Details of the event with ID 87 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll

Event Source:Microsoft-Windows-CertificateServicesClient-CertEnroll
Event ID:87 (0xC25A0057)
Event log:Application
Event type:Error
Event text (English):SCEP Certificate enrollment for %1 via %2 failed: %3 Method: %4 Stage: %5 %6
Event text (German):SCEP certificate registration error for %1 over %2: %3 Method: %4 Phase: %5 %6
Continue reading „Details zum Ereignis mit ID 87 der Quelle Microsoft-Windows-CertificateServicesClient-CertEnroll“

No certificate is requested via autoenrollment if a user is connected via Virtual Private Network (VPN)

Assume the following scenario:

  • A user works remotely via Virtual Private Network (VPN)
  • Actually, a certificate should be requested via autoenrollment, but this is not done
  • A connection test (certutil -ping) to the certification authority throws the following error message:
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) -- (31ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.
Continue reading „Es wird kein Zertifikat per Autoenrollment beantragt, wenn ein Benutzer per Virtual Private Network (VPN) verbunden ist“

Microsoft Outlook: Signed e-mail messages appear invalid with error message "No certificate was found to verify the signature of this message."

Assume the following scenario

  • A user receives an e-mail message signed with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The user (the recipient) uses Microsoft Outlook for Windows.
  • The sender uses Microsoft Outlook for Macintosh.
  • The certificate used to sign the message is valid.
  • The e-mail signature is displayed as invalid. Inspection of the signature reveals that no details about the signature certificate can be displayed.
Fehler: Es wurde kein Zertifikat zum Überprüfen der Signatur dieser Nachricht gefunden.
Signiert von (Name des Zertifikatsbetreffs unbekannt) unter Verwendung von RSA/SHA256 um 15:44:59 19.05.2021.
Continue reading „Microsoft Outlook: Signierte E-Mail Nachrichten erscheinen ungültig mit Fehlermeldung „Es wurde kein Zertifikat zum Überprüfen der Signatur dieser Nachricht gefunden.““

Microsoft Outlook: "This message cannot be encrypted or signed by Microsoft Outlook because there are no certificates for sending messages from the email address [...]."

Assume the following scenario:

  • A user wants to send a signed e-mail
  • The operation fails with the following error message:
Diese Nachricht kann von Microsoft Outlook weder verschlüsselt noch signiert werden, da keine Zertifikate für das Senden von Nachrichten von der E-Mail Adresse "rudi.ratlos@adcslabor.de" vorhanden sind. Fordern Sie entweder eine neue digitale ID für dieses Konto an, oder verwenden Sie die Schaltfläche "Konten", um die Nachricht mithilfe eines Kontos zu senden, für das Sie Zertifikate besitzen.
Continue reading „Microsoft Outlook: „Diese Nachricht kann von Microsoft Outlook weder verschlüsselt noch signiert werden, da keine Zertifikate für das Senden von Nachrichten von der E-Mail Adresse […] vorhanden sind.““

The Certificate Authority service fails to start and throws the error message "Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL)."

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL).
Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL).““

The "Application Policies" certificate extension

The purposes for which a digital certificate may be used are controlled via the certificate extensions "Key Usage" and "Extended Key Usage".

In the "Extended Key Usage" certificate extension, the extended key uses for which the certificate may be used.

However, there is another certificate extension called "Application Policies" for certificates issued by a Microsoft Certification Authority, which also contains a list very similar to the Extended Key Usages extension.

Continue reading „Die „Application Policies“ Zertifikaterweiterung“

New certificates are regularly requested via Autoenrollment

Assume the following scenario:

  • A certificate template is configured for automatic request and issuance (AutoEnrollment).
  • Users or computers apply for new certificates at regular intervals and long before the defined renewal period.
Continue reading „Es werden regelmäßig neue Zertifikate über Autoenrollment beantragt“

The key algorithm of certificate requests is not checked by the certification authority's policy module

Assume the following scenario:

  • A certificate template is configured to use elliptic curve based keys (e.g. ECDSA_P256).
  • As a result, a minimum key length of 256 bits is configured.
  • Nevertheless, certificate requests that use other ECC curves or RSA-based keys are also signed.
Continue reading „Der Schlüsselalgorithmus von Zertifikatanforderungen wird vom Policy Modul der Zertifizierungsstelle nicht überprüft“

SignTool installation without Windows Software Development Kit (SDK) installation

One way to perform code signatures is to use the SignTool command line tool. This is part of the Windows 10 Software Development Kit (SDK).

If you want to use the tool on a system without having to install Visual Studio or the Windows SDK, you can proceed as follows.

Continue reading „SignTool Installation ohne Installation des Windows Software Development Kit (SDK)“

Certificate request fails with error message "The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)".

Assume the following scenario:

  • A certificate is requested from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The request fails with the following error message:
An error occurred while enrolling for a certificate.
The certificate request could not be submitted to the certification authority.
Url: CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1
Error: The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)
Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „The request is not supported. 0x80070032 (WIN32: 50 ERROR_NOT_SUPPORTED)““

The role configuration for the Certificate Enrollment Web Service (CES) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

  • A role configuration for the Certificate Enrollment Web Service (CES) is performed.
  • The role configuration fails with the following error message:
CCertificateEnrollmenServerSetup::InitializeInstallDefaults: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
Continue reading „Die Rollenkonfiguration für den Certificate Enrollment Web Service (CES) schlägt fehl mit Fehlermeldung „Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)““

The role configuration for the Certificate Enrollment Web Service (CES) fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE".

Assume the following scenario:

  • A role configuration for the Certificate Enrollment Web Service (CES) is performed.
  • The role configuration fails with the following error message:
The Certificate Enrollment Web Service Setup failed because the CA "CA02.intra.adcslabor.de\ADCS Labor Issuing CA 1" cannot  be contacted. Check the name, and confirm that the CA is properly configured and available. The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)   
Continue reading „Die Rollenkonfiguration für den Certificate Enrollment Web Service (CES) schlägt fehl mit Fehlermeldung „The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE““

Automatic renewal of manually requested certificates without intervention of a certificate manager

Assuming a use case is implemented for certificates where users specify the identity contained in the certificate in the certificate request, and this requires manual intervention by the certificate managers, the question arises as to how to proceed when the certificates expire or the certificate template is moved to another certification authority in order to minimize tickets at the help desk and thus the resulting work for the certificate managers.

Continue reading „Automatische Erneuerung manuell beantragter Zertifikate ohne Eingriff eines Zertifikatmanagers“

Microsoft Outlook: Emails encrypted with S/MIME cannot be opened. The error message "Internal error." appears.

Assume the following scenario:

  • A user receives an e-mail message encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).
  • The message cannot be opened.
  • When opening the message, the following error message is displayed:
Leider besteht ein Problem beim Öffnen dieses Elements. Dies kann vorübergehend sein. Wenn dieser Fehler erneut auftritt, sollten Sie Outlook neu starten. Fehler im zugrunde liegenden Sicherheitssystem. Interner Fehler.
Continue reading „Microsoft Outlook: Mit S/MIME verschlüsselte E-Mails können nicht geöffnet werden. Es erscheint die Fehlermeldung „Interner Fehler.““
en_USEnglish