Enable debug level for the AD CS Certification Authority

The error messages an AD CS Certification Authority displays are often not very useful. Errors, for instance, when trying to start the Certificate Services are sometimes generic and make troubleshooting difficult.

One option to get additional information regarding the problem is to set the CA to debug level. This can be achieved running the following command:

certutil -setreg ca\debug 0xffffffe3

When restarted, a debug log file is written to %windir%\certsrv.log , with its content being something like:

========================================================================
Opened Log: 21.11.2023 00:23 38.237s
GMT + 1,00
certca.dll: 6.3:9600.17415 retail
certsrv.exe: 6.3:9600.21062 retail
503.1945.0:<2023/11/21, 0:23:38>: 0x0 (WIN32: 0)
508.1341.0:<2023/11/21, 0:23:38>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND): DBMaxReadSessionCount
513.17174.0:<2023/11/21, 0:23:38>: 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND): CAExchange
508.1734.0:<2023/11/21, 0:23:38>: 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)
437.625.0:<2023/11/21, 0:23:38>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): EnabledEKUForDefinedCACert
429.2691.0:<2023/11/21, 0:23:38>: 0x32 (WIN32: 50 ERROR_NOT_SUPPORTED): 00000005: SecErr: DSID-03152DB2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
805.1279.0:<2023/11/21, 0:23:38>: 0x32 (WIN32: 50 ERROR_NOT_SUPPORTED)
409.688.0:<2023/11/21, 0:23:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
409.339.0:<2023/11/21, 0:23:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
508.2025.0:<2023/11/21, 0:23:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
437.625.0:<2023/11/21, 0:23:38>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): OfficerRights
437.625.0:<2023/11/21, 0:23:38>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): EnrollmentAgentRights
437.625.0:<2023/11/21, 0:23:38>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): RoleSeparationEnabled
CertSrv: Opening Database E:\CertLog\Denetarik Root CA.edb
CertSrv: Database open
420.385.0:<2023/11/21, 0:39:4>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
419.6336.0:<2023/11/21, 0:39:4>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
437.2132.0:<2023/11/21, 0:39:4>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
452.627.0:<2023/11/21, 0:39:4>: 0xc0000225 (NT: 0xc0000225 STATUS_NOT_FOUND): nCipher Security World Key Storage Provider
513.753.0:<2023/11/21, 0:39:4>: 0xc0000225 (NT: 0xc0000225 STATUS_NOT_FOUND) 

Not to say the output is easy to follow, but troubleshooting can always do with a bit more information.

Once the relevant information has been collected on the debug file, the flag can be disabled running:

certutil -delreg ca\debug

Comments

Post a Comment

Popular posts from this blog

Decoding OCSP GET requests

Many clients default to OCSP requests via HTTP GET, encoding the request details as part of the URL. These kind of requests can be found in the logs: http://ocsp.ekaitza.net/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ1uvBCJo3G3TPBvK%2BGVqszOaLAawQUb38ZjesMwNeYLEzdGvP%2FZi9TlkACE3cAEdYaIhMmuymSdxoAAAAR1ho%3D As per RFC 6960 , the request is constructed as: GET {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest} So in order to find out the details of the request we have to: 1. Remove the URL encoding This can be done with different tools, depending on the OS/platform being used.Given the input above: MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ1uvBCJo3G3TPBvK%2BGVqszOaLAawQUb38ZjesMwNeYLEzdGvP%2FZi9TlkACE3cAEdYaIhMmuymSdxoAAAAR1ho%3D the output would be: MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ1uvBCJo3G3TPBvK+GVqszOaLAawQUb38ZjesMwNeYLEzdGvP/Zi9TlkACE3cAEdYaIhMmuymSdxoAAAAR1ho= We can then create a text file with it, e.g.:  $ echo "MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ1uvBCJo3G3TPBvK+GVqsz
Read more

Compacting an AD CS database

Given the healthy trend towards decreasing certificate validity periods, it is very likely that the size of an AD CS Certification Authority database will grow following that same trend. Despite regular maintenance activities including deletion of records such as failed, denied etc. it could be that at some point the CA database reaches a problematic size. Deleting records from an AD CS CA database will internally free up the space previously occupied by those records but will not decrease the size of the database file itself. I.e. new records will reuse the freed up space but the total space used by the database file will not decrease. This helps keeping the database size under control but does not help if the size had already increased over acceptable limits; in this case the database must be compacted. The CA is often a critical resource, so it is recommended to keep various backups of different nature, to try to make sure we can recover it in case something goes wrong. Here a
Read more

Signing a CSR with an Enrollment Agent certificate

Image
Often certificate templates in AD CS are configured to require a set of authorised signatures for issuance: This is useful e.g. when issuance approval is delegated to a component outside of AD CS roles, such as some CA management or registration authority portal software. Combined with the template security settings this can prevent requests from being raised directly from the CA without going through a custom standard request process, and depending on the level of security required, multiple signatures can be enforced and optionally also additional CA certificate manager approval. In order to produce each of this signatures an "Enrollment Agent" certificate is used, a certificate with the "Certificate Request Agent (1.3.6.1.4.1.311.20.2.1)"  Enhanced Key Usage. Sometimes it is required to raise requests directly towards the CA, e.g. using the RPC/DCOM interface from the command line, but it is not desirable and/or possible to change the template configuration, so t
Read more