Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2013-08-24) Enabling Key Counting With A CSP Not Supporting It Results In Error (0x80090029) During CA Installation/Configuration

Posted by Jorge on 2013-08-24

I was rebuilding my test environment with new W2K12 installations while keeping my AD domains. I had two AD forests, one called ADCORP.LAB and one called ADDMZ.LAN. ADCORP.LAB had ADCS installed on one of the RWDCs (remember, this is a TEST environment!). ADDMZ.LAN did not have ADCS installed at all. To be able to use certificates on both sides and also play with cross-certification I decided to also install ADCS on one of the RWDCs in ADDMZ.LAN.

Below you will find the “CAPOLICY.INF” file to be placed in the “C:\Windows” folder just before the start of the ADCS installation/configuration.


Figure 1: The “CAPOLICY.INF” File Used

After placing the “CAPOLICY.INF” file, I used Server Manager to install the Server Role “Active Directory Certificate Services” with the corresponding “Certificate Authority” and the “Online Responder” role services.

After the installation of the binaries, during the post-install configuration I specified the following.


Figure 2: The Credentials To Be Used During Post-Installation


Figure 3: The Role Service To Be Configured


Figure 4: The CA Setup Type To Configure – Enterprise CA


Figure 5: The CA Type To Configure – Root CA


Figure 6: Using A New Private Key (New Installation)


Figure 7: The CSP, The Key Length And The Has Algorithm Used


Figure 8: The CA Common Name, The DN Suffix And The Full DN


Figure 9: The Validity Of The CA Certificate


Figure 10: The CA Database And Log Locations


Figure 11: The Summary Of All Configurations


Figure 12: The Result Of The Configuration – Error!

Now we need to figure out WHY it results in this error. The state of ADCS at this point in time is very crappy. It may seem it is installed, but you will not be able to start the ADCS service, it will fail if you try! You could say it is half installed. The only option now is to use Server Manager (or PowerShell if you like that) again and uninstall the “Certificate Authority” role service. If you try the installation/configuration again, it will fail over and over again!

When ADCS is installed/configured a log is kept with all the action. The log is called “CERTOCM.LOG” and is located in the “C:\Windows” folder

When going through that log you will find all kinds of information, but somewhere at the end you will the yellow marked information or similar.


Figure 13: The ADCS Installation/Configuration Log

While Key Counting was enabled as shown in the log (and specified in the CAPOLICY.INF file and therefore used by the configuration), it complained the chosen CSP “Microsoft Software Key Storage Provider” did not support that. Look at the yellow marked text. Also have a look at figure 1 regarding “EnableKeyCounting” where I have configured it to be enabled. This was a mistake of mine!

If you look at the following blog post near the end somewhere, you will see the following:

<QUOTE>EnableKeyCounting configures the CA to increment a counter every time the CA’s signing key is used. Do not enable this setting unless you have a Hardware Security Module (HSM) and associated cryptographic service provider (CSP) that supports key counting. Neither the Microsoft Strong CSP nor the Microsoft Software Key Storage Provider (KSP) support key counting</QUOTE>

After changing the “CAPOLICY.INF” and configure it as shown below (the focus here is the yellow marked text and not the other values!!!) you can (re)start the installation/configuration. Before the installation/configuration you must uninstall the broken “Certificate Authority” role service installation.


Figure 14: The Changed “CAPOLICY.INF” File Used

After the change the installation/configuration succeeded! Yeah! Smile


Figure 15: The Result Of The Configuration – Success!

For more information about designing and implementing a PKI infrastructure see the following blog series: Designing And Implementing A PKI (Series)

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############
######### ########

One Response to “(2013-08-24) Enabling Key Counting With A CSP Not Supporting It Results In Error (0x80090029) During CA Installation/Configuration”

  1. […] mentioned in the previous post, (2013-08-24) Enabling Key Counting With A CSP Not Supporting It Results In Error (0×80090029) Durin…, I was rebuilding my test environment. In addition to installing and configuring a certificate […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: