Certification body - Page 19

The certification authority service does not start and throws the error message "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)".

Assume the following scenario:

A certification authority is implemented in the network.
The certification authority service does not start.
When trying to start the Certification Authority service, you get the following error message:

The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

Certificate request fails with error message "The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)".

Assume the following scenario:

A user requests a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority)
The certificate request fails with the following error message:

The certificate request could not be submitted to the certification authority. Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)

Cryptography basics

The need for the use for cryptography can be summarized under the notion of ensuring secure communication in the presence of untrusted third parties. The goals of cryptography are:

To prevent data from falling into unauthorized hands (To ensure the confidentiality of data).
Find out if data has been modified during transport (Ensure the integrity of the data).
To clearly identify the source of the data (To ensure the authenticity of the data).
Additionally, users or computers can authenticate themselves using cryptography.

Editing the NTAuthCertificates object in Active Directory

In the default configuration, all certification authority certificates of Active Directory integrated certification authorities (Enterprise Certification Authority) are located in an object of type CertificationAuthority named NTAuthCertificates within the Configuration Partition of the Active Directory forest.

Publishing a certificate revocation list (CRL) fails with the error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".

Assume the following scenario:

An attempt is made to publish a new certificate revocation list (CRL) on a certification authority
The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
Publishing the certificate revocation list fails with the following error message:

Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

Publishing a certificate revocation list (CRL) fails with the error message "Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)".

Assume the following scenario:

An attempt is made to publish a new certificate revocation list (CRL) on a certification authority.
The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
Publishing the certificate revocation list fails with the following error message:

Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)

Advanced queries against the certification authority database

The Certification Authority database stores much of the information about a Certification Authority's activities. Among other things, it contains information about:

Certificates issued
Revoked certificates
Published blacklists
Pending certificate requirements
Rejected certificate requests
Failed certificate requests

Viewing the contents of the certification authority database is usually done via the certification authority's management console (certsrv.msc), but the possibilities for evaluation and especially for machine processing are very limited.

Requesting a certificate fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)".

Here's the scenario:

A user applies for a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
The certificate of the certification authority is trusted, i.e. it is located in the Trusted Root Certification Authorities store.
The certificate request fails with the following error message:

A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

Requesting a certificate fails with the error message "The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).". When importing PFX files, the private key is missing.

Here's the scenario:

The import of a PFX file seems to be successful, but afterwards the private key is missing. A check with certutil ends with the error message "Missing stored keyset".
Requesting a certificate on a client fails with the following error message:

The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation. 0x80090345 (-2146892987 SEC_E_DELEGATION_REQUIRED).

Requesting a certificate for domain controller fails with error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)".

Here's the scenario:

Requesting a certificate for a domain controller fails.
On the certification authority, the certificate request is logged in the failed requests. The error message reads:

The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_SERVER_UNAVAILABLE)

Incremental backups of the certification authority database fail with the error message "The database missed a previous full backup before incremental backup".

Assume the following scenario:

You use certutil.exe or the PowerShell commandlet Backup-CAService to back up your Active Directory Certificate Services database.
In addition to a full backup, you also perform regular incremental backups of the CA database.
The incremental backups fail with error message "The database missed a previous full backup before incremental backup".

Incremental database backup for...
 Backing up Log files: 0rtUtil: -backupDB command FAILED: 0xc8000230 (ESE: -560 JET_errMissingFullBackup)
 CertUtil: The database missed a previous full backup before incremental backup

Requesting a certificate fails with the error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."

Assume the following scenario:

You try to apply for a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
To do this, use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
However, the desired certificate template is not displayed for selection, even though it has been correctly published on the certification authority.
The logged-in user (or computer) also has the necessary permissions to request certificates from the certificate template in question (enroll).
In the list of available certificate templates within the MMC, all certificate templates are displayed. At the desired certificate template is written:

A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.