Microsoft Certificate Authority Services (CertEnroll) fails with our Smartcard CSP

  • Question

  • Hi!
    We are writing our own CSP. We are using Microsoft Active Directory Certificate Services and trying to enroll for a certificate.
    But we can't make it work. It worked some years ago, but now there must have been upgrades in the Microsoft Active Directory Certificate Service or the CertEnrollCtrl which make it fail.
    The CA is on a WIN2008 R2, and our client, where the CertEnrollCtrl lies, runs on Windows 7.
    In the CA GUI we click the following links: Request a certificate / advanced certificate request / Create and submit a request to this CA.
    We choose smartcard logon as Certificate Template, then we choose our own CSP under Key options, and then we click submit.
    Here is the log. (All null signs in the returned data are converted to underscores in the log.)
        
         CSP 110329 160521  8 CPAcquireContext: pszContainer:NULL, flags: 0xF0000000  
         CSP 110329 160521  8 Key container K5VGSAAJhKQN0mpuls1wuQ== has certId 0 and keyId 2
         CSP 110329 160521  8 CPGetProvparam: PP_VERSION
         CSP 110329 160521  8 Returning: 769
         CSP 110329 160521  8 CPGetProvparam: PP_IMPTYPE
         CSP 110329 160521  8 Returning: 3
         CSP 110329 160521  8 CPGetProvparam: PP_KEYSPEC
         CSP 110329 160521  8 Function not implemented by Fox. Calling Microsoft function
         CSP 110329 160521  8 Returning: 3
         CSP 110329 160521  8 CPGetProvparam: PP_USE_HARDWARE_RNG
         CSP 110329 160521  8 Function not implemented by Fox. Calling Microsoft function directly
         CSP 110329 160521  8 cContext::CryptGetProvParam returns false. GetLastError = 0x8009000a
         CSP 110329 160521  8 Function CPGetProvparam  FAILED. GetlastError = 0x8009000a Invalid type specified.
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMCONTAINERS  (The data parameter is null in this call so we can't fill it we just set the length)
         CSP 110329 160521  8 Returning NULL
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: f__€___(___€_______ ___RC2_________________ ___RSA Data Security's RC2_________________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: h__€___(___€_______ ___RC4_________________ ___RSA Data Security's RC4_________________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: f__8___8___8_______ ___DES_________________ ___Data Encryption Standard (DES)__________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: f__p___p___p__________3DES TWO KEY________ ___Two Key Triple DES______________________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: f__¨___¨___¨_______ ___3DES________________ ___Three Key Triple DES____________________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: €__ ___ ___ ___ ___ ___SHA-1_______________ ___Secure Hash Algorithm (SHA-1)___________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: €__€___€___€___ ___ ___MD2_________________ ___Message Digest 2 (MD2)__________________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: €__€___€___€___ ___ ___MD4_________________ ___Message Digest 4 (MD4)__________________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: €__€___€___€___ ___ ___MD5_________________ ___Message Digest 5 (MD5)__________________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: €__ __ __ ______ ___SSL3 SHAMD5_________ ___SSL3 SHAMD5_____________________________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: €__________________ ___MAC_________________ ___Message Authentication Code_____________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: _$___ ___ ___ __0___ ___RSA_SIGN____________ ___RSA Signature___________________________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: _¤___ ___ ___ __0___ ___RSA_KEYX____________ ___RSA Key Exchange________________________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 Returning: €__________________ ___HMAC________________ ___Hugo's MAC (HMAC)_______________________
         CSP 110329 160521  8 CPGetProvparam: PP_ENUMALGS_EX
         CSP 110329 160521  8 FAILED: No more data is available.
         CSP 110329 160521  8 Function CPGetProvparam  FAILED. GetlastError = 0x103 No more data is available.
         CSP 110329 160521  8 CPReleaseContext
         CSP 110329 160521  8 CPAcquireContext: pszContainer:le-22996da3-3d1a-48bf-8c7b-33c675ff9390, flags:0x8
         CSP 110329 160521  8 Failed to find a key param with the context le-22996da3-3d1a-48bf-8c7b-33c675ff9390 in the PSD
         CSP 110329 160521  8 CPGenKey
         CSP 110329 160522  8 CPGetKeyParam: KP_KEYLEN
         CSP 110329 160522  8 Returning: 1024
         CSP 110329 160522  8 CPGetKeyParam: KP_PERMISSIONS
         CSP 110329 160522  8 Returning: 35
         CSP 110329 160522  8 CPGetProvparam: PP_KEYSTORAGE
         CSP 110329 160522  8 Function CPGetProvparam  FAILED. GetlastError = 0x8009000a Invalid type specified. (As we don't have any security descriptor we return this error code
         CSP 110329 160522  8 CPGetProvparam: PP_CONTAINER
         CSP 110329 160522  8 Returning NULL
         CSP 110329 160522  8 CPGetProvparam: PP_CONTAINER
         CSP 110329 160522  8 Returning: le-22996da3-3d1a-48bf-8c7b-33c675ff9390_
         CSP 110329 160522  8 CPGetProvparam: PP_UNIQUE_CONTAINER
         CSP 110329 160522  8 Returning NULL
         CSP 110329 160522  8 CPGetProvparam: PP_UNIQUE_CONTAINER
         CSP 110329 160522  8 Returning: le-22996da3-3d1a-48bf-8c7b-33c675ff9390_
         CSP 110329 160522  8 CPAcquireContext: pszContainer:NULL, flags: 0xF0000040
         CSP 110329 160522  8 Key container K5VGSAAJhKQN0mpuls1wuQ== has certId 0 and keyId 2
         CSP 110329 160522  8 CPGetProvparam: PP_CONTAINER
         CSP 110329 160522  8 Returning NULL
         CSP 110329 160522  8 CPGetProvparam: PP_CONTAINER
         CSP 110329 160522  8 Returning: K5VGSAAJhKQN0mpuls1wuQ==_
         CSP 110329 160522  8 CPReleaseContext
         CSP 110329 160522  8 CPGetProvparam: PP_KEYSET_SEC_DESCR (we have no PP_KEYSET_SEC_DESCR returning 0x8009000a)
         CSP 110329 160522  8 Function CPGetProvparam  FAILED. GetlastError = 8009000a Invalid type specified.
         CSP 110329 160522  8 CPGetKeyParam: KP_CERTIFICATE (we dont have a cerificate yet returning zero length)
         CSP 110329 160522  8 CPGetKeyParam: KP_CERTIFICATE (Dont know what to return here as we don\t have a certificate have tried a number of different return codes in this example I return an empty string with zero length. 
         CSP 110329 160522  8 Returning: 
         CSP 110329 160522  8 CPDestroyKey
         CSP 110329 160522  8 CPReleaseContext
         CSP 110329 160522  8 CPAcquireContext: pszContainer:le-22996da3-3d1a-48bf-8c7b-33c675ff9390, flags:0x10
    end log
    In the Microsoft Active Directory Certificate Services GUI we see the following error message:
    An error occurred while creating the certificate request. Please verify that your CSP supports any settings you have made and that your input is valid.  
    Suggested cause:
    No suggestion. 
    Error: 0x80093102 - (unknown) " 
    This error is understandable as we have sent an empty string as a certificate.
    The problem is why it asks for PP_KEYSET_SEC_DESCR and KP_CERTIFICATE when we don't have any of those parameters.
    What we are trying to do is create a certificate, so obviously we can't return it.
    The question is: can we return something else on any of these calls to make the CA go another way, or should we return something else on the PP_KEYSET_SEC_DESCR and KP_CERTIFICATE questions?
    Do you have any ideas?
    Regards Alf
    Wednesday, March 30, 2011 7:32 AM

All replies

  • Hi Alf, have you got the answer? I have got the same problem. If you have any idea plz tell me, thx.
    • Proposed as answer by fmduan Saturday, February 4, 2017 2:43 AM
    • Unproposed as answer by fmduan Saturday, February 4, 2017 2:59 AM
    Wednesday, June 6, 2012 7:33 AM
  • It might help to collect certenroll logs. Can you do the following:

    certutil -setreg enroll\debug 0xffffffe3
    restart the process

    Supply the log file in %windir%\certenroll.log and/or %userprofile%\certenroll.log
    certutil -delreg enroll\debug

    The certenroll log file should indicate where it is failing.

    Andrew

    • Proposed as answer by fmduan Saturday, February 4, 2017 3:00 AM
    • Unproposed as answer by fmduan Saturday, February 4, 2017 3:00 AM
    Wednesday, June 6, 2012 5:09 PM
  • Thanks Andrew. But it seems nothing useful.

    Here is the log.

    certenroll.log

    ========================================================================
    402.511.948: Begin: 2012/6/7 11:45 44.285s
    402.516.0: CertEnrollCtrl.exe
    402.520.0: GMT + 8.00
    2005.208.0: certcli.dll: 6.1:7601.17514 retail
    2005.208.0: certenroll.dll: 6.1:7601.17514 retail
    402.377.949: End: 2012/6/7 13:24 44.488s

    CertEnrollCtrl.log
    ========================================================================
    402.511.948: Begin: 2012/6/7 11:45 44.291s
    402.516.0: CertEnrollCtrl.exe
    402.520.0: GMT + 8.00
    3201.26.0: certcli.dll: 6.1:7601.17514 retail
    3201.26.0: CertEnrollCtrl.exe: 6.1:7600.16385 retail
    2007.195.0:<2012/6/7, 11:45:47>: 0x80091002 (-2146889726): 3DES_112
    2007.195.0:<2012/6/7, 11:45:47>: 0x80091002 (-2146889726): DESX
    2007.195.0:<2012/6/7, 11:45:47>: 0x80091002 (-2146889726): AES-GMAC
    2007.195.0:<2012/6/7, 11:45:49>: 0x80091002 (-2146889726): 3DES_112
    2007.195.0:<2012/6/7, 11:45:49>: 0x80091002 (-2146889726): DESX
    2007.195.0:<2012/6/7, 11:45:49>: 0x80091002 (-2146889726): AES-GMAC
    2007.195.0:<2012/6/7, 11:46:13>: 0x80091002 (-2146889726): 3DES_112
    2007.195.0:<2012/6/7, 11:46:13>: 0x80091002 (-2146889726): DESX
    2007.195.0:<2012/6/7, 11:46:13>: 0x80091002 (-2146889726): AES-GMAC
    2007.195.0:<2012/6/7, 11:46:33>: 0x80091002 (-2146889726): 3DES_112
    2007.195.0:<2012/6/7, 11:46:33>: 0x80091002 (-2146889726): DESX
    2007.195.0:<2012/6/7, 11:46:33>: 0x80091002 (-2146889726): AES-GMAC
    2014.1892.0:<2012/6/7, 11:46:33>: 0x80094004 (-2146877436)
    2011.121.0:<2012/6/7, 11:46:33>: 0x80094004 (-2146877436)
    2014.4740.0:<2012/6/7, 11:46:33>: 0x80094004 (-2146877436)
    2014.3720.0:<2012/6/7, 11:46:33>: 0x80094004 (-2146877436)
    2027.475.0:<2012/6/7, 11:46:33>: 0x80094004 (-2146877436)
    2009.1152.0:<2012/6/7, 11:46:33>: 0x80094004 (-2146877436)
    2009.4353.0:<2012/6/7, 11:46:33>: 0x800700aa (WIN32/HTTP: 170)
    2009.1774.0:<2012/6/7, 11:46:33>: 0x800700aa (WIN32/HTTP: 170)
    2040.1255.0:<2012/6/7, 11:46:33>: 0x800700aa (WIN32/HTTP: 170)
    2009.2640.0:<2012/6/7, 11:46:33>: 0x1 (WIN32: 1): KingTrust USBKey Cryptographic Provider v1.0
    2009.2641.0:<2012/6/7, 11:46:33>: 0xa (WIN32: 10): le-f07d9741-d550-4172-bbd2-09ae143161a4
    419.207.0:<2012/6/7, 11:46:38>: 0x80004001 (-2147467263)
    2009.3894.0:<2012/6/7, 11:46:38>: 0x80004001 (-2147467263)
    2009.3078.0:<2012/6/7, 11:46:38>: 0x80004001 (-2147467263)
    2009.3114.0:<2012/6/7, 11:46:38>: 0x80004001 (-2147467263)
    2009.1282.0:<2012/6/7, 11:46:38>: 0x80004001 (-2147467263)
    2040.1336.0:<2012/6/7, 11:46:38>: 0x80004001 (-2147467263)
    2040.1369.0:<2012/6/7, 11:46:38>: 0x0 (WIN32: 0)
    2040.1971.0:<2012/6/7, 11:46:38>: 0x80004001 (-2147467263)
    2014.3031.0:<2012/6/7, 11:46:38>: 0x80004001 (-2147467263)
    2014.1704.0:<2012/6/7, 11:46:38>: 0x80004001 (-2147467263)
    2014.1327.0:<2012/6/7, 11:46:38>: 0x80004001 (-2147467263)
    2027.3209.0:<2012/6/7, 11:46:38>: 0x80004001 (-2147467263)
    2036.86.0:<2012/6/7, 11:46:38>: 0x80020009 (-2147352567): CX509Enrollment
    2036.87.0:<2012/6/7, 11:46:38>: 0x80020009 (-2147352567): 0x60020003(1610743811)
    2036.563.0:<2012/6/7, 11:46:38>: 0x80020009 (-2147352567): CX509Enrollment::get_CreateRequest
    2036.567.0:<2012/6/7, 11:46:38>: 0x80020009 (-2147352567): CX509Enrollment::get_CreateRequest
    2036.573.0:<2012/6/7, 11:46:38>: 0x80020009 (-2147352567): CX509Enrollment::get_CreateRequest
    402.377.949: End: 2012/6/7 13:24 44.425s

    csp-log.txt (This is part of my CSP's log)

    ========================================================================

         CSP(77): CPAcquireContext, dwFlags: f0000000
        CONT(78): CPAcquireContext - Kingtrust Container, dwFlags: f0000000
         CSP(80): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_VERSION,  dwFlags:0
         CSP(81): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_IMPTYPE,  dwFlags:0
         CSP(82): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_KEYSPEC,  dwFlags:0
         CSP(83): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_USE_HARDWARE_RNG,  dwFlags:0
       ERROR(84): CSP11_EXCEPT: 0x8009000a, line:929, Files: ..\..\..\..\..\src\ktcsp11\csp\Context.cpp
         CSP(85): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_ENUMCONTAINERS,  dwFlags:1
         CSP(86): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_ENUMALGS_EX,  dwFlags:1
         CSP(87): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_ENUMALGS_EX,  dwFlags:0
         CSP(88): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_ENUMALGS_EX,  dwFlags:0
         CSP(89): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_ENUMALGS_EX,  dwFlags:0
         CSP(90): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_ENUMALGS_EX,  dwFlags:0
         CSP(91): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_ENUMALGS_EX,  dwFlags:0
         CSP(92): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_ENUMALGS_EX,  dwFlags:0
         CSP(93): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_ENUMALGS_EX,  dwFlags:0
         CSP(94): CPGetProvParam, HCRYPTPROV:f54288,  dwParam:PP_ENUMALGS_EX,  dwFlags:0
       ERROR(95): CSP11_EXCEPT: 0x103, line:812, Files: ..\..\..\..\..\src\ktcsp11\csp\Context.cpp
        CONT(96): CPReleaseContext - Kingtrust Container
         CSP(97): CPReleaseContext -- OK
         CSP(98): CPAcquireContext, dwFlags: 00000008
        CONT(99): CPAcquireContext - le-2980fbc4-1cfe-4211-9b68-12c794f6f8e0, dwFlags: 8
        CONT(102): CPAcquireContext - le-2980fbc4-1cfe-4211-9b68-12c794f6f8e0, OK
         KEY(103): CPGenKey, Algid:1 , dwFlag:4000002
         KEY(110): CPGenKey, return: True
         CSP(111): CPGetKeyParam, HCRYPTKEY:f58eb0,  dwParam:KP_KEYLEN, dwFlag:0
         CSP(113): CPGetKeyParam, HCRYPTKEY:f58eb0,  dwParam:KP_PERMISSIONS, dwFlag:0
         CSP(115): CPGetProvParam, HCRYPTPROV:f58d80,  dwParam:PP_KEYSTORAGE,  dwFlags:0
       ERROR(116): CSP11_EXCEPT: 0x8009000a, line:929, Files: ..\..\..\..\..\src\ktcsp11\csp\Context.cpp
         CSP(117): CPGetProvParam, HCRYPTPROV:f58d80,  dwParam:PP_CONTAINER,  dwFlags:0
         CSP(118): CPGetProvParam, HCRYPTPROV:f58d80,  dwParam:PP_CONTAINER,  dwFlags:0
         CSP(119): CPGetProvParam, HCRYPTPROV:f58d80,  dwParam:PP_UNIQUE_CONTAINER,  dwFlags:0
         CSP(120): CPGetProvParam, HCRYPTPROV:f58d80,  dwParam:PP_UNIQUE_CONTAINER,  dwFlags:0
         CSP(121): CPGetProvParam, HCRYPTPROV:f58d80,  dwParam:PP_KEYSET_SEC_DESCR,  dwFlags:4
       ERROR(122): CSP11_EXCEPT: 0x80004001, line:923, Files: ..\..\..\..\..\src\ktcsp11\csp\Context.cpp
         CSP(123): CPDestroyKey, hKey: 00f58eb0
        CONT(128): CPReleaseContext - le-2980fbc4-1cfe-4211-9b68-12c794f6f8e0
         CSP(129): CPReleaseContext -- OK
         CSP(130): CPAcquireContext, dwFlags: 00000010
        CONT(131): CPAcquireContext - le-2980fbc4-1cfe-4211-9b68-12c794f6f8e0, dwFlags: 10

    and the error code on the web page is 0x80004001. Can you give me any advice? THX



    Thursday, June 7, 2012 5:54 AM
  • I would recommend that instead of returning E_NOTIMPL when asked for a security descriptor that your CSP return NTE_NOT_SUPPORTED.

    I think that will get you past this issue.

    Andrew

    • Proposed as answer by Andrew Bernat Friday, June 8, 2012 5:33 PM
    Friday, June 8, 2012 2:39 AM
  • Thanks Andrew. I tried what you said and got past this issue.
    Friday, June 8, 2012 9:38 AM
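
The suggestion above (answer PP_KEYSET_SEC_DESCR with NTE_NOT_SUPPORTED rather than E_NOTIMPL) sketched as a provider-parameter dispatcher, together with the NULL-buffer length query visible in both CSP logs. This is an added example, not code from either poster's CSP: `csp_ctx`, `copy_out` and `csp_get_prov_param` are hypothetical names, and the constants are reproduced from the Windows SDK headers so the file compiles without them.

```c
#include <stdint.h>
#include <string.h>

/* Constants reproduced from wincrypt.h / winerror.h so this builds off Windows. */
#define PP_CONTAINER            6u
#define PP_KEYSET_SEC_DESCR     8u
#define ERROR_INVALID_PARAMETER 87u
#define ERROR_MORE_DATA         234u
#define NTE_BAD_TYPE            0x8009000Au
#define NTE_NOT_SUPPORTED       0x80090029u

/* Hypothetical per-context state; a real CSP tracks far more. */
typedef struct { const char *container; } csp_ctx;

/* CryptoAPI two-call convention: data == NULL asks only for the length. */
static uint32_t copy_out(const void *src, uint32_t n, uint8_t *data, uint32_t *len)
{
    if (data == NULL) { *len = n; return 0; }
    if (*len < n)     { *len = n; return ERROR_MORE_DATA; }
    memcpy(data, src, n);
    *len = n;
    return 0;
}

/* Hypothetical core of CPGetProvParam. Returns 0 when the exported entry
 * point should return TRUE, otherwise the code it passes to SetLastError()
 * before returning FALSE. */
uint32_t csp_get_prov_param(const csp_ctx *ctx, uint32_t param,
                            uint8_t *data, uint32_t *len, uint32_t flags)
{
    (void)flags;
    if (ctx == NULL || len == NULL) return ERROR_INVALID_PARAMETER;
    switch (param) {
    case PP_CONTAINER:
        return copy_out(ctx->container, (uint32_t)strlen(ctx->container) + 1, data, len);
    case PP_KEYSET_SEC_DESCR:
        /* No security descriptor is kept for the container: answer with an
         * NTE_* code. E_NOTIMPL (0x80004001) here was passed straight up to
         * the enrollment page in the log above. */
        return NTE_NOT_SUPPORTED;
    default:
        return NTE_BAD_TYPE; /* unknown dwParam */
    }
}

int main(void)
{
    csp_ctx ctx = { "le-constructed-container" }; /* constructed sample name */
    uint32_t len = 0;
    return csp_get_prov_param(&ctx, PP_KEYSET_SEC_DESCR, NULL, &len, 4) == NTE_NOT_SUPPORTED ? 0 : 1;
}
```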