
I need to develop operational procedures to audit and understand why a specific request was rejected by an Active Directory Certificate Services (ADCS) Policy Module.

I've attempted turning on all logging (checkboxes) in the GUI, and checked the Event Log. I only see one event log entry per failed request; however, I don't have a clear way of determining what caused it to fail. An example of a failure is below:

Active Directory Certificate Services denied request 4 because The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE). The request was for CN=Issue01a, CN=Bits.com, OU=For email security, O=Bits LLC, C=US. Additional information: Denied by Policy Module

The above example is a sub-ca that intentionally had a validity period that would extend beyond the validity of the parent CA.

I'm hoping to derive that reason from the error code above, or some other location.

What I've done: Searching for the error "2146877435" in Google results in this very post being pulled up. None of the results on the first few pages are a list of error codes and reasons.

makerofthings7

2 Answers


This link describes how to extract more logging from the certificate service. A restart may be required.

To enable debug logging for the native Windows CertEnroll client, execute the following command:

certutil -setreg enroll\debug 0xffffffe3

The log file is in the following location: %windir%\CertEnroll.log

certutil -setreg ca\debug 0xffffffe3

The log file is in the following location: %windir%\certsrv.log

makerofthings7
    FWIW, another possible cause of that error code is the policy being incompatible with the attempted action: specifically trying to sign a new CA with a CA whose pathlen is 0 (so there's nothing "invalid" about the CA data, it's merely an inappropriate action). The debug flag works, sadly it simply prints that error out more times instead of explaining the problem... – mr.spuratic Mar 14 '17 at 20:06

mr.spuratic commented:

FWIW, another possible cause of that error code is the policy being incompatible with the attempted action: specifically trying to sign a new CA with a CA whose pathlen is 0 (so there's nothing "invalid" about the CA data, it's merely an inappropriate action).

As this was exactly my problem, I want to preserve this comment in an answer and elaborate it a little more:

Before setting up the root CA, you have to allow sub CAs in the file C:\Windows\CAPolicy.inf in the following section:

[BasicConstraintsExtension]
PathLength=0

If PathLength is set to 0, no sub CAs are allowed. If set to 1, you can have sub CAs. If set to 2, you can have sub CAs that can have sub CAs and so on. If it is not defined or set to none, you can have infinite levels of sub CAs. You cannot alter this value after you already installed your root CA.

stackprotector
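As an added illustration, not code from the question or either answer, the following Python script models the two rejection causes discussed in this thread (a sub-CA request whose validity extends beyond its issuer, and an issuer whose PathLength is exhausted) so a request can be checked before it is submitted to the CA. It also converts the hex HRESULT from the event log into the signed decimal that the same log line prints, which is the value the question tried to search for. The CA names and dates are constructed sample values, and the check is a simplified model, not ADCS's own policy logic.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# The HRESULT from the event log entry quoted in the question.
CERTSRV_E_INVALID_CA_CERTIFICATE = 0x80094005


def hresult_to_signed(hresult: int) -> int:
    """Signed 32-bit form of an HRESULT, as the event log prints it in parentheses."""
    hresult &= 0xFFFFFFFF
    return hresult - 0x1_0000_0000 if hresult & 0x8000_0000 else hresult


@dataclass
class CaCert:
    name: str
    not_before: datetime
    not_after: datetime
    path_length: Optional[int]  # None models "none"/undefined: unlimited sub CA levels


def sub_ca_rejection_reasons(chain: list, request: CaCert) -> list:
    """Return the reasons a sub-CA request would be refused by its issuing chain.
    chain is ordered root first, issuing CA last. Only the two causes named in the
    thread are modelled: validity outside the issuer's, and an exhausted PathLength.
    """
    issuer = chain[-1]
    reasons = []
    if request.not_after > issuer.not_after or request.not_before < issuer.not_before:
        reasons.append(f"validity of {request.name} is not within issuer {issuer.name}")
    # Walk up from the issuer: a CA at distance d allows at most path_length CA
    # levels below it, and the requested CA would sit at level d + 1.
    for distance, ca in enumerate(reversed(chain)):
        if ca.path_length is not None and ca.path_length < distance + 1:
            reasons.append(f"{ca.name} has PathLength={ca.path_length}; a sub CA "
                           f"{distance + 1} level(s) below it is not permitted")
    return reasons


def demo() -> dict:
    """Constructed sample: a root with PathLength=0 that the sub-CA request also
    outlives (the question's scenario), then the same request against a root that
    permits one level of sub CAs and covers the requested validity."""
    strict_root = CaCert("Bits Root", datetime(2016, 1, 1), datetime(2026, 1, 1), 0)
    lenient_root = CaCert("Bits Root", datetime(2016, 1, 1), datetime(2036, 1, 1), 1)
    request = CaCert("Issue01a", datetime(2017, 1, 1), datetime(2030, 1, 1), None)
    return {"rejected": sub_ca_rejection_reasons([strict_root], request),
            "accepted": sub_ca_rejection_reasons([lenient_root], request)}


if __name__ == "__main__":
    print(hex(CERTSRV_E_INVALID_CA_CERTIFICATE), hresult_to_signed(CERTSRV_E_INVALID_CA_CERTIFICATE))
    for outcome, reasons in demo().items():
        print(outcome, reasons)
```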