What does the “This certificate has an invalid digital signature.” message actually mean?

I recently got a new Asus RT-N66U Dark Knight. One of my main reasons for selecting this router was its ability to run the DD-WRT custom firmware. DD-WRT offers a host of cool features; among these is the ability to do web-based administration on the router’s WAN interface. Basically you can fire up your …

Understanding X.509 digital certificate thumbprints

Introduction: I got an interesting question about X.509 certificate thumbprints today from a colleague. Specifically, he wanted to know if you could renew a certificate and keep the thumbprint. The answer is no, unfortunately. So I thought I would explain why you can’t. Certificate storage: The X.509 standard was first issued in 1988 and is …

Decoding some certificate enrollment client events

The Events: Windows clients can request certificates on their own (autoenrollment) or with the help of a user. When enrolling for a certificate you may find this pair of events in your Application log:
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 64
Level: Information
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: <servername>
Description: Certificate enrollment for Local system …

“A certificate could not be found that can be used with this Extensible Authentication Protocol” error in IAS

After issuing a new certificate for a Windows Server 2003 running IAS, this error presented itself in the IAS console when trying to configure EAP with the new certificate: “A certificate could not be found that can be used with this Extensible Authentication Protocol.” This was accompanied by these two events in the System Log: …

What are the security benefits of running a service as the Local System Account as opposed to a user account?

With the release of Windows 2000, products from Microsoft, most prominently Exchange 2000, started running their services under the Local System account instead of using a dedicated Active Directory User account, or what is commonly known as a service account. The reason for this was security. As time passed more and more products adopted this …