Troubleshooting - Key Archival and Management in Windows Server 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Troubleshooting KRA Configuration

This section identifies a number of common mistakes in configuring the KRAs on a CA. The most common error in archiving user private keys on a CA is that the CA is either not configured for key archival or does not have any valid KRA certificate(s) added.

  1. The number of recovery agents required by the CA must be less than or equal to the number of available KRA certificates. If an invalid number of recovery agents is entered, the following error message will appear.

    Figure 42: Invalid Number of Recovery Agents Error Message

  2. If an error occurs while validating the KRA certificate when Certificate Services is started, the Recovery Agents tab of the Certification Authority shows that the selected KRA certificate is invalid. This can be caused by a corrupted certificate, a corrupted registry entry, a deleted certificate, a revoked certificate, and so on. Figure 43 shows the Status column of the Recovery Agents tab reporting a corrupted certificate or registry entry for the selected KRA.

    Figure 43: Invalid KRA Certificate on the Recovery Agents Tab

  3. Similarly, a revoked KRA certificate will also show an error on the Recovery Agents tab after Certificate Services is stopped and started. The error is displayed in the Status column of the KRA certificate listing.

    Figure 44: Revoked KRA Certificate on the Recovery Agents Tab

Loading KRA Certificates

When Certificate Services starts on a Certification Authority, the CA attempts to load the KRA(s) defined by the CA Administrator. If the CA is unable to load one or more KRAs, event log messages are generated, but Certificate Services still starts. If the CA cannot load the KRAs as defined by the CA Administrator, it denies all requests for key archival and does not issue any certificate whose template requires key archival. The following event log messages may appear in the Certification Authority's Application log when an error occurs while loading KRA certificates; they indicate that a CA Administrator must configure or reconfigure the KRAs.

Event Type:    Error

Event Source:    CertSvc

Event Category:    None

Event ID:    83

Date:        12/20/2000

Time:        8:24:24 AM

User:        N/A

Computer:    SERVER1

Description:

Certificate Services encountered an error loading key recovery certificates. Requests to archive private keys will not be accepted. The system cannot find the file specified.
0x80070002 (WIN32: 2)

This is a global error that can be caused by one of several conditions.

  • The Certification Authority cannot open the KRA store on the local machine.

  • The Certification Authority cannot find a corresponding certificate in the KRA store on the local machine that matches the hash of a certificate set in the registry as a KRA.

  • The registry has been edited incorrectly or is corrupted.

  • The count of KRA certificate hashes in the registry equals zero.

  • A certificate hash in the registry corresponds to a certificate in the KRA store that is not a KRA certificate type.

  • The KRA certificates are revoked, expired, or invalid.

Event Type:    Error

Event Source:    CertSvc

Event Category:    None

Event ID:    82

Date:        12/27/2000

Time:        9:05:25 AM

User:        N/A

Computer:    SERVER1

Description:

Certificate Services could not load any valid key recovery certificates. Requests to archive private keys will not be accepted.

This error is usually caused when none of the certificates specified in the user interface (UI) (which corresponds to the registry) is a valid KRA certificate. This event log message is usually accompanied by the previous global event log message.

Event Type:    Error

Event Source:    CertSvc

Event Category:    None

Event ID:    84

Date:        1/24/2003

Time:        08:49:27

User:        N/A

Computer:    SERVER1

Description:

Certificate Services will not use key recovery certificate 6 because it could not be verified for use as a Key Recovery Agent.  CN=User1, OU=Users, DC=nwtraders, DC=com  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)

This error usually occurs when the CA receives an error when retrieving the CRL to check the status of the KRA certificate.

Event Type:    Error

Event Source:    CertSvc

Event Category:    None

Event ID:    98

Date:        1/24/2003

Time:        08:49:28

User:        N/A

Computer:    SERVER1

Description:

Certificate Services encountered errors validating configured key recovery certificates. Requests to archive private keys will no longer be accepted.

Event Type:    Error

Event Source:    CertSvc

Event Category:    None

Event ID:    85

Date:        12/27/2000

Time:        9:05:25 AM

User:        N/A

Computer:    SERVER1

Description:

Certificate Services ignored key recovery certificate 0 because it could not be loaded. Cannot find object or property. 0x80092004 (-2146885628)

This error usually occurs when a specific KRA certificate cannot be found in the KRA store on the local machine of the Certification Authority. Specifically, a KRA certificate has been specified in the UI or registry, but the certificate has been deleted or corrupted in the KRA store. This event log message is usually accompanied by the global event log message described above.

KRA Certificate Status

When Certificate Services starts on a Certification Authority, the CA attempts to load the configured KRA(s) and must validate the status of each KRA certificate. If the CA is unable to retrieve a current CRL for a KRA certificate, it cannot load or use that KRA.

The following event log message will be logged in the application event log of the CA.

Event Type: Error

Event Source: CertSvc

Event Category: None

Event ID: 84

Date:  1/12/2001

Time:  11:47:23 AM

User:  N/A

Computer: SERVER1

Description:

Certificate Services ignored key recovery certificate 1 because it could not be verified for use as a Key Recovery Agent. CN=User1, OU=Users, DC=nwtraders, DC=com The revocation function was unable to check revocation because the revocation server was offline.

0x80092013 (-2146885613)

Importing Exchange KMS Export File

The Windows Server 2003 CA may fail to import the KMS data file if the key size of the export certificate is greater than 1024 bits. When a key larger than 1024 bits is used, the import may fail with the following message.

Processing KMS exports from:

    CN=Certification Authority, OU=Test, O=Contoso, C=US

 

KMS export file signature verifies

CertUtil: -ImportKMS command FAILED: 0x80070057 (WIN32: 87)

CertUtil: The parameter is incorrect.

User Enrollment Errors

A user certificate request for a template that requires key archival will be denied if one of the following conditions exists.

  • No KRA has been defined on the CA.

  • No KRA can be successfully loaded. (KRA certificates are revoked, expired, and so on.)

  • The minimum number of KRA certificates defined by the CA Administrator cannot be loaded.
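The following PowerShell script is an added diagnostic, not part of this page or of Certificate Services. It walks the conditions behind the global Event ID 83 listed under Loading KRA Certificates and the enrollment-denial conditions just listed, comparing the KRA hashes in the CA registry with the local machine KRA store. It assumes the registry value names KRACertHash and KRACertCount (as shown by certutil -getreg) and the store path Cert:\LocalMachine\KRA, and must be run on the CA with administrative rights.

```powershell
# Added diagnostic (not from the Microsoft page). Registry value names are
# assumed from certutil -getreg ca\KRACertHash and ca\KRACertCount; the
# store path Cert:\LocalMachine\KRA is assumed. Run on the CA as administrator.
$KraEku = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent EKU OID
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)
$wanted = [int]$ca.KRACertCount
# Normalise hashes: strip spaces and upper-case so they compare with Thumbprint
$hashes = @($ca.KRACertHash | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })
if ($hashes.Count -eq 0) { Write-Warning 'No KRA certificate hashes in the registry (Event 83).' }

$store = @(Get-ChildItem -Path Cert:\LocalMachine\KRA -ErrorAction Stop)
$valid = 0
foreach ($hash in $hashes) {
    $cert = $store | Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert) { Write-Warning "$hash : not in the KRA store (Event 85)"; continue }
    # Certificate must carry the Key Recovery Agent EKU
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $KraEku })) {
        Write-Warning "$hash : lacks the Key Recovery Agent EKU"; continue
    }
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        Write-Warning "$hash : outside its validity period"; continue
    }
    # Online chain build with revocation; a CRL fetch failure here matches Event 84
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Write-Warning "$hash : chain/revocation check failed ($why) (Event 84)"; continue
    }
    Write-Output "$hash : OK  $($cert.Subject)"
    $valid++
}
Write-Output "Valid KRA certificates: $valid  Required by CA (KRACertCount): $wanted"
if ($valid -lt $wanted) {
    Write-Warning 'Fewer valid KRAs than required; archival requests will be denied (Event 82/21).'
}
```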

If the user enrolls through a Web page, the following text will display on the Web page.

Your request failed. An error occurred while the server was processing your request.

Contact your administrator for further assistance.

Request Mode: newreq - New Request

Disposition: (never set)

Disposition message: (none)

Result: Cannot archive private key. The certification authority is not configured for key archival. 0x8009400a (-2146877430)

COM Error Info: CCertRequest::Submit Cannot archive private key. The certification authority is not configured for key archival. 0x8009400a (-2146877430)

LastStatus: Cannot archive private key. The certification authority is not configured for key archival. 0x8009400a (-2146877430)

Suggested Cause: No suggestions.

If enrolling through the MMC, the following error will be displayed.

Figure 45: Incorrect Certificate Request Error Message

The CA will also log the following error to the application event log of the CA.

Event Type:    Error

Event Source:    CertSvc

Event Category:    None

Event ID:    21

Date:        1/12/2001

Time:        4:23:39 PM

User:        N/A

Computer:    SERVER1

Description:

Certificate Services could not process request 16094 due to an error: Cannot archive private key. No valid key recovery agent is defined for this certification authority. 0x8009400b (-2146877429). The request was for NWTRADERS\User1.

If the CA is unable to retrieve a current CRL for the CA itself or any of its parent CA(s), it will be unable to issue a certificate when a user submits a request. If the CA does not have a valid CRL for itself, the following error message will be displayed in the application event log of the CA.

Event Type:    Warning

Event Source:    CertSvc

Event Category:    None

Event ID:    53

Date:        1/6/2001

Time:        11:24:05 AM

User:        N/A

Computer:    SERVER1

Description:

Certificate Services denied request 1471 because the revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613). The request was for CN=user1, OU="Test", O="NWTraders", L=Redmond, S=WA, C=US, E=user1@nwtraders.com. Additional information: Denied by Policy Module

Certificate Template Not Supported by the CA

If a user tries to enroll with a CA for a template that is not supported by that CA, the following event log message will be entered in the CA application event log.

Event Type:    Warning

Event Source:    CertSvc

Event Category:    None

Event ID:    53

Date:        1/16/2001

Time:        2:07:02 PM

User:        N/A

Computer:    SERVER1

Description:

Certificate Services denied request 8 because the requested certificate template is not supported by this CA. 0x80094800 (-2146875392). The request was for NWTRADERS\Administrator. Additional information: Denied by Policy Module The request was for certificate template (1.3.6.1.4.1.311.21.8.4144336743.1329436349.2065260953.3989445610.1.27) that is not supported by the Certificate Services policy.

Client CSP Does Not Permit Key Export

For the client enrollment process to generate and send a private key to the CA, the key must be marked as exportable when it is generated. If the certificate template does not allow the private key to be exported, or if a third-party CSP (where one is used) does not support exportable keys, enrollment fails and the enrollment wizard returns an error stating that the key is not exportable. Third-party CSPs may report varying errors, such as "catastrophic failure", when this occurs. If a Windows 2000 or Windows Millennium Edition client enrolls with key archival and the key is not marked for export, the following error may appear.

0x80090009 - NTE_BAD_FLAGS

Note

If the CSP supports the one-time key archival flag, CRYPT_ARCHIVABLE, the key export flag is not required. The Microsoft default software CSPs support this flag. However, Windows 2000 and Windows Millennium Edition clients do not support it and must allow the key to be exported for enrollment with key archival to work.

Certification Authority CSP Not Supported for Key Archival Functions

If a software or hardware CSP is not capable of performing the symmetric and public-key operations needed to encrypt users' private keys in the CA database, the CA logs the following events in the application event log:

Event Type:    Warning

Event Source:    CertSvc

Event Category:    None

Event ID:    86

Date:        12/27/2001

Time:        8:13:54 AM

User:        N/A

Computer:    NORTHWIND5

Description:

Certificate Services could not use the provider specified in the registry for encryption keys. The keyset is not defined. 0x80090019 (-2146893799)

For more information, see the Help and Support Center at https://go.microsoft.com/fwlink/events.asp

Event Type:    Warning

Event Source:    CertSvc

Event Category:    None

Event ID:    88

Date:        12/27/2001

Time:        8:13:54 AM

User:        N/A

Computer:    NORTHWIND5

Description:

Certificate Services switched to the default provider for encryption keys.

For more information, see the Help and Support Center at https://go.microsoft.com/fwlink/events.asp

To verify which CSP the CA is using for encryption operations associated with key archival, run the following command from the CA.

certutil -getreg ca\EncryptionCSP\Provider

Certificate and Key Import Issues

If the CA has not been configured for key archival, or has not been configured for foreign key import, the following output is produced when importing a KMS export file or performing a foreign key import. Note that the summary at the end shows that no keys were archived.

Processing KMS exports from: 
    O=microsoft, C=US 
KMS export file signature verifies 
Lock box opened, symmetric key successfully decrypted 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
CertUtil: Invalid Signature. 
 
 
Users: 6 
 
Ignored signature certificates: 25 
Certificates with keys: 17 
Certificates not imported: 17 
 
Keys: 17 
Keys not archived: 17 
CertUtil: -ImportKMS command completed successfully.

Troubleshooting Key Recovery Issues

Unable to Recover User

If a CA performing key archival is also enabled for role separation with specific Certificate Manager restrictions, a Certificate Manager may not be able to recover a user certificate until the machine account of the CA has been added to the Pre-Windows 2000 Compatible Access group of the domain to which the recovered user belongs. This is required so that the CA can enumerate the group memberships of Certificate Managers and recovered users and enforce the configured restrictions.

Missing KRA Certificate in the CA Registry

If one of the recipient KRA certificates is deleted from the HKEY_LOCAL_MACHINE KRA certificate store on the Certification Authority, key recovery tools such as certutil -getkey fail because the server cannot find the KRA certificate to include in the recovery BLOB. The following error message is displayed when this occurs.

certutil -getkey "1b 4a b7 1e 00 00 00 00 00 1d" 
Querying server1.nwtraders.com\CA1............ 
 
"server1.nwtraders.com\CA1" 
   1b4ab71e00000000001d  CN="Users 
 
Administrator" 
CertUtil: -GetKey command FAILED: 0x80092004 (-2146885628) 
CertUtil: Cannot find object or property

Note that the KRA certificate must be available in the registry on the CA, not on the machine where the recovery tool(s) are used.