This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
It all started when I found an error on the certificate I was trying to import for SQL Server Reporting Services.
On the general tab the error is "A system-level error occurred while verifying trust.".
On the Certification Path tab, the root certificate is not shown in the chain like it should. There is an error at the bottom: "This certificate has an invalid digital signature".
All certificates issued from AD CS have these same errors when viewing them in the console on nearly all domain computers. Machines running an older OS, such as Vista and Windows 7, do not show any errors.
I imported one of the certificates along with the root certificate on to a non-domain joined PC (Windows 10 Home). There were no errors.
It seems I could safely ignore the errors as all applications continue to work.
I also found that the signing certificate for the Online Responder service went bad as it did not automatically renew. I had to enable a setting on the CA that allows renewal for requests which include an Authority Key Identifier.
I recreated the Revocation Configuration for the Online Responder and all tests and status messages show that it's now working, yet it has not resolved the issue with the errors on the certificates.
On a workstation I found heaps of events like this:
Possible detection of CVE: [CVE-2020-158] cert chain exceeded limit
Additional Information: Cert: <DT-12-17782.hestnet.com> sha1: 285A7CE1B0DFBC9EA886DB277E349EA04BE39B4F IssuerDepthCount: 13 Limit: 12This Event is generated when an attempt to exploit a known vulnerability ([CVE-2020-158] cert chain exceeded limit) is detected.
This Event is raised by a User mode process.
I searched the web for the CVE ID but it doesn't appear to be a valid CVE ID. What's even more bizarre, is the fact that it reports the issuer depth count to be 13. I don't have any intermediate CA's! Only the root CA, and then all end-entity certs are issued from there. I do have almost a dozen cross-ca certificates but from my limited understanding of PKI, they should not have any impact on the chain length.
can you show the output of these commands:
certutil -dump problemcert.cer
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Hestnet ,
I am just writing to see if this question has any update.
If you need further, please confirm Crypt32's question so that we can help you better.
Thank you for your understanding and support.
Best Regards,
Daisy Zhou
Hello @Hestnet ,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.
Best Regards,
Daisy Zhou
Hi. Yes, still having trouble.
As an experiment, I replaced crypt32.dll with an older version on a test VM. No certificate errors!
Hello @Hestnet ,
Thank you so much for your update and sharing.
I am very glad that the problem has been solved.
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!
Best Regards,
Daisy Zhou
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 56.00000000000001%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
I ran into this on a test server of mine recently. Since this is the only information I can find on the error I want to pass on the solution. I had been adding a certificate to the local stores when I ran tests and not doing a very good job of cleaning it up. In the end this message showed up when I tried to validate a certificate who's issuer matched the certificate that i had hundreds of copies of (all with different keys and thumbprints).
So my suggestion is check your root and ca stores on your computer and see if you have ~100 certificates with the same subject and that subject is in the chain of the certificate that is giving you trouble.
Good luck!
Hi @Josh Powers ,
Last night I decided to have another look for any new information and I came across your posts on gibhubmemory. You gave me the clue I needed to resolve it. I had more than a hundred CrossCA certificates on the CA server.
Thanks, I owe you one!
Regards,
Luke Hester
Hello @Hestnet-9240,
Thank you for posting here.
Please check the following information:
1.On the machine with certificate "On the general tab the error is "A system-level error occurred while verifying trust."", if you try to request a new test certificate, check whether there is the same isuue on the new certificate?
2.Also check Certification Path tab on the new test certificate, if there is root certificate.
3.Did this problem appear suddenly? Or did you make any changes to the environment before the problem occurred?
4.Did you install latest updates on all these machine?
5.On one probelmatic machine, can you ping CA server successfully?
For example:
certutil
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
I suspect the problem is with your SHA512 signature. It is strongly recommended to use SHA384 at most, because due to performance reasons SHA512 is not always and everywhere enabled. For example: https://support.microsoft.com/en-us/topic/sha512-is-disabled-in-windows-when-you-use-tls-1-2-5863e74e-e5b6-cc3b-759b-ece8da875825
And in practice, SHA512 is really an overkill from any standpoint. I would recommend to downgrade it to SHA384.
I changed all the request templates that were using a SHA512 signature to SHA384. I also renewed the CA root certificate, and it now has a SHA384 signature as well. I requested a new certificate on one of the machines, but the error still appears.
I changed all the request templates that were using a SHA512
what is the algorithm name you see in newly issued certificates?
sha384ECDSA
Ok, last resort: can you run certutil -verify -urlfetch cert.cer against a problematic certificate and show the output?
Issuer:
CN=Hestnet Root Certification Authority
O=Hestnet
C=AU
DC=hestnet
DC=com
Name Hash(sha1): 8a3a4d1e46f66fcaec5c1d9630a07e05b38b8004
Name Hash(md5): cee36844a91cc0762198d5b9610c89eb
Subject:
CN=Luke H. Hester
OU=Administrators
OU=Users
OU=Users & Computers
DC=hestnet
DC=com
Name Hash(sha1): 8acd9eb4800f9880869f94a865d117394fe98a27
Name Hash(md5): 1ddef27a113139c8d5ccdf4ccef15a51
Cert Serial Number: 4900000520da7aef1b5685130d000a00000520
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
CertUtil: -verify command FAILED: 0x80090006 (-2146893818 NTE_BAD_SIGNATURE)
CertUtil: Invalid Signature.
@Vadims Podāns I had another look at it last night and I was able to resolve it finally. There were more than 100 CrossCA certificates in the store. I revoked them all and then I removed each one from the AIA Container using pkiview.
This is not normal. Why you created 100 cross-certs?
I don't really know but I think it's because I renewed the root certificate a few times when I was setting up the server. I made some mistakes in the beginning.
Hi Daisy,
I will continue to search for the specific Windows Updates that cause the issue, and I will post them here.
Regards,
Luke Hester
Hello @Hestnet-9240,
Thank you for your update.
If you have any update, please post here.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
KB4598287 is a security update for Windows 8.1 and Windows Server 2012 R2. I have confirmed that installing this update causes the issue.
KB4598285 and KB4601384 are monthly rollups applicable to Windows 8.1 and Windows Server 2012 R2. Installing either of these updates will also causes the issue.
For Windows 10 and Windows Server 2019. I believe the patch Tuesday updates for January 2021 have caused the issues. All my machines have this update installed already so I have not verified this. The updates cannot be uninstalled. I would prefer they stay installed anyway to keep systems secure.
I suspect the following updates would cause the issue:
There's probably more I could list that are applicable for other versions of Windows.
I'm not experiencing any issues with the applications that use these certificates, so I will ignore these errors for now.
I suspect the changes Microsoft made to the CyrptoAPI for CVE-2021-1679 in these recent patches may have something to do it. Hopefully, a future patch from Microsoft will resolve it.
Regards,
Luke Hester