Is it possible to reset SubCA private key permissions?

  • Question

  • I have a new CA running on Windows 2008 R2 which is failing to start after a reboot; the SubCA certificate's private key permissions were "updated" in an ill-conceived attempt to provide read access for a softcert recovery process via network service.

    The CA fails to restart and in the event viewer application logs we see:

    --------------------

    Log Name:      Application
    Source:        Microsoft-Windows-CertificationAuthority
    Date:          9/22/2014 3:59:44 PM
    Event ID:      100
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      SERVERNAME
    Description:
    Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  CA-NAME An internal error occurred. 0x80090020 (-2146893792).

    -----------------

    When trying to view the private key permissions through the MMC snap-in, a pop-up reports that an internal error occurred.

    We are also seeing warnings in the application logs:

    ----------------

    The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID related to certsrv.exe but its configuration matches a working CA when checked with the Component Services snap-in.

    -----------------

    Is there a way to use certutil -repairstore or other means to reset the default permissions on the private key and allow the CA to start? The CA is HSM attached for CSP and the security world is online and available.

    Thanks for any information or tips; search did not turn up any leads for this that I could find.

    Monday, September 22, 2014 8:15 PM

Answers

  • Hi Paul,

    To change permissions of private key, please locate the certificate under the sub CA’s (Local computer) Personal certificates store, then right-click on the certificate, select Manage private keys.

    System and Administrators should have full control on the private key.

    Best Regards,

    Amy

    Hi Amy,

    That was the process that got our admin into trouble in the first place, oddly enough. When they attempted to grant network service read access (bad idea), both system and admins permissions were dropped! Using the findprivatekey tool failed as well. I think that was because the private key material is protected by HSM.

    Our solution turned out to be incredibly simple, and had it been a "normal" private key it would've been exposed by search sooner. Since we do have an HSM in place, the flatfiles are under a different location under programdata. In an attempt to restore the previous files I tried to move and replace them from our RFS. I received an access denied for one file and a dialog saying I needed the admin's permission to access the file. I right-clicked the complaining file and found it had network service read rights only! I removed that, added full system and administrator rights, and the CA fired up immediately.

    Thanks for the feedback. I need to lab test why the permissions were mangled by the admin's attempt to add network service, to see if it was a glitch, HSM related, or an unreported mouse click or two...

    Thanks again,

    Paul

    Thursday, September 25, 2014 4:36 PM
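The fix Paul describes is a file-ACL repair on the key container files under ProgramData. As an added example (not from this thread, and not a Microsoft or HSM vendor tool), the PowerShell script below audits every file in a key folder for the default Full Control entries for SYSTEM and Administrators, lists any other principal that was granted rights (such as NETWORK SERVICE in Paul's case), and with -Repair re-adds the missing default entries. The folder path is an assumption: for software machine keys it is normally C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, while an HSM CSP keeps its files in its own vendor folder under C:\ProgramData, so the default below is a placeholder to replace.

```powershell
# Added example: audit (and optionally restore) the default SYSTEM / Administrators
# Full Control ACEs on private-key container files. Not part of the original thread.
# $KeyFolder is a placeholder; point it at the CSP's key folder under C:\ProgramData.
param(
    [string]$KeyFolder = 'C:\ProgramData\<HSM-vendor-key-folder>',   # placeholder path
    [switch]$Repair                                                   # report only unless set
)

# Default principals that must hold Full Control for certsrv (SYSTEM) and admins.
$required = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-KeyFileAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $missing = @()
    foreach ($id in $required) {
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $fullControl) -eq $fullControl)
        }
        if (-not $ok) { $missing += $id }
    }
    # Informational: any other principal with an ACE on the key file (e.g. NETWORK SERVICE).
    $extra = @($acl.Access |
        Where-Object { $required -notcontains $_.IdentityReference.Value } |
        ForEach-Object { "$($_.IdentityReference) : $($_.FileSystemRights)" })
    New-Object PSObject -Property @{ Path = $Path; Missing = $missing; Extra = $extra }
}

# PowerShell 2.0 on Windows 2008 R2 has no Get-ChildItem -File, so filter containers by hand.
$files = Get-ChildItem -Path $KeyFolder -Recurse -Force | Where-Object { -not $_.PSIsContainer }

foreach ($f in $files) {
    $r = Test-KeyFileAcl -Path $f.FullName
    if ($r.Missing.Count -gt 0 -or $r.Extra.Count -gt 0) {
        Write-Output $r.Path
        if ($r.Missing.Count -gt 0) { Write-Output "  missing Full Control: $($r.Missing -join ', ')" }
        if ($r.Extra.Count -gt 0)   { Write-Output "  other ACEs: $($r.Extra -join '; ')" }
        if ($Repair -and $r.Missing.Count -gt 0) {
            $acl = Get-Acl -Path $r.Path
            foreach ($id in $r.Missing) {
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $id, 'FullControl', 'Allow')
                $acl.AddAccessRule($rule)
            }
            Set-Acl -Path $r.Path -AclObject $acl
            Write-Output "  restored Full Control for: $($r.Missing -join ', ')"
        }
    }
}
```

Run it first without -Repair to see which files deviate from the default; -Repair only re-adds the missing SYSTEM and Administrators entries and deliberately does not remove the other ACEs it reports, since an HSM vendor service account may legitimately appear there. Removing a stray NETWORK SERVICE entry, as Paul did, is a separate manual decision after reviewing the report.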

All replies

  • Hi Paul,

    Are you able to access the certificate with domain administrator credentials?

    Have you tried to renew one?

    Best Regards,

    Amy

    Tuesday, September 23, 2014 9:53 AM
  • Morning Amy,

    Thanks for the reply. I temporarily elevated my admin account to enterprise admin and the symptoms are the same. I was able to generate a renewal request, which I will try to process once the second part of my two-person control to our offline root arrives...

    Paul

    update: renewed cert did not resolve the issue either. My assumption is that even though the certificate is renewed, the original is time valid and certsrv is still trying to access it.

    Tuesday, September 23, 2014 12:50 PM
  • Hi Paul,

    To change permissions of private key, please locate the certificate under the sub CA’s (Local computer) Personal certificates store, then right-click on the certificate, select Manage private keys.

    System and Administrators should have full control on the private key.

    Best Regards,

    Amy

    Thursday, September 25, 2014 9:04 AM
  • Hi Paul,

    Glad to hear that you have resolved the issue, and thank you for sharing!

    Your post is very beneficial to other people who have similar issues.

    Best Regards,

    Amy

    Friday, September 26, 2014 12:58 AM