Category: Certificate usage

Certificate request fails with error message "The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)."

Assume the following scenario:

  • An attempt is made to request a certificate from a certificate authority (Enterprise CA) integrated into Active Directory for a user or computer.
  • The certificate request fails with the following error message:
The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE).
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE).““

Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Your digital ID name cannot be found by the underlying security system" appears.

Assume the following scenario:

  • A user receives an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The message cannot be opened.
  • When opening the message, the following error message is displayed:
Sorry, we're having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook. Your digital ID name cannot be found by the underlying security system.
Continue reading „Microsoft Outlook: Mit S/MIME verschlüsselte E-Mails können nicht geöffnet werden. Es erscheint die Fehlermeldung „Your digital ID name cannot be found by the underlying security system.““

Microsoft Outlook: Correctly signed e-mails (S/MIME) are displayed as invalid after the signature certificate expires

Assume the following scenario:

  • A user has received an email message in the past.
  • The message was signed with an S/MIME certificate.
  • The sender's signature certificate was issued by a certification authority that has been granted trust status with the recipient.
  • Thus, the signature was recognized as valid at the time the message was received.
  • The user opens the mail again some time later and finds that the signature is classified as invalid.
Continue reading „Microsoft Outlook: Korrekt signierte E-Mails (S/MIME) werden nach Ablauf des Signaturzertifikats als ungültig angezeigt“

Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester."

  • A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
  • One uses here the Enroll on Behalf of (EOBO) Mechanism.
  • The certificate request fails with the following error message:
The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.
Continue reading „Die Beantragung eines Zertifikats über Enroll on Behalf of (EOBO) schlägt fehl mit der Fehlermeldung „The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.““

Requesting certificates via Enroll on Behalf of (EOBO) fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)"

  • A certificate is requested for a user from a certification authority via the certificate management console (certmgr.msc).
  • One uses here the Enroll on Behalf of (EOBO) Mechanism.
  • The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Continue reading „Die Beantragung eines Zertifikats über Enroll on Behalf of (EOBO) schlägt fehl mit der Fehlermeldung „A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)““

Configuring the Trusted Platform Module (TPM) Key Attestation

Since Windows 8 it is possible, that private keys for certificates are protected with a - if available - Trusted Platform Module (TPM). This makes the key non-exportable - even with tools like mimikatz.

However, it is not obvious at first glance that it cannot be guaranteed that a TPM is really used. Although no application via Microsoft Management Console or AutoEnrollment possible if the computer does not have a TPM.

However, the configuration in the certificate template is only a default setting for the client. The certification authority will, when requesting do not explicitly check whether a Trusted Platform Module was really used.

To ensure that the private key of a certificate request has really been protected with a Trusted Platform Module, only the TPM Key Attestation remains.

Continue reading „Konfigurieren der Trusted Platform Module (TPM) Key Attestation“

Manually requesting a web server certificate

There are cases in which you cannot or do not want to obtain web server certificates directly from a certification authority in your own Active Directory forest via the Microsoft Management Console, for example if the system in question is not a domain member.

In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).

Continue reading „Manuelle Beantragung eines Webserver-Zertifikats“

Details of the event with ID 4 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:4 (0x425A0004)
Event log:Application
Event type:Information
Event text (English):Certificate enrollment for %1 could not access local resources or retrieve %2 certificate template information (%3). Enrollment was not performed.
Event text (German):Certificate enrollment for %1 could not access local resources or retrieve certificate template information for %2 (%3). No registration is performed.
Continue reading „Details zum Ereignis mit ID 4 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

Details of the event with ID 13 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:13 (0xC25A000D)
Event log:Application
Event type:Error
Event text (English):Certificate enrollment for %1 failed to enroll for a %2 certificate with request ID %4 from %3 (%5).
Event text (German):The certificate enrollment for %1 failed to enroll for a certificate %2 with request ID %4 of %3 (%5).
Continue reading „Details zum Ereignis mit ID 13 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

Details of the event with ID 57 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:57 (0x825A0039)
Event log:Application
Event type:Information, Warning and Error
Event text (English):The "%2" provider was not loaded because initialization failed.
Event text (German):The "%2" provider was not loaded due to an initialization error.
Continue reading „Details zum Ereignis mit ID 57 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

Details of the event with ID 82 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:82 (0x825A0052)
Event log:Application
Event type:Warning
Event text (English):Certificate enrollment for %1 failed in authentication to all urls for enrollment server associated with policy id: %2 (%4). Failed to enroll for template: %3
Event text (German):Certificate registration error for %1 when authenticating for all URLs for the registration server associated with the following policy ID: %2 (%4). Error registering for template: %3
Continue reading „Details zum Ereignis mit ID 82 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

Certificate request fails with error message "A certificate issued by the certification authority cannot be installed. Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

  • A certificate is requested from a certification authority.
  • The certificate is successfully issued by the Certification Authority.
  • However, when installing the certificate on the target system, the following error message occurs:
A certificate issued by the certification authority cannot be installed. Contact your administrator.
Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „A certificate issued by the certification authority cannot be installed. Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““

Requesting a certificate protected by a Trusted Platform Module (TPM) - without owning a TPM

Since Windows 8 it is possible, that private keys for certificates are protected with a - if available - Trusted Platform Module (TPM). This makes the key non-exportable - even with tools like mimikatz.

However, it is not obvious at first glance that it cannot be guaranteed that a TPM is really used. Although no application via Microsoft Management Console or AutoEnrollment possible if the computer does not have a TPM.

However, the configuration in the certificate template is merely a default setting for the client. The certification authority will not explicitly check whether a trusted platform module has actually been used when a request is made.

Thus - if the certificate request is done away from the MMC - arbitrary parameters can be used for the private key.

Continue reading „Beantragen eines durch ein Trusted Platform Modul (TPM) geschütztes Zertifikat – ohne ein TPM zu besitzen“

Requesting a certificate is not possible because the certificate template is not displayed. The error message is "Can not find a valid CSP in the local machine."

Assume the following scenario:

  • A certificate is requested for a user or a computer from a certificate authority via the certificate management console (certlm.msc or certmgr.msc).
  • Autoenrollment does not request a certificate from the desired certificate template, although it is enabled and the permissions are set accordingly.
  • The desired certificate template is not displayed when applying manually via the Microsoft Management Console (MMC). If the "Show all templates" check box is selected, the following error message is displayed for the desired certificate template:
Cannot find object or property.
Can not find a valid CSP in the local machine.
Continue reading „Die Beantragung eines Zertifikats ist nicht möglich, da die Zertifikatvorlage nicht angezeigt wird. Die Fehlermeldung lautet „Can not find a valid CSP in the local machine.““
en_USEnglish
de_DEDeutsch en_USEnglish