Certificate issued for the non-domain member showed as "having invalid digital signature"

  • Question

  • A Windows Certificate Authority (W2016) has issued a certificate for a non-domain server (W2016 as well).

    When I open the certificate file on ANY domain member, I can confirm that the certificate is totally fine.

    If I open THE SAME certificate file on the NON-DOMAIN server, it shows as invalid.

    The NON-domain server has the root and intermediate certificates imported into its local certificate store.

    What could be the reason for this behavior?


    Tuesday, October 22, 2019 1:40 AM

All replies

  • Hello Andrey Smetanin,

    Thank you for posting in our TechNet forum.

    Do we mean we request a computer certificate through MMC on a domain member, then export this certificate and copy the certificate file to the NON-domain server?

    If so, from the third-party article What does the "This certificate has an invalid digital signature." message actually mean?, we can see:

    The reason is to be found in the Public Key Length field. In this certificate the public key is only 512 bytes.

    We can specify the key length when creating the cert by using the -len parameter; for details we can refer to the similar case: This certificate has an invalid digital signature


    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.




    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 22, 2019 7:37 AM
    Moderator
  • Daisy,

    Thanks for the reply.

    We are trying to follow the Microsoft instructions from here:

    https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-server-infrastructure

    The certificate is requested on the non-domain Windows 2016 server with this command:

    "certreq -new VPNGateway.inf VPNGateway.req"

    After that we move the "VPNGateway.req" file to the CA server IN THE DOMAIN and create the certificate with this command:

    certreq -attrib "CertificateTemplate:RSA-cert" -submit VPNgateway.req VPNgateway.cer

    After that we move the "VPNGateway.cer" file to the NON-DOMAIN server and install it.

    The NON-DOMAIN server shows the certificate as bad (see my screenshots).

    The screenshots I provided were taken when I double-click the same "VPNGateway.cer" file. It is reported absolutely legit inside the domain, but shows a wrong signature on the NON-DOMAIN server.

    I read the link you provided and ran this command on the non-domain server:

    certutil -setreg chain\minRSAPubKeyBitLength 512

    It did not help; I am still getting the bad signature reported on the NON-DOMAIN server.





    Tuesday, October 22, 2019 1:20 PM
  • Also, we are using this INF file:

    [Version]
    
    Signature="$Windows NT$"
    
    [NewRequest]
    Subject = "CN=ras.contoso.com"
    Exportable = FALSE
    KeyLength = 2048
    KeySpec = 1
    KeyUsage = 0xA0
    MachineKeySet = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    RequestType = PKCS10
    
    [Extensions]
    2.5.29.17 = "{text}"
    _continue_ = "dns=ras.contoso.com"

    Key length is set to 2048, so it should not be an issue.

    Tuesday, October 22, 2019 1:30 PM
  • This is the certificate dump:

    X509 Certificate:
    Version: 3
    Serial Number: 4300000014acc1ee60090d32f3000100000014
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters:
        05 00
    Issuer:
        CN=contoso-CA
        DC=contoso
        DC=com
      Name Hash(sha1): 44a2570aaf9b68e4cd56c0e7b216c81528fb487b
      Name Hash(md5): d24963c460f1b23a9e38af284ee4df1e
    
     NotBefore: 10/20/2019 9:00 PM
     NotAfter: 10/20/2020 1:19 PM
    
    Subject:
        CN=ras.contoso.com
      Name Hash(sha1): 702d4a4d14baf655509d646b9ca39dc5d4f1a33a
      Name Hash(md5): 65239c3a42360d7a5689df47545d40cd
    
    Public Key Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
        Algorithm Parameters:
        05 00
    Public Key Length: 2048 bits
    Public Key: UnusedBits = 0
        0000  30 82 01 0a 02 82 01 01  00 cc 31 8a e1 c7 4a 63
        0010  a5 6a 8d 64 90 80 95 f2  70 cd bb 09 9d 55 9b 9c
        0020  82 c8 c9 53 a3 cd 2c e3  98 81 69 ae fe 47 2e b0
        0030  02 c6 46 3b d4 f4 5e 8f  05 bb b6 d7 47 30 d0 5a
        0040  9f f6 c6 d0 dc 61 f3 c4  87 fc f5 0b 8d e6 d1 8b
        0050  26 04 5c 5b c6 4f b3 25  cf be 40 a5 b6 8e 9e fb
        0060  d3 73 ad 96 df f6 86 b6  54 34 65 4a f1 41 89 6a
        0070  dd 81 e8 85 16 7d 31 5e  f4 48 e5 e0 9b c5 3d aa
        0080  cf 48 ec a8 25 f4 63 b3  4d 0d fb 8e 7e 44 37 e8
        0090  fe c8 61 ff 2b 08 4a 44  77 93 4e b0 36 e7 b5 cc
        00a0  05 03 b7 49 c3 09 05 55  aa 32 fb 37 a2 52 f0 3b
        00b0  ec 1b 9d ca 93 eb fa e6  36 31 64 15 e2 86 cb 4b
        00c0  0d 89 d9 2a dc 21 30 2e  28 00 08 78 b2 b5 4f ea
        00d0  0e d6 5c 97 19 13 55 0a  e8 b7 11 cb 3a 9a 20 02
        00e0  74 09 d7 d8 a3 a8 17 9d  6f c4 c5 4f 37 ab 2a d0
        00f0  56 f0 ff 1a 16 2d 77 4e  51 78 32 68 ac 15 6c 6d
        0100  a6 5d c4 50 82 b7 28 57  ed 02 03 01 00 01
    Certificate Extensions: 10
        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Digital Signature, Key Encipherment (a0)
    
        1.2.840.113549.1.9.15: Flags = 0, Length = 6b
        SMIME Capabilities
            [1]SMIME Capability
                 Object ID=1.2.840.113549.3.2
                 Parameters=02 02 00 80
            [2]SMIME Capability
                 Object ID=1.2.840.113549.3.4
                 Parameters=02 02 00 80
            [3]SMIME Capability
                 Object ID=2.16.840.1.101.3.4.1.42
            [4]SMIME Capability
                 Object ID=2.16.840.1.101.3.4.1.45
            [5]SMIME Capability
                 Object ID=2.16.840.1.101.3.4.1.2
            [6]SMIME Capability
                 Object ID=2.16.840.1.101.3.4.1.5
            [7]SMIME Capability
                 Object ID=1.3.14.3.2.7
            [8]SMIME Capability
                 Object ID=1.2.840.113549.3.7
    
        2.5.29.14: Flags = 0, Length = 16
        Subject Key Identifier
            f4 7e da f5 62 bc 5a f3 16 e9 9b 48 6b 4a 99 7b 63 51 2e 95
    
        2.5.29.17: Flags = 0, Length = 13
        Subject Alternative Name
            DNS Name=ras.contoso.com
    
        2.5.29.35: Flags = 0, Length = 18
        Authority Key Identifier
            KeyID=9a e2 94 a2 be 4b bf 64 37 9c 4a c4 72 6c a1 5d 35 1f 10 62
    
        2.5.29.31: Flags = 0, Length = be
        CRL Distribution Points
            [1]CRL Distribution Point
                 Distribution Point Name:
                      Full Name:
                           URL=ldap:///CN=contoso-CA(1),CN=CA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint (ldap:///CN=contoso-CA(1),CN=CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint)
    
        1.3.6.1.5.5.7.1.1: Flags = 0, Length = d7
        Authority Information Access
            [1]Authority Info Access
                 Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
                 Alternative Name:
                      URL=ldap:///CN=contoso-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate?base?objectClass=certificationAuthority (ldap:///CN=contoso-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?cACertificate?base?objectClass=certificationAuthority)
            [2]Authority Info Access
                 Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
                 Alternative Name:
                      URL=http://ca.contoso.com/ocsp
    
        1.3.6.1.4.1.311.21.7: Flags = 0, Length = 2f
        Certificate Template Information
            Template=1.3.6.1.4.1.311.21.8.16008430.4449338.2376090.5816829.11915234.36.16516260.1969888
            Major Version Number=100
            Minor Version Number=9
    
        2.5.29.37: Flags = 0, Length = 20
        Enhanced Key Usage
            Server Authentication (1.3.6.1.5.5.7.3.1)
            IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
            Client Authentication (1.3.6.1.5.5.7.3.2)
    
        1.3.6.1.4.1.311.21.10: Flags = 0, Length = 26
        Application Policies
            [1]Application Certificate Policy:
                 Policy Identifier=Server Authentication
            [2]Application Certificate Policy:
                 Policy Identifier=IP security IKE intermediate
            [3]Application Certificate Policy:
                 Policy Identifier=Client Authentication
    
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters:
        05 00
    Signature: UnusedBits=0
        0000  56 0d 9f c9 10 40 cc b7  4e da 8c 24 95 0d 38 56
        0010  eb 8e cd 60 fd 42 3d 95  43 f9 50 57 a5 bf e7 05
        0020  66 26 60 4d 3f aa 1d 43  87 11 e1 4f fa 96 21 06
        0030  b9 be 05 fa 4b dd f5 d6  38 d3 43 03 30 ac 5f 57
        0040  bb 44 36 7b ed 82 69 06  49 10 2b f1 9b 80 f5 25
        0050  08 15 55 50 08 47 c9 3b  9a 6f 7d 77 e0 13 74 8c
        0060  8b 51 39 76 ad 21 c3 e4  96 81 ea b1 c1 41 1f e2
        0070  14 e2 03 82 cb 73 60 d1  bf f5 5f dc 32 45 e9 78
        0080  9a 6d f5 3a db 95 26 6e  ef 2b 6a c3 44 f3 45 16
        0090  85 0d 83 e2 83 16 d7 fb  16 74 72 40 03 ff 1b 83
        00a0  c9 af a6 5e 64 d6 ac 9c  bb 2f 3f af c0 4e e8 6b
        00b0  44 d1 5e f1 b5 2a 80 d3  0f 88 2d 8f a4 01 bd 80
        00c0  a4 1a ae 6a 44 b0 c3 8b  62 15 93 56 d7 e8 3f 1d
        00d0  ea 33 ee c3 10 19 a3 b5  e0 84 02 8e ba 13 2b bf
        00e0  63 c6 3a 4b fb 92 4e e6  90 df a5 f5 7e 79 f5 21
        00f0  f8 38 87 37 cf f1 f4 2a  90 18 8f 49 15 65 fd 0f
    Non-root Certificate
    Key Id Hash(rfc-sha1): f4 7e da f5 62 bc 5a f3 16 e9 9b 48 6b 4a 99 7b 63 51 2e 95
    Key Id Hash(sha1): 43 bc de 9b 90 11 08 a5 11 da 07 4e 20 d6 f2 25 2f d2 ec 2a
    Key Id Hash(md5): 68601dc4fd1b6518985977179264a666
    Key Id Hash(sha256): 2fe4f13ae1a7942ae75e92d067af61dec394ae6e0b7decdba9725377abf37c4c
    Cert Hash(md5): 56 41 34 67 de a7 c6 4c 14 cf 24 12 13 1c 7c c3
    Cert Hash(sha1): 55 0b 69 9b 94 cb d0 d6 91 27 84 f1 ec 0b d8 54 36 a9 bb de
    Cert Hash(sha256): 0f4250a966627975a0f87f034480a8eada030fb7f0c522dddb73a0515150e75b
    Signature Hash: df9b712645d29830618659f48f9f4ae6eeaafd77
    CertUtil: -dump command completed successfully.
    

    Tuesday, October 22, 2019 1:33 PM
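Editor's added example (not part of the original thread, and not the poster's or Microsoft's code). Two details in the dump above are worth checking on the stand-alone server before spending more time on key length. First, the CRL distribution point is named CN=contoso-CA(1): a Windows CA appends that index when its own certificate has been renewed with a new key pair, so at least two CA certificates called contoso-CA exist with different keys. Domain members download every version of the CA certificate from Active Directory; a stand-alone server has only what was imported by hand. If the imported CA certificate is the same-named one carrying the older key, the chain engine pairs the leaf with it and the signature check fails, which is exactly the "invalid digital signature" symptom, and it is consistent with the later observation in this thread that joining the machine to the domain makes the certificate verify. The check is mechanical: the leaf's Authority Key Identifier (KeyID 9a e2 94 ...) must equal the Subject Key Identifier of a CA certificate actually present in the local store. Second, both the CRL distribution point and the CA-issuer AIA are ldap:/// URLs inside the forest's Configuration partition, which a non-member cannot read; only the OCSP http URL is usable from there, so revocation checking for this leaf depends on that one responder when the certificate is used off-domain. The PowerShell script below, run on the non-domain server, prints the thumbprint to compare with the domain member, lists every stored CA certificate with the issuer's name and reports which one owns the signing key, builds the chain and prints the named CryptoAPI status flags instead of the MMC's summary text, and flags AD-only URLs. The file path is an assumption.

```powershell
# Added diagnostic (not from the original thread). Run on the NON-domain server
# in an elevated PowerShell 5.1 session. Only the path is an assumption.
param([string]$CerPath = 'C:\Temp\VPNGateway.cer')

$X509 = 'System.Security.Cryptography.X509Certificates'
$leaf = New-Object "$X509.X509Certificate2" $CerPath
"Subject    : $($leaf.Subject)"
"Issuer     : $($leaf.Issuer)"
"Thumbprint : $($leaf.Thumbprint)   <- must match the value shown on the domain member"

# 1. Which CA *key* signed the leaf? Read the Authority Key Identifier (2.5.29.35).
#    A store can hold a CA certificate with the right name but a different key
#    (a renewed CA); only the CA cert whose SKI equals this KeyID can verify the signature.
$akiExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
$akiKeyId = $null
if ($akiExt -and $akiExt.Format($false) -match 'KeyID=([0-9a-fA-F ]+)') {
    $akiKeyId = ($Matches[1] -replace '\s', '').ToLower()
}
"AKI KeyID  : $akiKeyId"

# 2. Enumerate every CA cert in the machine Root and CA (intermediate) stores whose
#    subject is the leaf's issuer and check which of them, if any, owns that key.
$issuers = foreach ($storeName in 'Root', 'CA') {
    $store = New-Object "$X509.X509Store" $storeName, 'LocalMachine'
    $store.Open('ReadOnly')
    foreach ($c in $store.Certificates) {
        if ($c.Subject -ne $leaf.Issuer) { continue }
        $skiExt = $c.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] }
        $ski = if ($skiExt) { $skiExt.SubjectKeyIdentifier.ToLower() } else { '' }
        [pscustomobject]@{
            Store          = $storeName
            NotBefore      = $c.NotBefore
            Thumbprint     = $c.Thumbprint
            SKI            = $ski
            SignedThisLeaf = ($ski -ne '' -and $ski -eq $akiKeyId)
        }
    }
    $store.Close()
}
"`nCA certificates named '$($leaf.Issuer)' in the machine stores:"
$issuers | Format-Table -AutoSize | Out-String
if (-not ($issuers | Where-Object SignedThisLeaf)) {
    "!! No stored CA certificate carries SKI $akiKeyId."
    "!! Import the CA certificate that matches this key (for a renewed CA, the newer one)."
}

# 3. Build the chain the way the MMC does and print every status flag, so the
#    answer is a named flag (NotSignatureValid, PartialChain, RevocationStatusUnknown, ...)
#    rather than the UI's one-line summary.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$ok = $chain.Build($leaf)
"`nChain builds cleanly: $ok"
foreach ($s in $chain.ChainStatus) { "  {0,-28} {1}" -f $s.Status, $s.StatusInformation.Trim() }
foreach ($e in $chain.ChainElements) { "  element: $($e.Certificate.Subject)  [$($e.Certificate.Thumbprint)]" }

# 4. Revocation / AIA URLs the leaf advertises. ldap:/// pointers live in the AD
#    Configuration partition; a host that is not a forest member cannot read them,
#    so only the http URLs (here the OCSP responder) are usable off-domain.
"`nCDP / AIA URLs:"
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $leaf.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if (-not $ext) { continue }
    foreach ($m in [regex]::Matches($ext.Format($true), 'URL=([^\r\n]+)')) {
        $url = $m.Groups[1].Value
        $tag = if ($url -like 'ldap:*') { '  <- AD-only, not reachable from a non-domain host' } else { '' }
        "  $url$tag"
    }
}
```

If the report shows no stored CA certificate with the matching SKI, export the current CA certificate from any domain member (Export-Certificate against Cert:\LocalMachine\CA or Cert:\LocalMachine\Root, picking the entry whose SKI equals the KeyID) or from the CA itself with "certutil -config <CAHost>\contoso-CA -ca.cert <file> <index>" (the CA host name is not in the thread), then import it on the stand-alone server into the same store. "certutil -verify -urlfetch VPNGateway.cer" gives the same chain status from the command line and additionally reports which CDP/AIA URLs it could retrieve.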
  • Hi,
    In my test environment, I did a test with the method you provided; the same certificate is OK on a domain machine and a non-domain machine without any issue.

    1. I opened the certificate with Notepad; it is displayed as below.

    2. We can see the Thumbprint on the Details tab and the Certificate Path.

    3. After I change
    7rUkcR28e2c
    pRGEPQehJgq7G1mTRjTf8IINXCfOXrUtEzmCRFOnTU+66f0dYnKHbR/M1RXDtE6e
    q70=

    to
    7rUkcR28e2c
    pRGEPQehJgq7G1mTRjTf8IINXCfOXrUtEzmCRFOnTU+66f0dYnKHbR/M1RXDtE6e
    p70=

    4. I see the same display error as you, and the Thumbprint changed.

    We can check and compare the above information and the other information on the Details tab when the certificate is on the domain machine and on the non-domain machine.

    If it does not work, please confirm the following information:

    1. Do all the certificates requested through the method you provided have the same problem?

    2. If we request a certificate in MMC, will the certificate have the same problem?

    3. If we copy the same certificate to another non-domain machine, will the certificate have the same problem?

    4. If we copy the CA root certificate or another user certificate to the non-domain machine, will the certificate have the same problem?





    Best Regards,
    Daisy Zhou


    Wednesday, October 23, 2019 11:08 AM
    Moderator
  • Hi Daisy,

    As I understand, you are trying to find out if the certificate is being changed in transit. No, it's not.

    Thumbprints are identical. Even more, I can put the certificate file on a share on the domain controller and open the same file without even moving it around (from the domain controller itself and from the non-domain server accessing the share). The certificate is treated differently for some reason.

    I did the test on a second NON-DOMAIN machine and it showed the certificate as invalid.

    Here are the answers to your questions:

    1. Do all the certificates requested through the method you provided have the same problem?

    YES
    2. If we request a certificate in MMC, will the certificate have the same problem?

    YES
    3. If we copy the same certificate to another non-domain machine, will the certificate have the same problem?

    YES
    4. If we copy the CA root certificate or another user certificate to the non-domain machine, will the certificate have the same problem?

    If I import the root CA and intermediate CA into the Root and Intermediate stores, I have no problem and the certificates show OK. Only the end of the chain, the computer certificate, has this problem.


    Wednesday, October 23, 2019 6:52 PM
  • Hi,
    If we add this non-domain machine to the domain, will the certificate be OK?

    If so, when we remove this machine from the domain, will the certificate return to the status we described?




    Best Regards,
    Daisy Zhou


    Friday, October 25, 2019 10:45 AM
    Moderator
  • I joined the non-domain machine to the domain and the certificate became OK.

    I removed this machine from the domain and after a reboot the certificate shows the same "bad signature".

    Sunday, October 27, 2019 2:40 AM
  • Hi,
    On non-domain machine:

    We can check whether the root CA certificate is in the Trusted Root Certification Authorities->Certificates container,

    whether the sub CA certificate is in the Intermediate Certification Authorities->Certificates container,

    and whether the certificate itself is in the Personal->Certificates container.






    Best Regards,
    Daisy Zhou


    Monday, October 28, 2019 10:38 AM
    Moderator
  • All of the above is correct.

    The root CA certificate is in the Trusted Root Certification Authorities->Certificates container.

    The sub CA certificate is in the Intermediate Certification Authorities->Certificates container.

    The certificate itself is in the Personal->Certificates container.

    Monday, October 28, 2019 2:51 PM
  • Hi,
    I am sorry for the late reply.

    I think this problem may not be solved by the general method. There is no such problem in my test environment. Maybe it is related to your environment, because the problem occurs in all the certificates. Can we use this certificate? If not, and the problem is important and urgent, I suggest you submit a service request to the MS Professional tech support service so that a dedicated support professional can further assist you with this request.

    The following web sites with more detail on Professional Support options and incident submission methods are for your reference:

    https://support.microsoft.com/en-in/gp/contactus81?forceorigin=esmc&Audience=Commercial

    https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers



    Thank you for your understanding and support.



    Best Regards,
    Daisy Zhou



    Friday, November 1, 2019 11:08 AM
    Moderator
  • Thank you for your time, Daisy.

    It is a very strange problem.

    Friday, November 1, 2019 8:56 PM
  • Hi,
    You are welcome.

    As always, if there is any other question in future, we warmly welcome you to post in this forum again. We are happy to assist you!  


    Best Regards,
    Daisy Zhou


    Monday, November 4, 2019 8:17 AM
    Moderator