Answered: Windows XP SP3 client cannot obtain certificate from Windows 2008 R2 Enterprise Issuing CA

  • 18 November 2009, 03:14 PM, Arie de Haan

    When requesting a certificate with a Windows XP SP3 client through the web interface, the issued certificate cannot be installed. The error dialog box states:
    Unable to install the certificate: Error: 0x80090008 (this happens when using IE 6, 7 or 8)
    When doing the same procedure from a Windows 7 (IE8) client, the certificate can be installed.

    As far as I could research, this means that an invalid algorithm is used.

    The errors I see on the IssuingCA are the following. This occurs around the same time a certificate is requested.

    When a certificate is requested which needs approval, it ends up in the Pending Requests (e.g. this is request ID 141). When this request is issued, it is displayed in the Issued Certificates, and it can be seen by the client when it requests the status. What happens on the CA is that another request, 142, ends up in the Failed Requests list due to Request Status Code: “The certificate has invalid policy. 0x800b0113 (-2146762477)” and Request Disposition Message: “Requested by <domain>\<user> Invalid Application Policies: 1.3.6.1.4.1.311.21.5”. This is also represented in the Application Windows event log.

    I also see the error on the CA (the same invalid application policy message) when using pkiview.msc and when hitting the refresh option in pkiview.msc on this IssuingCA.

     

    What I found is:
    When requesting a certificate with, for instance, Windows XP or Windows 7, the Issuing CA needs a CA Exchange certificate, as stated in
    http://msdn.microsoft.com/en-us/library/cc249706(PROT.10).aspx#endNote13

    A Windows client needs the CA to be able to present a CA Exchange (OID 1.3.6.1.4.1.311.21.5) certificate.

    In
    http://msdn.microsoft.com/en-us/library/cc250045(PROT.10).aspx#id13
    it states that a 2008 R2 CA will automatically make such a certificate.

    The CA architecture is: offline RootCA, offline PolicyCA, enterprise IssuingCA. RootCA & PolicyCA have no entry for EnhancedKeyUsageExtension in the CAPolicy.inf; IssuingCA has EnhancedKeyUsageExtension in the CAPolicy.inf: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.3, 1.3.6.1.4.1.311.10.3.12

    So there is possibly a configuration error, and I would like to correct the CA Exchange OID issue.

    But far more important is to solve the error with the Windows XP SP3 client. I don't know if these two are related.
    Greetz,

    Arie de Haan
    MVP SCOM
    This posting is provided "AS IS" with no guarantees, warranties, rights etc.

All replies

  • 18 November 2009, 03:44 PM, Paul Adare, MVP
    What OS are the CAs running? My guess, without knowing the details is that they are running at least Server 2008 and that they are configured to use CNG which is not supported on XP. What type of certificate template are you using (V1, V2, or V3)?
    Paul Adare CTO IdentIT Inc. ILM MVP
  • 18 November 2009, 04:23 PM, Arie de Haan
    Hi Paul,

    Thanks for the reply.

    I forgot to mention it in the post, but the OS version was in the title :)

    Anyways, it is a 2008 R2 enterprise CA in a Windows 2003 domain. There is an offline standalone RootCA (W2K8R2) and an offline standalone PolicyCA (W2K8R2).
    The requested certificates are from V1 & V2 templates (Code Signing & a copy of Code Signing), so AFAIK no CNG possibilities.
    The issuing CA uses a signature algorithm of sha256RSA and a thumbprint algorithm of sha1.
    I've tried with settings
    - certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1
    and
    - certutil -setreg CA\csp\DiscreteSignatureAlgorithm 0
    and did a net stop certsvc & net start certsvc after changing settings.

    Greetz,

    Arie de Haan
    MVP SCOM
    This posting is provided "AS IS" with no guarantees, warranties, rights etc.
  • 19 November 2009, 03:22 AM, Joson Zhou, MSFT, Moderator
     Answered

    Hi,

    Please install the hotfix KB968730 and check if the issue can be resolved:

    Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption
    http://support.microsoft.com/kb/968730

    Joson Zhou
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com

    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 19 November 2009, 10:48 AM, Arie de Haan
    Hi Joson,

    Great catch, the errors were not the same as mentioned in the KB and I also couldn't find anything in the event log on the client. But the hotfix worked for the error on installing the certificate.

    Only thing left is that when a certificate is requested through, for instance, the web interface, there is a request for a certificate (with a request ID 1 lower than that on the client) with extension 1.3.6.1.4.1.311.21.5, which the KB did not solve.
    Greetz,

    Arie de Haan
    MVP SCOM
    This posting is provided "AS IS" with no guarantees, warranties, rights etc.
  • 23 November 2009, 10:30 AM, Joson Zhou, MSFT, Moderator

    Hi,

    Glad that it helps.

    CA Exchange certificate is used for automatic key archival. Do you mean key archival does not work? For more information about key archival, please refer to the following article:

    Understanding Automatic Key Archival
    http://technet.microsoft.com/en-us/library/cc780041(WS.10).aspx


    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 26 November 2009, 10:29 PM, Arie de Haan
    Hi Joson Zhou,

    The funny thing is that I do nothing with key archival.
    Also, this error occurs when running the pkiview.msc tool on the IssuingCA.

    As I understand it, the IssuingCA should have requested this certificate automatically and the clients try to retrieve it.
    Do you know of a way to check if that certificate was issued? I couldn't find it.

    Greetz,

    Arie de Haan
    MVP SCOM
    This posting is provided "AS IS" with no guarantees, warranties, rights etc.
  • 1 December 2009, 01:56 AM, Joson Zhou, MSFT, Moderator

    Hi,

    Based on my research, the CA Exchange Certificate is only generated if a client requests a CA Exchange Certificate to encrypt data between the CA and client.

    Some typical things that will cause a CA Exchange Certificate to be used between the CA and the client are:

    1. Using the Web Enrollment website.
    2. Enrolling for a certificate where Key Archival has been configured.
    3. Enrolling for a certificate with an Enrollment Agent.

    If I understand correctly, you are using the Web Enrollment page to request certificates. Therefore, the CA will try to generate a CA Exchange Certificate. However, the CA cannot generate the certificate, for it is restricted to issuing certificates for 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.3, and 1.3.6.1.4.1.311.10.3.12 (1.3.6.1.4.1.311.21.5 is not included). That's why you encounter the error message “The certificate has invalid policy. 0x800b0113 (-2146762477)”.

    To resolve the issue, you can add the OID 1.3.6.1.4.1.311.21.5 in the [EnhancedKeyUsageExtension] section of the CAPolicy.inf file and then renew the CA certificate for the issuing CA.

    If there is anything unclear, please feel free to let me know.

    This posting is provided "AS IS" with no warranties, and confers no rights.
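The rule behind Joson Zhou's answer, as an added example (not code from the thread or from Microsoft): a small reader for the [EnhancedKeyUsageExtension] section of a CAPolicy.inf, a check that mirrors the EKU containment rule which yields the "Invalid Application Policies: 1.3.6.1.4.1.311.21.5" failure on request 142, and the fix of appending the CA Exchange OID. The CAPolicy.inf text is a constructed sample built from the four OIDs listed earlier in the thread, not the poster's actual file; renewing the CA certificate afterwards remains a manual step on the CA.

```python
CA_EXCHANGE_OID = "1.3.6.1.4.1.311.21.5"  # CA Exchange / Private Key Archival
EKU_SECTION = "[enhancedkeyusageextension]"
# Constructed sample modelled on the issuing CA in the thread, not the poster's file.
CAPOLICY_BEFORE = """\
[Version]
Signature="$Windows NT$"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
OID=1.3.6.1.5.5.7.3.3 ; Code Signing
OID=1.3.6.1.4.1.311.10.3.12 ; Document Signing
"""

def _strip(line):
    return line.split(";", 1)[0].strip()  # drop INF ';' comments and whitespace

def parse_eku_section(inf_text):
    """OIDs under [EnhancedKeyUsageExtension]; None when absent (no EKU restriction)."""
    ekus, in_section = None, False
    for raw in inf_text.splitlines():
        line = _strip(raw)
        if line.startswith("["):
            in_section = line.lower() == EKU_SECTION
            ekus = [] if in_section and ekus is None else ekus
            continue
        key, _, value = line.partition("=")
        if in_section and key.strip().lower() == "oid" and value.strip():
            ekus.append(value.strip())
    return ekus

def rejected_ekus(issuer_ekus, requested_ekus):
    """Requested EKUs a restricted CA cannot issue: each must also be in its own EKU set."""
    if issuer_ekus is None:  # unrestricted CA certificate, nothing is rejected
        return []
    return [oid for oid in requested_ekus if oid not in issuer_ekus]

def add_eku(inf_text, oid):
    """Append OID=<oid> to the EKU section; the CA certificate must then be renewed."""
    lines = inf_text.splitlines()
    heads = [i for i, l in enumerate(lines) if _strip(l).lower() == EKU_SECTION]
    if not heads:
        raise ValueError("no [EnhancedKeyUsageExtension] section to extend")
    end = heads[0] + 1
    while end < len(lines) and not _strip(lines[end]).startswith("["):
        end += 1
    while not _strip(lines[end - 1]):  # keep the new line inside the block
        end -= 1
    lines.insert(end, "OID=" + oid)
    return "\n".join(lines) + "\n"
```

Running `rejected_ekus(parse_eku_section(CAPOLICY_BEFORE), [CA_EXCHANGE_OID])` returns the CA Exchange OID, matching the failed request in the thread; after `add_eku` the same check returns an empty list.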