- [2014-05-20] Issues with certificate renewal and 802.1x authentication. The first one - RPC server offline - was resolved by having the CA restored and taking it online again. Remaining issue in using the certificates that had to be renewed: NPS throws an error 18 when clients try to authenticate, probably an issue with the message digest. Escalated to CISCO.
- [2014-05-20] How PEAP works and why the Radius server needs a certificate. Brief summary focusing on the fact that the server needs a certificate to protect the authentication channel.
- [2014-05-19] How to switch to SHA256 in a Windows PKI hierarchy. As the hash algorithm is a CA-wide setting I would always recommend setting up a parallel new hierarchy.
- [2014-05-16] Requirements for cross-forest enrollment. Two options: CES/CEP role services of the CA (HTTP enrollment) or the older solution based on Powershell scripts syncing AD objects.
- [2014-05-15] Automated generation of certificates for non-Windows clients, using a Windows client as an 'enrollment station'. Some code snippets for looping through an input file of computer or user names. This input would be used to create an INF file, use certreq to create key and CSR and submit it to the CA, retrieve the certificate, install it, and export key and certificate as a PFX file.
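As an added illustration of the enrollment-station loop described in that thread (example code written for this page, not the snippets posted in the forum): each name in a constructed input list gets an INF file, certreq creates key and CSR and submits it to the CA, the issued certificate is installed in the station's machine store, and certutil exports key and certificate as a PFX. The CA config string and the template name are placeholders to be replaced with your own values; the template is assumed to accept the subject from the request (the thread's scenario, since the clients are not in AD).

```powershell
# Added example, not the forum thread's own code.
# Bulk enrollment from a Windows 'enrollment station' for non-Windows clients.
# Placeholders (assumptions): replace with the values of your environment.
$CaConfig    = 'CAHOST.example.com\Example Issuing CA'   # certutil -dump shows the real config string
$Template    = 'ExampleDeviceTemplate'                   # a template that takes the subject from the request
$PfxPassword = Read-Host -AsSecureString 'PFX password'
$PfxPlain    = [System.Net.NetworkCredential]::new('', $PfxPassword).Password

# Constructed sample input: in the thread this comes from an input file (one name per line).
$names   = @('device01.example.com', 'device02.example.com')
$workDir = Join-Path $env:TEMP 'bulk-enroll'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

foreach ($name in $names) {
    $inf = Join-Path $workDir "$name.inf"
    $req = Join-Path $workDir "$name.req"
    $cer = Join-Path $workDir "$name.cer"
    $pfx = Join-Path $workDir "$name.pfx"

    # 1) INF file for certreq. Exportable=TRUE is required because the key has to
    #    leave the station as a PFX; the SAN carries the DNS name of the device.
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject="CN=$name"
KeyLength=2048
KeyAlgorithm=RSA
Exportable=TRUE
MachineKeySet=TRUE
ProviderName="Microsoft Software Key Storage Provider"
RequestType=PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$name&"
[RequestAttributes]
CertificateTemplate=$Template
"@ | Set-Content -Path $inf -Encoding ASCII

    # 2) create key and CSR, 3) submit to the enterprise CA, 4) install the issued
    #    certificate next to its key in the station's machine store
    certreq -new -q $inf $req | Out-Null
    certreq -submit -q -config $CaConfig $req $cer | Out-Null
    certreq -accept -q -machine $cer | Out-Null

    # 5) export key and certificate as PFX (password-protected for transport),
    #    then remove the certificate from the station's store
    certutil -f -p $PfxPlain -exportPFX My "$name" $pfx | Out-Null
    certutil -delstore My "$name" | Out-Null
}
```

Because the private keys are generated on the station and exported, the station itself is the sensitive component of this setup: the PFX files should be handed over and deleted promptly, and the key container left behind by the exported certificate should be cleaned up as well.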
- [2014-05-15] The OID shows up instead of the template's name in the CA's database. That simply could be a timing issue as the mapping is done via objects in AD.
- [2014-05-14] Clean-up after removing CAs - for an extinct CA and another one that has been restored but is not used. I suggest playing it safe and keeping CRLs as long as the CAs' certificates are valid, and I would not revoke all end-entity certificates as recommended in an MS KB article.
- [2014-05-14] Public CA's certificate for RADIUS server, validation by iPads. 1) Detailed installation instruction of the cert. chain at the radius server 2) Investigating that popup asking for a confirmation of the NPS certificate although it chains to a trusted public CA. The latter is by design as the OP found out.
- [2014-05-14] Migration to a CA with a different host name. I would recommend sanitizing the CDP and AIA URLs (removing references to the host name) as the configuration has to be touched anyway.
- [2014-05-12] Impact of Enterprise CA removal on AD replication. There should be none unless certificates are really used for AD SMTP replication (uncommon). Otherwise I would recommend setting up a replacement PKI.
Insert some years during which I was just busy doing PKI but not contributing to the community. I try to compensate for that now!
- [2009-07-16] What is PKI compatibility? It depends on what is compared: Certificates and their fields, key stores and access methods, request structure, protocols to enroll for certificates,...
- [2009-07-16] Notification e-mails sent by the SMTP Exit module contain variables instead of values. Might be an issue of using the variables in a script versus running the commands interactively. In a script the % needs to be masked by another %.
- [2009-07-16] Windows CA and redundancy: Does a second CA help? Templates are redundant in AD anyway. A second CA does not help as it uses a different key and cannot sign CRLs on behalf of a failed first CA automatically. For risk mitigation the CRL validity period should be configured for a few days or whatever is needed to detect and fix an issue in the worst case. Redundancy could be achieved with fail-over clustering.
Planning fail-over clustering for a CA, in particular how to migrate an existing non-clustered CA into the cluster. Clustering is only supported with HSMs (*). As for the names it can be done, but the legacy of LDAP objects and HTTP URLs that contain the old machine name makes that rather messy. Suggestion: Use a new clustered CA setup from scratch with proper names and create a long-lived CRL for the existing CA before retiring it.
(*) Learned in 2014 that this is not true (anymore?)
- [2008-10-01] How to configure CRL URLs for offline CAs. It seems either a CRL has not been copied to the CRL server denoted in the CDP or the defaults have been used and the URL points to the Root CA itself. Brief outline of process.
- [2008-09-23] Variables in CA configuration (starting with %) do not get replaced by their values. Turned out to be a copy and paste error as the lines have been copied to the command window directly.
- [2008-09-19] Limit PKI usage to one domain - how to set permissions. The CA is a forest resource, but permissions for domain-specific groups can be set at the CA (Request Certificates right), or permissions on all templates could be limited to groups from this domain.
- [2008-09-18] Time zones and clock skew. Date formats in certificates are in Universal Time format including time zone information. There is only a clock skew of 10 minutes applied by default to avoid false not-yet-valid messages.
- [2008-07-28] Checking and changing validity periods of CRLs as the default period of a week is too short for a typical Root CA. Overview on how to set the validity period in Properties of Revoked Certificates and - optionally - overlap by editing the registry.
- [2008-07-28] Requirements for macro signing certificates. I suggest to time-stamp macros as otherwise (even if signed) signature would be considered invalid when the signer's certificate has been expired.
- [2008-07-26] Certificate services simply fails to start after setup. Not clarified but another user indicated that in his certocm.log a permissions error was logged when he saw the same error - using the domain admin resolved it.
- [2008-07-26] Sending certificate requests to an untrusted forest. Ideas: Automate the creation of requests and let a service user account from the CA forest fetch the requests, send them to the CA, and collect the certificates. Alternative: Simply use an AD user of the forest where the CA resides and use the certsrv web application to create keys and requests.
- [2008-07-12] Autoenrollment issues - an XP client does not autoenroll although manual enrollment works and the event log says that Autoenrollment has been completed successfully. Potential root causes: 1) There is already a certificate of that type in the store and the setting Do not re-enroll if a duplicate certificate exists in AD has been set, 2) Weird but known issue with credential roaming sometimes falsely archiving certificates.
- [2008-07-01] Wild-card certificates - feasible but not recommended as there is a slight chance clients may not recognize the wild-card character.
One is supposed to think in terms of solutions, not problems. It is simply in the nature of my history as a 'troubleshooter' that I see PKI problems first and then the solutions to them. On top of that, PKI and certificates are often presented as an all-purpose security wonder weapon - even where alternative and easy-to-manage solutions would exist.
I have written two blog posts about this, originally inspired by Peter Gutmann's book draft Engineering Security:
- What I Never Wanted to Know about Security but Found Extremely Entertaining to Read
- The Strange World of Public Key Infrastructure and Certificates
In my experience it is often the simplest things that go wrong, such as planning the publication of a revocation list, in contrast to the risks that were discussed beforehand: insecure hash algorithms, the NSA, evil hackers.
The PKI standard(s) leave a lot open (MAY), which results in applications doing whatever they like with certificates and revocation lists. Certificates are treated almost like any file with structured content - which also happens to be signed. My 'favorites' are embedded systems and 'boxes' of all kinds which - for example -
- use as their SSL certificate a certificate that is also a CA certificate (Certification Authority) and, on top of that, the same one on all devices of the product line.
- cannot handle a CA hierarchy, which requires workarounds such as entering the hash of the Root CA where logically that of the Issuing CA would be expected, or vice versa.
- have a serious problem with 'renewed CAs', i.e. with two CA certificates with the same Subject Common Name but different keys in one CA store.
This should not become too negative - in The Strange World of PKI I also try to describe approaches that work. I am mainly concerned with so-called 'Infrastructure PKIs' (OK, an unfortunate coinage) or device PKIs.
Love Padlocks - 'Liebesschlösser' (Wikimedia), a trend that seems to spread like a meme... and a very poetic metaphor for security systems one has locked oneself out of. In this case intentionally, as a couple attaches a padlock together and then throws away the key - in the hope of eternal love.