The partition of the Hardware Security Module (HSM) fills up

Assume the following scenario:

  • A Certification Authority uses a Hardware Security Module (HSM).
  • The partition of the hardware security module fills up with more and more keys over the lifetime of the certificate authority.
  • With SafeNet hardware security modules, this can eventually cause the partition to become completely full. As a result, the Certification Authority logs events 86 and 88.

When restoring a certification authority, the certification authority certificate is not selectable during role installation

Assume the following scenario:


Installation of a certificate authority certificate fails with error message "Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)".

Assume the following scenario:

  • A new certification authority is installed.
  • After configuring the certification authority role and issuing the certification authority certificate, that certificate is now to be installed on the certification authority.
  • A hardware security module (HSM) is used to protect the private key of the certification authority certificate.
  • The installation of the certificate authority certificate fails with the following error message:
An error was detected while configuring Active Directory Certificate Services.
The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration.
The new certificate public key does not match the current outstanding request.
The wrong request may have been used to generate the new certificate: Object was not found. 0x80090011 (-2146893807 NTE_NOT_FOUND)

Reconnecting to the private key fails with error message "Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

Cannot find the certificate and private key for decryption.
CertUtil: -repairstore command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Cannot find object or property.

Details of the event with ID 55 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID: 55 (0x825A0037)
Event log: Application
Event type: Warning
Event text (English): Certificate enrollment for %1 for the %2 template could not find specified CSPs on the local machine. Enrollment will not be performed.
Event text (German): No specified CSPs could be found from the certificate registration for %1 for template %2. The registration is not performed.

The Certificate Authority service fails to start and throws the error message "Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL)."

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, the following error message appears:
Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL).

The certification authority service does not start and throws the error message "The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)".

Assume the following scenario:

  • A certification authority is installed.
  • The installation is successful, but the Certificate Authority service does not start after the installation.
  • When trying to start the Certificate Authority service from the Certificate Authority Management Console, you receive the following error message:
The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
The policy module for a CA is missing or incorrectly registered. To view or change policy module settings, right-click on the CA, click Properties, and then click the Policy Module tab.

Certificate request fails with error message "A certificate issued by the certification authority cannot be installed. Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"

Assume the following scenario:

  • A certificate is requested from a certification authority.
  • The certificate is successfully issued by the Certification Authority.
  • However, when installing the certificate on the target system, the following error message occurs:
A certificate issued by the certification authority cannot be installed. Contact your administrator.
Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)

Signing certificates bypassing the certification authority

In discussions about the security of a certification authority, the claim comes up again and again that abuse of the certification authority could be contained by its security settings.

However, it is not obvious at first glance that the integrity of a certification authority is directly tied to its key material and can therefore also be compromised through that key material.

One should think of the certification authority software as a kind of management layer around the key material. For example, the software provides an online interface for certificate enrollment, takes care of authenticating enrollees, automates the execution of signature operations (issuing certificates and revocation lists), and logs them (certification authority database, audit log, event log).

However, signature operations require nothing more than the private key of the certification authority. The following example shows how an attacker, given access to the certification authority's private key, can generate and issue certificates without the certification authority software and its security mechanisms being aware of this.

In the worst case, such a certificate could even be used to take over the Active Directory forest undetected.


The installation of a certificate authority certificate fails with error code "NTE_PROVIDER_DLL_FAIL".

Assume the following scenario:

  • A certification authority is installed.
  • The certificate authority uses a Gemalto/SafeNet Hardware Security Module (HSM) with the SafeNet Luna Key Storage Provider.
  • After the certification authority certificate is issued by the parent certification authority, it is installed to complete the role configuration.
  • The installation of the certificate authority certificate fails with the following error message:
An error was detected while configuring Active Directory Certificate Services.
The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration.
The new certificate public key does not match the current outstanding request.
The wrong request may have been used to generate the new certificate: Provider DLL failed to initialize correctly.
0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL)

Installation of a certificate authority fails with error code ERROR_INVALID_PARAMETER

Assume the following scenario:

  • A certification authority is installed
  • The role configuration fails with the following error message:
CCertSrvSetupProperty: The parameter is incorrect. 0x80070057 (WIN32: ERROR_INVALID_PARAMETER).

Installation of a certificate authority fails with error code "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Assume the following scenario:

  • An attempt is made to install a certificate authority
  • The role configuration fails with the following error message:
An error occurred when creating the new key container "ADCS Labor Issuing CA 3". Please make sure the CSP is installed correctly or select another CSP.
Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).

Details of the event with ID 4880 of the source Microsoft-Windows-Security-Auditing

Event Source: Microsoft Windows Security Auditing
Event ID: 4880 (0x1310)
Event log: Security
Event type: Information
Event text (English): Certificate Services started. Certificate Database Hash: %1 Private Key Usage Count: %2 CA Certificate Hash: %3 CA Public Key Hash: %4
Event text (German): The certificate services have been started. Certificate database hash: %1 Private key usage count: %2 Certification authority hash: %3 Certification authority public key hash: %4

Details of the event with ID 130 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 130 (0x82)
Event log: Application
Event type: Error
Symbolic Name: MSG_E_CRL_CREATION
Event text (English): Active Directory Certificate Services could not create a certificate revocation list. %1. This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the certificate revocation list manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.
Event text (German): No certificate revocation list could be created by Active Directory Certificate Services. %1. This may cause an error to occur in applications that require checking the revocation status of certificates issued by this certificate authority. The certificate revocation list can be manually recreated by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.

Details of the event with ID 100 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 100 (0x64)
Event log: Application
Event type: Error
Symbolic Name: MSG_E_CA_CERT_INVALID
Event text (English): Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. %1 %2.
Event text (German): The Active Directory certificate services were not started: The current certification authority certificate could not be loaded or verified. %1 %2.