Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Your digital ID name cannot be found by the underlying security system" appears.

Assume the following scenario:

  • A user receives an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The message cannot be opened.
  • When opening the message, the following error message is displayed:
Sorry, we're having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook. Your digital ID name cannot be found by the underlying security system.

Microsoft Outlook: Correctly signed e-mails (S/MIME) are displayed as invalid after the signature certificate expires

Assume the following scenario:

  • A user has received an email message in the past.
  • The message was signed with an S/MIME certificate.
  • The sender's signature certificate was issued by a certification authority that the recipient trusts.
  • The signature was therefore recognized as valid at the time the message was received.
  • When the user opens the message again some time later, the signature is now shown as invalid.

Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester."

  • A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
  • The Enroll on Behalf of (EOBO) mechanism is used for this.
  • The certificate request fails with the following error message:
The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.

Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

  • A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
  • The Enroll on Behalf of (EOBO) mechanism is used for this.
  • The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

Configuring the Trusted Platform Module (TPM) Key Attestation

Since Windows 8, the private key of a certificate can be protected by a Trusted Platform Module (TPM), if one is present. The key then cannot be exported, not even with tools such as mimikatz.

What is not obvious at first glance, however, is that there is no guarantee that a TPM was actually used. It is true that a request via the Microsoft Management Console or autoenrollment is not possible if the computer has no TPM.

But the setting in the certificate template is only a default for the client. The certification authority does not explicitly check, when it processes the request, whether a Trusted Platform Module was really used.

The only way to ensure that the private key of a certificate request really is protected by a Trusted Platform Module is TPM Key Attestation.


Manually requesting a web server certificate

There are cases in which you cannot or do not want to obtain web server certificates directly from a certification authority in your own Active Directory forest via the Microsoft Management Console, for example if the system in question is not a domain member.

In this case the enrollment wizard and its selection of certificate templates are not available, and a Certificate Signing Request (CSR) must be created manually.
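The following is an added example (not code from the article) of what such a manual request looks like with certreq: the key pair and CSR are generated on the web server itself, which need not be a domain member, the CSR is inspected before it is handed over, and it is then submitted to the enterprise CA from a domain-joined machine with the template named in the request attribute. The host names, the CA configuration string "CA01.corp.example\Corp Issuing CA" and the template name WebServer are assumptions; replace them with your own values.

```powershell
# Added example, not from the original article. Run the first part on the web
# server itself; the private key is generated there and never leaves the machine.
# Host names, CA configuration string and template name are assumptions.
$inf = @"
[NewRequest]
Subject = "CN=www.corp.example, O=Corp, C=DE"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
; 0xA0 = Digital Signature + Key Encipherment
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name (2.5.29.17). Browsers ignore the CN, so every
; host name the server answers to has to be listed here.
2.5.29.17 = "{text}"
_continue_ = "dns=www.corp.example&"
_continue_ = "dns=corp.example&"
"@
Set-Content -Path .\webserver.inf -Value $inf -Encoding ASCII

# Generate key pair and CSR. MachineKeySet requires an elevated shell.
certreq -new .\webserver.inf .\webserver.req

# Check the CSR before handing it over: subject, SAN, key length, EKU.
certutil -dump .\webserver.req

# --- On a domain-joined machine whose user may enroll for the template ---
# The template is passed as a request attribute; it does not have to be
# visible in the MMC of the system that generated the request.
certreq -submit -config "CA01.corp.example\Corp Issuing CA" `
    -attrib "CertificateTemplate:WebServer" .\webserver.req .\webserver.cer

# --- Back on the web server: bind the issued certificate to its private key ---
certreq -accept .\webserver.cer
```

If the CA is configured to require manager approval for the template, certreq -submit returns a pending request ID instead of a certificate; retrieve it later with certreq -retrieve and the same -config value. The certutil -dump step is the point at which a wrong or missing SAN entry should be caught, not after issuance.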


Details of the event with ID 4 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 4 (0x425A0004)
Event log: Application
Event type: Information
Event text (English): Certificate enrollment for %1 could not access local resources or retrieve %2 certificate template information (%3). Enrollment was not performed.
Event text (German, translated): Certificate enrollment for %1 could not access local resources or retrieve certificate template information for %2 (%3). No enrollment is performed.

Details of the event with ID 13 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 13 (0xC25A000D)
Event log: Application
Event type: Error
Event text (English): Certificate enrollment for %1 failed to enroll for a %2 certificate with request ID %4 from %3 (%5).
Event text (German, translated): The certificate enrollment for %1 failed to enroll for a %2 certificate with request ID %4 from %3 (%5).

Details of the event with ID 57 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 57 (0x825A0039)
Event log: Application
Event type: Information, Warning and Error
Event text (English): The "%2" provider was not loaded because initialization failed.
Event text (German, translated): The "%2" provider was not loaded due to an initialization error.

Details of the event with ID 82 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 82 (0x825A0052)
Event log: Application
Event type: Warning
Event text (English): Certificate enrollment for %1 failed in authentication to all urls for enrollment server associated with policy id: %2 (%4). Failed to enroll for template: %3
Event text (German, translated): Certificate enrollment error for %1 when authenticating to all URLs of the enrollment server associated with the following policy ID: %2 (%4). Error enrolling for template: %3
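As an added example (not part of the original event descriptions), the following PowerShell pulls the four CertEnroll events listed above from the local Application log and breaks each one down into the fields named by its placeholders. The property index used for each event follows the placeholder numbering of the event texts above (%1 is the first property, %2 the second, and so on); the column labels are this example's own.

```powershell
# Added example, not from the original articles. Reads the CertEnroll events
# 4, 13, 57 and 82 from the local Application log and maps the event
# properties to the placeholders (%1, %2, ...) of the event texts above.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
    Id           = 4, 13, 57, 82
}

# Get-WinEvent writes an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Properties[0] is %1, Properties[1] is %2, ...
    $p = @($_.Properties | ForEach-Object Value)

    $detail = switch ($_.Id) {
        4  { "template '$($p[1])', error $($p[2])" }
        13 { "template '$($p[1])' from CA '$($p[2])', request ID $($p[3]), error $($p[4])" }
        57 { "provider '$($p[1])' failed to initialize" }
        82 { "policy ID $($p[1]), template '$($p[2])', error $($p[3])" }
    }

    [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        Level     = $_.LevelDisplayName
        Principal = $p[0]      # %1: the user or computer account that tried to enroll
        Detail    = $detail
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Event 82 is the one to look at first when autoenrollment runs against a Certificate Enrollment Web Service rather than directly against the CA, because it names the policy ID and the template that could not be reached; event 13 carries the request ID, which can be matched against the CA's Failed Requests view.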

Certificate request fails with error message "A certificate issued by the certification authority cannot be installed. Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

  • A certificate is requested from a certification authority.
  • The certificate is successfully issued by the Certification Authority.
  • However, when installing the certificate on the target system, the following error message occurs:
A certificate issued by the certification authority cannot be installed. Contact your administrator.
Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)

Requesting a certificate protected by a Trusted Platform Module (TPM) - without owning a TPM

Since Windows 8, the private key of a certificate can be protected by a Trusted Platform Module (TPM), if one is present. The key then cannot be exported, not even with tools such as mimikatz.

What is not obvious at first glance, however, is that there is no guarantee that a TPM was actually used. It is true that a request via the Microsoft Management Console or autoenrollment is not possible if the computer has no TPM.

But the setting in the certificate template is only a default for the client. The certification authority does not explicitly check, when it processes the request, whether a Trusted Platform Module was really used.

Consequently, if the certificate request is generated outside the MMC, arbitrary parameters can be used for the private key.
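The following added example (it is not code from this article or from the article on TPM Key Attestation above, and it serves both) shows the two halves of the problem: first a certreq request that names a template configured for the Microsoft Platform Crypto Provider but generates its key in the software KSP, which the CA accepts unless key attestation is enforced; second a check that reads, for every certificate in the machine store, which provider actually holds the private key. The template name TPMProtectedComputer, the subject and the CA configuration string are assumptions.

```powershell
# Added example, not from the original articles. Template name, subject and
# CA configuration string are assumptions.

# 1) The template may prescribe the Microsoft Platform Crypto Provider, but a
#    request written with certreq can name any installed KSP. Without TPM key
#    attestation the CA cannot tell the difference and issues the certificate.
$inf = @"
[NewRequest]
Subject = "CN=client01.corp.example"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = TPMProtectedComputer
"@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII
certreq -new .\request.inf .\request.req
certreq -submit -config "CA01.corp.example\Corp Issuing CA" .\request.req .\request.cer
certreq -accept .\request.cer

# 2) On the client, the provider that holds each private key is visible from
#    the key handle. Only "Microsoft Platform Crypto Provider" means the key
#    is in the TPM; the certificate itself says nothing about it.
function Get-PrivateKeyProvider {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
        $cert = $_
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $rsa.Key.Provider.Provider                # CNG key storage provider
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $rsa.CspKeyContainerInfo.ProviderName     # legacy CAPI provider
        } else {
            '(non-RSA key)'
        }
        # 1.3.6.1.4.1.311.21.7 is the certificate template information extension
        $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Template   = if ($tmplExt) { $tmplExt.Format($false) } else { '' }
            Provider   = $provider
            InTpm      = ($provider -eq 'Microsoft Platform Crypto Provider')
        }
    }
}
Get-PrivateKeyProvider | Format-Table -AutoSize
```

The check in part 2 is only meaningful on the client that holds the key; an issued certificate carries no record of the provider, which is exactly why the CA cannot verify it from the request alone and why TPM Key Attestation is needed on the server side. With key attestation enforced on the template, the request from part 1 is rejected instead of issued.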


Requesting a certificate is not possible because the certificate template is not displayed. The error message is "Can not find a valid CSP in the local machine."

Assume the following scenario:

  • A certificate is requested for a user or a computer from a certificate authority via the certificate management console (certlm.msc or certmgr.msc).
  • Autoenrollment does not request a certificate from the desired certificate template, although it is enabled and the permissions are set accordingly.
  • The desired certificate template is not displayed when requesting manually via the Microsoft Management Console (MMC). If the "Show all templates" check box is selected, the following error message is displayed for the desired certificate template:
Cannot find object or property.
Can not find a valid CSP in the local machine.

Configure a certificate template to use the Microsoft Platform Crypto Provider to enable private key protection through a Trusted Platform Module (TPM).

Since Windows 8, the private key of a certificate can be protected by a Trusted Platform Module (TPM), if one is present. This ensures that the key really cannot be exported.

The process for setting up a certificate template that uses a Trusted Platform Module is described below.
