(2013-08-24) Enabling Key Counting With A CSP Not Supporting It Results In Error (0x80090029) During CA Installation/Configuration
Posted by Jorge on 2013-08-24
I was rebuilding my test environment with new W2K12 installations while keeping my AD domains. I had two AD forests, one called ADCORP.LAB and one called ADDMZ.LAN. ADCORP.LAB had ADCS installed on one of the RWDCs (remember, this is a TEST environment!). ADDMZ.LAN did not have ADCS installed at all. To be able to use certificates on both sides and also play with cross-certification I decided to also install ADCS on one of the RWDCs in ADDMZ.LAN.
–
Below you will find the “CAPOLICY.INF” file to be placed in the “C:\Windows” folder just before the start of the ADCS installation/configuration.
Figure 1: The “CAPOLICY.INF” File Used
–
After placing the “CAPOLICY.INF” file, I used Server Manager to install the Server Role “Active Directory Certificate Services” with the corresponding “Certificate Authority” and the “Online Responder” role services.
After the installation of the binaries, during the post-install configuration I specified the following.
Figure 2: The Credentials To Be Used During Post-Installation
–
Figure 3: The Role Service To Be Configured
–
Figure 4: The CA Setup Type To Configure – Enterprise CA
–
Figure 5: The CA Type To Configure – Root CA
–
Figure 6: Using A New Private Key (New Installation)
–
Figure 7: The CSP, The Key Length And The Hash Algorithm Used
–
Figure 8: The CA Common Name, The DN Suffix And The Full DN
–
Figure 9: The Validity Of The CA Certificate
–
Figure 10: The CA Database And Log Locations
–
Figure 11: The Summary Of All Configurations
–
Figure 12: The Result Of The Configuration – Error!
–
Now we need to figure out WHY it results in this error. At this point ADCS is in a very crappy state: it may look as if it is installed, but the ADCS service will not start and fails if you try. You could say it is half installed. The only option now is to use Server Manager (or PowerShell, if you prefer) again and uninstall the “Certificate Authority” role service. If you simply retry the installation/configuration without fixing the cause, it will fail over and over again!
–
When ADCS is installed/configured, a log is kept of all the actions. The log is called “CERTOCM.LOG” and is located in the “C:\Windows” folder.
When going through that log you will find all kinds of information, but somewhere near the end you will find the yellow-marked information (or something similar).
Figure 13: The ADCS Installation/Configuration Log
–
Key Counting was enabled, as shown in the log (it was specified in the CAPOLICY.INF file and therefore used by the configuration), and the configuration complained that the chosen CSP, “Microsoft Software Key Storage Provider”, does not support it. Look at the yellow-marked text. Also have a look at figure 1 regarding “EnableKeyCounting”, where I had configured it to be enabled. This was a mistake of mine!
–
If you look near the end of the following blog post, you will see the following:
<QUOTE>EnableKeyCounting configures the CA to increment a counter every time the CA’s signing key is used. Do not enable this setting unless you have a Hardware Security Module (HSM) and associated cryptographic service provider (CSP) that supports key counting. Neither the Microsoft Strong CSP nor the Microsoft Software Key Storage Provider (KSP) support key counting</QUOTE>
–
After changing the “CAPOLICY.INF” file and configuring it as shown below (the focus here is the yellow-marked text, not the other values!!!) you can (re)start the installation/configuration. Before retrying the installation/configuration you must uninstall the broken “Certificate Authority” role service installation.
Figure 14: The Changed “CAPOLICY.INF” File Used
–
After the change the installation/configuration succeeded! Yeah!
Figure 15: The Result Of The Configuration – Success!
–
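The same pre-flight check done in PowerShell, as an added example that is not part of the original post: it parses the CAPolicy.inf that will be picked up by the configuration, warns when EnableKeyCounting is turned on together with one of the Microsoft software providers named in the quote above, and only then runs the CA configuration. The provider name, key length, hash algorithm and CA common name are constructed sample values, not the ones from the figures.

```powershell
# Added example (not from the original post). Assumes CAPolicy.inf sits in
# C:\Windows and that $provider is the value you will pass to
# Install-AdcsCertificationAuthority (format "<algorithm>#<provider name>").

# Providers that do not support key counting, per the quoted blog post.
$ProvidersWithoutKeyCounting = @(
    'Microsoft Strong Cryptographic Provider',
    'Microsoft Software Key Storage Provider'
)

function Test-CAPolicyKeyCounting {
    param(
        [string]$Path = 'C:\Windows\CAPolicy.inf',
        [Parameter(Mandatory)][string]$CryptoProviderName
    )
    $inSection = $false
    $enabled   = $false
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        # Track which INF section we are in; EnableKeyCounting lives in [Certsrv_Server].
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Certsrv_Server'); continue }
        if ($inSection -and $t -match '^EnableKeyCounting\s*=\s*(\d+)') {
            $enabled = ([int]$Matches[1] -ne 0)
        }
    }
    # Strip the "RSA#" / "ECDSA_P256#" prefix to compare the bare provider name.
    $bareProvider = ($CryptoProviderName -split '#')[-1]
    if ($enabled -and ($ProvidersWithoutKeyCounting -contains $bareProvider)) {
        Write-Warning ("EnableKeyCounting=1 in $Path, but '$bareProvider' does not support " +
                       "key counting; the configuration would fail with 0x80090029 " +
                       "(NTE_NOT_SUPPORTED). Set EnableKeyCounting=0 or use an HSM provider.")
        return $false
    }
    return $true
}

# Constructed sample values; adjust to your own design.
$provider = 'RSA#Microsoft Software Key Storage Provider'
if (Test-CAPolicyKeyCounting -CryptoProviderName $provider) {
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
        -CryptoProviderName $provider -KeyLength 4096 -HashAlgorithmName SHA256 `
        -CACommonName 'ADDMZ-ROOT-CA' -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
}
```

Run the check before every retry: if the CAPolicy.inf still carries EnableKeyCounting=1 with a software provider, the uninstall/reinstall cycle described above repeats the same failure.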
For more information about designing and implementing a PKI infrastructure see the following blog series: Designing And Implementing A PKI (Series)
–
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————