Hardware Security Module (HSM) - Page 2

Details of the event with ID 53 of the source Microsoft-Windows-CertificationAuthority

Event Source:	Microsoft-Windows-CertificationAuthority
Event ID:	53 (0x35)
Event log:	Application
Event type:	Warning
Symbolic Name:	MSG_DN_CERT_DENIED_WITH_INFO
Event text (English):	Active Directory Certificate Services denied request %1 because %2. The request was for %3. Additional information: %4
Event text (German):	The request %1 was rejected because %2. The request was for %3. More information: %4

Use the Onlineresponder (OCSP) with a SafeNet Hardware Security Module (HSM)

With the SafeNet Key Storage Provider it is not possible to set permissions on the private keys: the Microsoft Management Console (MMC) will crash.

Which Cryptographic Service Provider (CSP) should be used for the Network Device Enrollment Service (NDES)?

When configuring a certificate template for the Registration Authority (RA) certificates for the Network Device Enrollment Service (NDES), the question arises, especially when using Hardware Security Modules (HSM), which Cryptographic Service Provider (CSP) of the HSM manufacturer should be used.

Certificate request fails with error message "Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA)."

Assume the following scenario:

A user sends a certificate request to a certificate authority.
The certificate request fails with the following error message:

Bad Data. 0x80090005 (-2146893819 NTE_BAD_DATA).
Denied by Policy Module.

Checking the connection to the private key of a certificate (e.g. when using a hardware security module)

For a function test or during troubleshooting, it can be useful to check whether the private key of a certificate is usable. If the key is secured with a hardware security module (HSM), for example, there are significantly more dependencies and possibilities for errors than with a software key.

Restoring a certification authority from backup

The following describes how to restore a certification authority from backup. In addition to the disaster case, this procedure is also part of the Migration of a certification authority to a new server.

Restoration of a Certification Authority Certificate with Hardware Security Module (HSM)

The following describes how to restore a certificate authority certificate with software key.

Restoring the certification authority certificate may be necessary for the following reasons:

Role configuration for Network Device Enrollment Service (NDES) fails with error message "Failed to enroll RA certificates. The endpoint is a duplicate. 0x800706cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT)".

Assume the following scenario:

One installs a Network Device Enrollment Service (NDES) server.
One has the necessary permissions to install the role (local administrator, enterprise administrator).
The role configuration fails with the following error message:

Failed to enroll RA certificates. The endpoint is a duplicate. 0x800706cc (WIN32: 1740 RPC_S_DUPLICATE_ENDPOINT)

Viewing the certificate store of the online responder (OCSP) and checking the signature certificates

Sometimes it is necessary to verify a signature certificate of an online responder, for example when the connection to the (if present) Hardware Security Module (HSM) has to be verified. The online responder uses its own certificate store when the certificates are automatically retrieved from a certificate authority.