Jorge's Quest For Knowledge!


(2013-08-24) Enabling Key Counting With A CSP Not Supporting It Results In Error (0x80090029) During CA Installation/Configuration

Posted by Jorge on 2013-08-24


I was rebuilding my test environment with new W2K12 installations while keeping my AD domains. I had two AD forests, one called ADCORP.LAB and one called ADDMZ.LAN. ADCORP.LAB had ADCS installed on one of the RWDCs (remember, this is a TEST environment!). ADDMZ.LAN did not have ADCS installed at all. To be able to use certificates on both sides and also play with cross-certification I decided to also install ADCS on one of the RWDCs in ADDMZ.LAN.

Below you will find the “CAPOLICY.INF” file to be placed in the “C:\Windows” folder just before the start of the ADCS installation/configuration.

Figure 1: The “CAPOLICY.INF” File Used

After placing the “CAPOLICY.INF” file, I used Server Manager to install the Server Role “Active Directory Certificate Services” with the corresponding “Certificate Authority” and the “Online Responder” role services.

After the installation of the binaries, during the post-install configuration I specified the following.

Figure 2: The Credentials To Be Used During Post-Installation

Figure 3: The Role Service To Be Configured

Figure 4: The CA Setup Type To Configure – Enterprise CA

Figure 5: The CA Type To Configure – Root CA

Figure 6: Using A New Private Key (New Installation)

Figure 7: The CSP, The Key Length And The Hash Algorithm Used

Figure 8: The CA Common Name, The DN Suffix And The Full DN

Figure 9: The Validity Of The CA Certificate

Figure 10: The CA Database And Log Locations

Figure 11: The Summary Of All Configurations

Figure 12: The Result Of The Configuration – Error!

Now we need to figure out WHY it results in this error. The state of ADCS at this point in time is very crappy: it may seem to be installed, but you will not be able to start the ADCS service; it will fail if you try! You could say it is half installed. The only option now is to use Server Manager (or PowerShell if you like that) again and uninstall the “Certificate Authority” role service. If you try the installation/configuration again without fixing the cause, it will fail over and over again!

When ADCS is installed/configured, a log of all the actions is kept. The log is called “CERTOCM.LOG” and is located in the “C:\Windows” folder.

When going through that log you will find all kinds of information, but somewhere near the end you will find the yellow marked information, or something similar.

Figure 13: The ADCS Installation/Configuration Log

Key Counting was enabled, as shown in the log (it was specified in the CAPOLICY.INF file and therefore used by the configuration), but the configuration complained that the chosen CSP “Microsoft Software Key Storage Provider” does not support it. Look at the yellow marked text. Also have a look at Figure 1 regarding “EnableKeyCounting”, where I configured it to be enabled. This was a mistake of mine!

If you look near the end of the following blog post, you will see the following:

<QUOTE>EnableKeyCounting configures the CA to increment a counter every time the CA’s signing key is used. Do not enable this setting unless you have a Hardware Security Module (HSM) and associated cryptographic service provider (CSP) that supports key counting. Neither the Microsoft Strong CSP nor the Microsoft Software Key Storage Provider (KSP) support key counting</QUOTE>

After changing the “CAPOLICY.INF” file and configuring it as shown below (the focus here is the yellow marked text and not the other values!!!) you can (re)start the installation/configuration. Before the installation/configuration you must uninstall the broken “Certificate Authority” role service installation.

Figure 14: The Changed “CAPOLICY.INF” File Used
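As an added example (not code from the original post), the following PowerShell pre-flight check parses CAPOLICY.INF and refuses to start the post-install configuration when EnableKeyCounting=1 is combined with a software CSP/KSP, and only then runs the same kind of Enterprise Root CA configuration with the ADCSDeployment cmdlet. The provider name, CA common name, DN suffix, key length, hash algorithm and directories are placeholders, not the values from the post.

```powershell
# Added example, not code from the original post. Pre-flight check of
# CAPOLICY.INF before the ADCS post-install configuration: it stops when
# EnableKeyCounting=1 is combined with a software CSP/KSP, the mix that
# produced error 0x80090029 (NTE_NOT_SUPPORTED) in the post above.
# Assumptions: CAPOLICY.INF sits in C:\Windows; provider name, CA name,
# DN suffix, key length and hash algorithm below are placeholders.

$capolicy = 'C:\Windows\CAPOLICY.INF'
$provider = 'RSA#Microsoft Software Key Storage Provider'   # provider as in Figure 7

# Providers the quoted text says do not support key counting (Windows names).
$noKeyCounting = @(
    'Microsoft Software Key Storage Provider',
    'Microsoft Strong Cryptographic Provider'
)

# Minimal INI reader: hashtable of section -> (key -> value); ';' comments ignored.
function Read-Ini([string]$Path) {
    $ini = @{}; $section = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

$ini = Read-Ini -Path $capolicy
$serverSection = $ini['certsrv_server']
$keyCounting = if ($serverSection) { $serverSection['EnableKeyCounting'] } else { $null }
$unsupported = $noKeyCounting | Where-Object { $provider -like "*$_*" }

if ($keyCounting -eq '1' -and $unsupported) {
    throw ("CAPOLICY.INF sets EnableKeyCounting=1 but '$provider' does not support " +
           "key counting. Set EnableKeyCounting=0 (or use an HSM provider that supports " +
           "it) and uninstall the broken Certificate Authority role service before retrying.")
}

# Check passed: configure the Enterprise Root CA with the same kind of
# choices the post made in Figures 4 to 10 (values are placeholders).
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CryptoProviderName $provider -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CACommonName 'EXAMPLE-ROOT-CA' -CADistinguishedNameSuffix 'DC=example,DC=lan' `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory 'C:\Windows\System32\CertLog' -LogDirectory 'C:\Windows\System32\CertLog' `
    -Force
```

Run it in an elevated PowerShell session on the CA server after the binaries are installed but before the post-install configuration; if the check throws, fix CAPOLICY.INF first instead of retrying the configuration.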

After the change the installation/configuration succeeded! Yeah!

Figure 15: The Result Of The Configuration – Success!

For more information about designing and implementing a PKI infrastructure see the following blog series: Designing And Implementing A PKI (Series)

Cheers,
Jorge
