To use the Online Certificate Status Protocol (OCSP), it is necessary to configure an appropriate certificate template.
Continue reading „Konfigurieren einer Zertifikatvorlage für Onlineresponder (OCSP) Antwortsignatur-Zertifikate“Tag: Key Storage Provider (KSP)
List of certificate use cases for which compatibility with elliptic curve (ECC)-based keys is known
As computing power becomes increasingly available, the need to use stronger cryptographic keys also increases. Often there is a need (for example, because the keys have to be protected by a trusted platform module) to use elliptic curves (ECC) based keys to be used. For their use, it is essential that compatibility with the intended use cases is ensured.
Below is a list of use cases for which I am aware of compatibility.
Continue reading „Liste der Use Cases der Zertifikate, für welche die Kompatibilität zu auf elliptischen Kurven (ECC) basierenden Schlüsseln bekannt ist“The partition of the Hardware Security Module (HSM) runs full
Assume the following scenario:
- A Certification Authority uses a Hardware Security Module (HSM).
- The partition of the hardware security module fills up with more and more keys over the lifetime of the certificate authority.
- At SafeNet hardware security modules, this can even cause the partition to fill up. As a result, the events 86 and 88 logged by the Certification Authority.
Requesting certificates with elliptic curve based keys fails when using Microsoft Platform Crypto Provider
Assume the following scenario:
- A certificate template is configured to elliptic curves based keys to be used.
- In addition, the certificate template is configured to use the Microsoft Platform Crypto Provider to use the private key with the Trusted Platform Module (TPM) of the device.
- The certificate request fails with the following error message:
Error: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)
On Windows Server 2016, the error message "No provider was specified for the store or object. 0x80092006 (-2146885626 CRYPT_E_NO_PROVIDER)" is issued with otherwise identical behavior.
Continue reading „Die Beantragung von Zertifikaten mit auf elliptischen Kurven basierenden Schlüsseln schlägt fehl, wenn der Microsoft Platform Crypto Provider verwendet wird“When restoring a certification authority, the certification authority certificate is not selectable during role installation
Assume the following scenario:
- A Certification Authority will migrated to another server or restored from backup.
- A Thales (nCipher) hardware security module (HSM) is used to protect the private key of the certification authority certificate. Security World is configured with Operator Card Set (OCS) Protection.
- The Certification Authority certificate was successfully restored and associated with the private key stored on the HSM..
- When installing the certification authority role, the restored certification authority certificate cannot be selected.
Reconnecting to the private key fails with error message "Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"
Assume the following scenario:
- A Certification Authority will migrated to another server or restored from backup.
- A hardware security module (HSM) is used to protect the private key of the certification authority certificate.
- The certification authority certificate should now be installed on the target system. be restored and linked to the private key.
- The operation fails with the following error message:
Cannot find the certificate and private key for decryption. CertUtil: -repairstore command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND) CertUtil: Cannot find object or property.Continue reading „Die Wiederherstellung der Verbindung zum privaten Schlüssel schlägt fehl mit Fehlermeldung „Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““
Basics: Cryptographic Service Provider (CSP) and Key Storage Provider (KSP)
Since Windows NT 4.0, the Cryptographic Service Provider (CSP) has been part of the CryptoAPI.
The purpose is that an application does not have to worry about the concrete implementation of key management, but can leave this to generic operating system interfaces. It is also intended to prevent cryptographic keys from being loaded into memory in the security context of the user/application being used (a fatal security incident based precisely on this problem was the Heartbleed incident).
For example, it makes no technical difference to the certification authority software how its private key is protected - whether in software or with a hardware security module (HSM), for example. The call of the private key is always identical for the certification authority.
With Windows Vista and the introduction of Cryptography Next Generation (CNG) as a replacement for CryptoAPI, Key Storage Providers (KSP) were introduced.
Continue reading „Grundlagen: Cryptographic Service Provider (CSP) und Key Storage Provider (KSP)“Details of the event with ID 58 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll
| Event Source: | Microsoft-Windows-CertificateServicesClient-CertEnroll |
| Event ID: | 58 (0x825A003A) |
| Event log: | Application |
| Event type: | Warning |
| Event text (English): | The "%3" algorithm for the "%2" provider was not loaded because initialization failed. |
| Event text (German): | The "%3" algorithm for the "%2" provider was not loaded due to an initialization error. |
The Certificate Authority service fails to start and throws the error message "Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL)."
Assume the following scenario:
- A certification authority is implemented in the network.
- The certification authority service does not start.
- When trying to start the Certification Authority service, you get the following error message:
Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL).Continue reading „Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „Provider DLL failed to initialize correctly. 0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL).““
List of use cases for certificates that require specific Cryptographic Service Providers (CSP) or Key Storage Providers (KSP).
Windows Server 2008, along with NSA Suite B algorithms (also known as Cryptography Next Generation, CNG) with Key Storage Providers, introduced a new, modern interface for generating, storing, and using private keys in the Windows ecosystem.
In most cases, it does not matter which CSP or KSP is used for certificates. However, some applications will not work or will not work correctly if the wrong provider is chosen.
Below is a list of use cases I know of for certificates that only work with a specific Cryptographic Service Provider (CSP) or Key Storage Provider (KSP).
Continue reading „Liste der Use Cases für Zertifikate, die bestimmte Cryptographic Service Provider (CSP) oder Key Storage Provider (KSP) benötigen“Certificate request fails with error message "A certificate issued by the certification authority cannot be installed. Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"
Assume the following scenario:
- A certificate is requested from a certification authority.
- The certificate is successfully issued by the Certification Authority.
- However, when installing the certificate on the target system, the following error message occurs:
A certificate issued by the certification authority cannot be installed. Contact your administrator. Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)Continue reading „Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „A certificate issued by the certification authority cannot be installed. Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)““
Requesting a certificate protected by a Trusted Platform Module (TPM) - without owning a TPM
Since Windows 8 it is possible, that private keys for certificates are protected with a - if available - Trusted Platform Module (TPM). This makes the key non-exportable - even with tools like mimikatz.
However, it is not obvious at first glance that it cannot be guaranteed that a TPM is really used. Although no application via Microsoft Management Console or AutoEnrollment possible if the computer does not have a TPM.
However, the configuration in the certificate template is merely a default setting for the client. The certification authority will not explicitly check whether a trusted platform module has actually been used when a request is made.
Thus - if the certificate request is done away from the MMC - arbitrary parameters can be used for the private key.
Continue reading „Beantragen eines durch ein Trusted Platform Modul (TPM) geschütztes Zertifikat – ohne ein TPM zu besitzen“Requesting a certificate is not possible because the certificate template is not displayed. The error message is "Can not find a valid CSP in the local machine."
Assume the following scenario:
- A certificate is requested for a user or a computer from a certificate authority via the certificate management console (certlm.msc or certmgr.msc).
- Autoenrollment does not request a certificate from the desired certificate template, although it is enabled and the permissions are set accordingly.
- The desired certificate template is not displayed when applying manually via the Microsoft Management Console (MMC). If the "Show all templates" check box is selected, the following error message is displayed for the desired certificate template:
Cannot find object or property. Can not find a valid CSP in the local machine.Continue reading „Die Beantragung eines Zertifikats ist nicht möglich, da die Zertifikatvorlage nicht angezeigt wird. Die Fehlermeldung lautet „Can not find a valid CSP in the local machine.““
Configure a certificate template to use the Microsoft Platform Crypto Provider to enable private key protection through a Trusted Platform Module (TPM).
Since Windows 8, it has been possible for private keys for certificates to be protected with a - if available - Trusted Platform Module (TPM). This ensures that the key is truly non-exportable.
The process for setting up a certificate template that uses a Trusted Platform module is described below.
Continue reading „Konfigurieren einer Zertifikatvorlage für die Verwendung des Microsoft Platform Crypto Provider, um Schutz des privaten Schlüssels durch ein Trusted Platform Module (TPM) zu ermöglichen“The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect."
Assume the following scenario:
- An NDES server is configured on the network.
- HTTP error 500 (Internal Server Error) is reported when accessing the NDES application web page (mscep) and the NDES administration web page (certsrv/mscep_admin).
- The events no. 2 and 10 stored in the application event log:
The Network Device Enrollment Service cannot be started (0x80070057). The parameter is incorrect.
The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.Continue reading „Der Registrierungsdienst für Netzwerkgeräte (NDES) protokolliert die Fehlermeldung „The Network Device Enrollment Service cannot retrieve one of its required certificates (0x80070057). The parameter is incorrect.““
English 
Deutsch