Certificate usage - Page 5 - Uwe Gradenegger

Basics: Cryptographic Service Provider (CSP) and Key Storage Provider (KSP)

Since Windows NT 4.0, the Cryptographic Service Provider (CSP) has been part of the CryptoAPI.

The purpose is that an application does not have to worry about the concrete implementation of key management, but can leave this to generic operating system interfaces. It is also intended to prevent cryptographic keys from being loaded into memory in the security context of the user/application being used (a fatal security incident based precisely on this problem was the Heartbleed incident).

For example, it makes no technical difference to the certification authority software how its private key is protected - whether in software or with a hardware security module (HSM), for example. The call of the private key is always identical for the certification authority.

With Windows Vista and the introduction of Cryptography Next Generation (CNG) as a replacement for CryptoAPI, Key Storage Providers (KSP) were introduced.

Remote desktop certificate request fails with error message "The permissions on the certificate template do not allow the current user to enroll for this type of certificate."

Assume the following scenario:

Machines are configured by group policy to request certificates for the remote desktop session host.
However, the certificates are not applied for.
In the event log of the affected system, the Event with ID 1064 of source Terminalservices-RemoteConnectionManager logged:

The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The permissions on the certificate template do not allow the current user to enroll for this type of certificate.

Remote desktop certificate request fails with error message "The requested certificate template is not supported by this CA."

Assume the following scenario:

Machines are configured by group policy to request certificates for the remote desktop session host.
However, the certificates are not applied for or existing certificates expire without renewal.
In the event log of the affected system, the event with ID 1064 of the source Terminalservices-RemoteConnectionManager is logged:

The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The requested certificate template is not supported by this CA.

The local certificate store for trusted root certificate authorities is not synchronized from Active Directory

Assume the following scenario:

A certification authority hierarchy is established in the network and the root certification authority is mapped in the configuration partition of the Active Directory forest.
Domain members are configured to run the autoenrollment process to update trusted root certificate authorities from the Configuration partition.
However, this process does not work for some clients. The root CA certificates are not automatically downloaded and entered into the local trust store.
As a consequence certificate requests can failbecause, for example, the certification authority hierarchy is not trusted.

Details of the event with ID 1 of the source Microsoft-Windows-CertificateServicesClient

Event Source:	Microsoft-Windows-CertificateServicesClient
Event ID:	1 (0x1)
Event log:	Application
Event type:	Information
Event text (English):	Certificate Services Client has been started successfully.
Event text (German):	The certificate service client was started successfully.

Details of the event with ID 502 of the source Microsoft-Windows-CertificateServicesClient

Event Source:	Microsoft-Windows-CertificateServicesClient
Event ID:	502 (0x1F6)
Event log:	Application
Event type:	Warning
Event text (English):	Certificate Services Client failed to register Group Policy notifications. Error code: %1.
Event text (German):	Error registering group policy notifications by the certificate service client. Error code: %1.

Details of the event with ID 4 of the source Microsoft-Windows-CertificateServicesClient

Event Source:	Microsoft-Windows-CertificateServicesClient
Event ID:	4 (0x4)
Event log:	Application
Event type:	Information
Event text (English):	Certificate Services Client has detected network dis-connectivity.
Event text (German):	No network connectivity was detected by the certificate service client.

Details of the event with ID 2 of the source Microsoft-Windows-CertificateServicesClient

Event Source:	Microsoft-Windows-CertificateServicesClient
Event ID:	2 (0x2)
Event log:	Application
Event type:	Information
Event text (English):	Certificate Services Client has been stopped.
Event text (German):	The certificate service client has been stopped.

Details of the event with ID 1001 of the source Microsoft-Windows-CertificateServicesClient

Event Source:	Microsoft-Windows-CertificateServicesClient
Event ID:	1001 (0x3E9)
Event log:	Application
Event type:	Error
Event text (English):	Certificate Services Client failed to load Provider %1. Error code %2.
Event text (German):	Certificate service client: the provider %1 could not be loaded. Error code %2.

Details of the event with ID 3 of the source Microsoft-Windows-CertificateServicesClient

Event Source:	Microsoft-Windows-CertificateServicesClient
Event ID:	3 (0x3)
Event log:	Application
Event type:	Information
Event text (English):	Certificate Services Client has detected network connectivity.
Event text (German):	Network connectivity was detected by the certificate service client.

Details of the event with ID 501 of the source Microsoft-Windows-CertificateServicesClient

Event Source:	Microsoft-Windows-CertificateServicesClient
Event ID:	501 (0x1F5)
Event log:	Application
Event type:	Warning
Event text (English):	Certificate Services Client is triggered with bad parameters: %1.
Event text (German):	The certificate service client is triggered with incorrect parameters: %1.

Details of the event with ID 1003 of the source Microsoft-Windows-CertificateServicesClient

Event Source:	Microsoft-Windows-CertificateServicesClient
Event ID:	1003 (0x3EB)
Event log:	Application
Event type:	Error
Event text (English):	Certificate Services Client failed to invoke the Providers in response to event %1. Error code %2.
Event text (German):	Certificate Service Client: Failed to invoke providers in response to event %1. Error code %2.

Details of the event with ID 1002 of the source Microsoft-Windows-CertificateServicesClient

Event Source:	Microsoft-Windows-CertificateServicesClient
Event ID:	1002 (0x3EA)
Event log:	Application
Event type:	Error
Event text (English):	Certificate Services Client cannot find the required interface in Provider %1. Error code %2.
Event text (German):	Certificate Service Client: The required interface at provider %1 was not found. Error code %2.

Details of the event with ID 1004 of the source Microsoft-Windows-CertificateServicesClient

Event Source:	Microsoft-Windows-CertificateServicesClient
Event ID:	1004 (0x3EC)
Event log:	Application
Event type:	Error
Event text (English):	Certificate Services Client Provider %1 raised an exception. Exception code %2.
Event text (German):	Certificate Service Client: Provider %1 has reported an exception case. Exception code %2.

Details of the event with ID 95 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:	Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:	95 (0x425A005F)
Event log:	Application
Event type:	Information
Event text (English):	Successfully installed Logon Certificate for %1 Request thumbprint: %2 Thumbprint: %3 Process: %4
Event text (German):	The logon certificate for %1 was successfully installed. Request fingerprint: %2 Fingerprint: %3 Process: %4