Hestnet-com asked JoshPowers-1108 commented

Strange errors with all certificates issued from AD CS

It all started when I found an error on the certificate I was trying to import for SQL Server Reporting Services.

On the general tab the error is "A system-level error occurred while verifying trust.".
On the Certification Path tab, the root certificate is not shown in the chain as it should be. There is an error at the bottom: "This certificate has an invalid digital signature".

All certificates issued from AD CS have these same errors when viewing them in the console on nearly all domain computers. Machines running an older OS, such as Vista and Windows 7, do not show any errors.

I imported one of the certificates along with the root certificate onto a non-domain-joined PC (Windows 10 Home). There were no errors.

It seems I could safely ignore the errors as all applications continue to work.
I also found that the signing certificate for the Online Responder service went bad as it did not automatically renew. I had to enable a setting on the CA that allows renewal for requests which include an Authority Key Identifier.
I recreated the Revocation Configuration for the Online Responder and all tests and status messages show that it's now working, yet it has not resolved the issue with the errors on the certificates.

On a workstation I found heaps of events like this:

Possible detection of CVE: [CVE-2020-158] cert chain exceeded limit
Additional Information: Cert: <DT-12-17782.hestnet.com> sha1: 285A7CE1B0DFBC9EA886DB277E349EA04BE39B4F IssuerDepthCount: 13 Limit: 12

This Event is generated when an attempt to exploit a known vulnerability ([CVE-2020-158] cert chain exceeded limit) is detected.
This Event is raised by a User mode process.

I searched the web for the CVE ID but it doesn't appear to be a valid CVE ID. What's even more bizarre is the fact that it reports the issuer depth count to be 13. I don't have any intermediate CAs! Only the root CA, and then all end-entity certs are issued from there. I do have almost a dozen cross-CA certificates, but from my limited understanding of PKI, they should not have any impact on the chain length.


windows-server-security

can you show the output of these commands:

 certutil -dump problemcert.cer
1 Vote 1 ·

Hello @Hestnet-com,

I am just writing to see if this question has any update.

If you need further help, please respond to Crypt32's question so that we can help you better.

Thank you for your understanding and support.


Best Regards,
Daisy Zhou

1 Vote 1 ·

Hello @Hestnet-com,
I just want to confirm the current situation.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou

1 Vote 1 ·

Hi. Yes, still having trouble.

0 Votes 0 ·

As an experiment, I replaced crypt32.dll with an older version on a test VM. No certificate errors!

0 Votes 0 ·

Hello @Hestnet-com,

Thank you so much for your update and sharing.

I am very glad that the problem has been solved.


As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!


Best Regards,
Daisy Zhou


0 Votes 0 ·

I ran into this on a test server of mine recently. Since this is the only information I can find on the error, I want to pass on the solution. I had been adding a certificate to the local stores when I ran tests and not doing a very good job of cleaning it up. In the end this message showed up when I tried to validate a certificate whose issuer matched the certificate that I had hundreds of copies of (all with different keys and thumbprints).

So my suggestion is check your root and ca stores on your computer and see if you have ~100 certificates with the same subject and that subject is in the chain of the certificate that is giving you trouble.

Good luck!

0 Votes 0 ·
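An added check for the duplicate-subject condition described in the comment above (example script written for this page, not from the thread or from Microsoft): it groups every certificate in the machine and user Root and CA stores by subject, builds the chain for a problem certificate, and flags duplicated subjects that appear in that chain. The path C:\temp\problemcert.cer is a placeholder for an exported copy of the affected certificate.

```powershell
# Added example: look for the "hundreds of copies of one issuer" condition and
# relate it to the chain of a problem certificate.
# $CertPath is a placeholder; point it at an exported copy of the failing cert.
param([string]$CertPath = 'C:\temp\problemcert.cer')

$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

# Group every certificate in the trust stores by subject. Many distinct
# thumbprints under a single subject is the symptom described in the thread.
$dupes = Get-ChildItem -Path $stores |
    Group-Object -Property Subject |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            Subject     = $_.Name
            Copies      = $_.Count
            Thumbprints = @($_.Group.Thumbprint | Sort-Object -Unique).Count
        }
    } | Sort-Object -Property Copies -Descending

# Build the chain for the problem certificate and record the subjects it
# traverses. Revocation checking is skipped so the test runs offline.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($cert)
$chainSubjects = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }

"Chain length for '$($cert.Subject)': $($chain.ChainElements.Count) element(s)"
foreach ($s in $chain.ChainStatus) {
    "  status: $($s.Status) - $($s.StatusInformation.Trim())"
}

# Report duplicated subjects; those also present in the chain are the suspects.
foreach ($d in $dupes) {
    $flag = if ($chainSubjects -contains $d.Subject) { 'IN CHAIN' } else { '' }
    '{0,5} copies ({1} distinct thumbprints) {2,-8} {3}' -f $d.Copies, $d.Thumbprints, $flag, $d.Subject
}
```

Run it in an elevated PowerShell session so the LocalMachine stores are readable; a subject marked IN CHAIN with dozens of distinct thumbprints is the condition the comment above describes.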
DaisyZhou-MSFT answered

Hello @Hestnet-9240,

Thank you for posting here.

Please check the following information:

1. On the machine where the certificate shows "A system-level error occurred while verifying trust." on the General tab, if you request a new test certificate, does the same issue appear on the new certificate?

2. Also check the Certification Path tab on the new test certificate to see whether the root certificate is there.

3. Did this problem appear suddenly? Or did you make any changes to the environment before the problem occurred?

4. Did you install the latest updates on all these machines?

5. On one problematic machine, can you ping the CA server successfully?

For example:
[attached screenshot: ping1.png]


certutil: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou




Hestnet-com answered DaisyZhou-MSFT commented

Hi Daisy,

  1. I requested a new certificate, and the same errors appear with it.

  2. The root certificate does not appear under the Certification Path tab on the new certificate that was just requested.

  3. From looking at the event logs, it appears the issue has been present since approximately 18/01/2021. I was not aware of the issue until only a few days ago.

  4. Windows Updates were installed just before the warnings started appearing. I have just discovered that updates KB4601384 and KB4598285 are the cause of the issue for one particular Windows 8.1 machine.

  5. The CA server can be pinged successfully from all affected machines.


I will continue to search for the specific Windows Updates that cause the issue, and I will post them here.


Regards,
Luke Hester


Hello @Hestnet-9240,

Thank you for your update.

If you have any update, please post here.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

0 Votes 0 ·
Hestnet-com answered

KB4598287 is a security update for Windows 8.1 and Windows Server 2012 R2. I have confirmed that installing this update causes the issue.
KB4598285 and KB4601384 are monthly rollups applicable to Windows 8.1 and Windows Server 2012 R2. Installing either of these updates will also cause the issue.

For Windows 10 and Windows Server 2019, I believe the Patch Tuesday updates for January 2021 have caused the issues. All my machines have this update installed already, so I have not verified this. The updates cannot be uninstalled. I would prefer they stay installed anyway to keep systems secure.

I suspect the following updates would cause the issue:

  • KB4598242 - 2021-01 Cumulative Update

  • KB4598230 - Cumulative Update

  • KB4598297 - Security-only update

  • KB4598287 - Security-only update

There's probably more I could list that are applicable for other versions of Windows.


I'm not experiencing any issues with the applications that use these certificates, so I will ignore these errors for now.
I suspect the changes Microsoft made to the CryptoAPI for CVE-2021-1679 in these recent patches may have something to do with it. Hopefully, a future patch from Microsoft will resolve it.


Regards,
Luke Hester


Crypt32 answered Hestnet-com commented

I suspect the problem is with your SHA512 signature. It is strongly recommended to use SHA384 at most, because for performance reasons SHA512 is not always and everywhere enabled. For example: https://support.microsoft.com/en-us/topic/sha512-is-disabled-in-windows-when-you-use-tls-1-2-5863e74e-e5b6-cc3b-759b-ece8da875825
And in practice, SHA512 is really overkill from any standpoint. I would recommend downgrading it to SHA384.


I changed all the request templates that were using a SHA512 signature to SHA384. I also renewed the CA root certificate, and it now has a SHA384 signature as well. I requested a new certificate on one of the machines, but the error still appears.

0 Votes 0 ·

"I changed all the request templates that were using a SHA512"

what is the algorithm name you see in newly issued certificates?


1 Vote 1 ·

sha384ECDSA

0 Votes 0 ·