Category: Troubleshooting

Requesting certificates via Certificate Enrollment Web Services fails with error message "Error: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)".

Assume the following scenario:

  • A user requests a certificate.
  • An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
  • The connection to the CEP fails and the user receives the following error message:
Error: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
Continue reading „Die Beantragung eines Zertifikats über die Certificate Enrollment Web Services schlägt fehl mit Fehlermeldung „Error: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)““

(Mass) deletion of entries in the certification authority database (certificates, requirements, revocation lists)

Sometimes it happens that the database of the certification authority becomes extremely large. Perhaps a large number of certificate requests have arrived unnoticed and have been rejected, or perhaps there are many certificates in the database that have been issued twice. Before the certification authority database compacts can be used, these entries must first be deleted in order to free up the storage space in the database.

Continue reading „(Massenhaftes) Löschen von Einträgen in der Zertifizierungsstellen-Datenbank (Zertifikate, Anforderungen, Sperrlisten)“

Viewing the certificate authority database revocation list table

By default, the certification authority stores all revocation lists that have not yet expired in the certification authority database.

Under certain circumstances, e.g. due to a misconfigured script, a large number of blacklists are stored in the database in this way, which can lead to a corresponding growth of the database (e.g. if large blacklists are recreated very often).

Continue reading „Einsicht in die Sperrlisten-Tabelle der Zertifizierungsstellen-Datenbank“

Role configuration for the Network Device Enrollment Service (NDES) fails with error message "Failed to enroll RA certificates. The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)".

Assume the following scenario:

  • One installs a Network Device Enrollment Service (NDES) server
  • One has the necessary permissions to install the role (local administrator, enterprise administrator)
  • The role configuration fails with the following error message: 
Failed to enroll RA certificates. The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)
Continue reading „Die Rollenkonfiguration für den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlermeldung „Failed to enroll RA certificates. The RPC Server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)““

Role configuration for Network Device Enrollment Service (NDES) fails with error message "Failed to enroll RA certificates. The endpoint is a duplicate. 0x800706cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT)".

Assume the following scenario:

  • One installs a Network Device Enrollment Service (NDES) server.
  • One has the necessary permissions to install the role (local administrator, enterprise administrator).
  • The role configuration fails with the following error message: 
Failed to enroll RA certificates. The endpoint is a duplicate. 0x800706cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT)
Continue reading „Die Rollenkonfiguration für den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlermeldung „Failed to enroll RA certificates. The endpoint is a duplicate. 0x800706cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT)““

Role configuration for Network Device Enrollment Service (NDES) fails with error message "Insufficient access rights to perform this operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".

Assume the following scenario:

  • One installs a Network Device Enrollment Service (NDES) server.
  • The role configuration fails with the following error message:
Insufficient access rights to perform this operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS
Continue reading „Die Rollenkonfiguration für den Registrierungsdienst für Netzwerkgeräte (NDES) schlägt fehl mit Fehlermeldung „Insufficient access rights to perform this operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)““

Viewing the certificate store of the online responder (OCSP) and checking the signature certificates

Sometimes it is necessary to verify a signature certificate of an online responder, for example when the connection to the (if present) Hardware Security Module (HSM) has to be verified. The online responder uses its own certificate store when the certificates are automatically retrieved from a certificate authority.

Continue reading „Einsicht in den Zertifikatspeicher des Onlineresponders (OCSP) und Überprüfung der Signaturzertifikate“

certutil -dcinfo fails with error message "KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

  • Domain controllers have certificates for LDAP over SSL.
  • The certificates do not include the Extended Key Usage "Smart Card Logon" or "Kerberos Authentication".
  • If you run certutil -dcinfo, the command reports the following error message:
0 KDC certificates for DC01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Continue reading „certutil -dcinfo schlägt fehl mit Fehlermeldung „KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““

Publishing a certificate revocation list (CRL) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

  • A new revocation list is created on the certification authority.
  • The certification authority is configured to publish revocation lists to a network path.
  • Publishing fails with the following error message:
Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
Continue reading „Die Veröffentlichung einer Zertifikatsperrliste (CRL) schlägt fehl mit Fehlermeldung „Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)““

Publishing a certificate revocation list (CRL) fails with error message "The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)".

Assume the following scenario:

  • A new revocation list is created on the certification authority.
  • Publishing fails with the following error message:
The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)
Continue reading „Die Veröffentlichung einer Zertifikatsperrliste (CRL) schlägt fehl mit Fehlermeldung „The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)““

Disabling the SMTP Exit Module of a Certification Authority

Assume the following scenario:

  • The certification authority is configured to send e-mail notifications about the events on the certification authority only using the SMTP Exit module.
  • The configured SMTP server is unreachable, for example due to a failure.

In this case, the exit module cannot deliver the email notifications. It will time out and the certificate authority will work very slowly.

Continue reading „Deaktivieren des SMTP Exit-Moduls einer Zertifizierungsstelle“

The online responder (OCSP) requests new signature certificates every four hours

Assume the following scenario:

  • The online responders are configured to request signing certificates using a certificate template from an Active Directory integrated certificate authority.
  • The online responders apply for a new signature certificate at regular intervals (every four hours), even though the existing certificate is still valid for a sufficiently long time.
Continue reading „Der Onlineresponder (OCSP) beantragt alle vier Stunden neue Signaturzertifikate“

Requesting a certificate fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)".

Here's the scenario:

  • A user applies for a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The certificate of the certification authority is trusted, i.e. it is located in the Trusted Root Certification Authorities store.
  • The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)““

Requesting a certificate fails with the error message "The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).". When importing PFX files, the private key is missing.

Here's the scenario:

  • The import of a PFX file seems to be successful, but afterwards the private key is missing. A check with certutil ends with the error message "Missing stored keyset".
  • Requesting a certificate on a client fails with the following error message:
The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).“. Beim Import von PFX-Dateien fehlt der private Schlüssel.“

Requesting a certificate for domain controller fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)".

Here's the scenario:

  • Requesting a certificate for a domain controller fails.
  • On the certification authority, the certificate request is logged in the failed requests. The error message reads:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)
Continue reading „Die Beantragung eines Zertifikats für Domänencontroller schlägt fehl mit Fehlermeldung „The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)““
en_USEnglish
de_DEDeutsch en_USEnglish