Certdog Errors and Solutions
The following contains some common errors that may be experienced when using Certdog together with their solutions
There are no CA issuers that can process a request. This may be because you do not have permissions on any of the configured CA issuers
Error Details
When you navigate to Request by CSR or DN this message appears and you are unable to see any CA Issuers
Solution
This is because the Team(s) you are a member of have not been assigned any permissions on CA Issuers. To rectify, first click on the top right user icon and select Profile under My Account
The Team(s) you are a member of will be highlighted. Note these teams
Next click on Teams from the menu, select one of the Teams you noted above and click View/Edit
Next to Permitted Certificate Issuers, select the issuers that you wish this team to have permissions to obtain certificates from. As you are a member of this team you will also be provided with these permissions
Re-attempt the certificate issuance
A CSR generator must be configured before you can request a certificate from a DN
Error
When navigating to Request - DN, this error is presented
Solution
If you want to request a certificate by only supplying the DN, Certdog must also create the CSR (Certificate Signing Request) on your behalf. In order to do this a CSR Generator is required
To create a new CSR generator follow the steps outlined here
Credential fails when attempting to obtain templates or certificates from a Microsoft CA (ADCS)
Error
A credential is configured but when attempting to obtain templates or a certificate the following is seen:
The request to obtain the templates from the CA agent failed. Reason: There was an error obtaining the templates from the CA. Check the CA details are correct - they should be in the format 'hostname\ca name' as returned in the Config entry when certutils is run. Details (Logon failure: the user has not been granted the requested logon type at this computer)
Or
The request to obtain the certificate failed. Reason: Failed to process request. Logon failure: the user has not been granted the requested logon type at this computer
The important part being:
Logon failure: the user has not been granted the requested logon type at this computer
Solution
A service account should be used as a credential when accessing the Microsoft CA. The credential should be configured with the Deny logon locally and the Logon as a service user right assignments. If either Deny logon locally or Logon as a service are not set, this error will occur
You may run rsop.msc to obtain the local policy settings and check the assignments for the group that the user is a member of
Arrange for the correct permissions and assignments to be added to the user. See here for information on how to configure the account correctly
You may also try running the ADCS Agent service under this account and setting the credential in the Microsoft Certificate Issuer to be No Credential (use local agent account). See here for more details
Login screen runs slow
On some virtual machines that have limited graphics processing power or that may have 3d acceleration switched off, the login screen can appear to run slow
Error
Login screen slow to respond
Solution
This is due to the login screen background. This can be removed as follows:
-
Stop the Krestfield Certdog Service
-
Delete (or move to a backup location if still required) the following file:
[certdog install]\tomcat\webapps\certdog#ui\background.mp4
- Start the Krestfield Certdog Service
If your browser is still showing the background this will be because of the browser cache. Try closing the browser or performing a full refresh (e.g. CTRL-F5 on Chrome)
Cannot stop Krestfield CertDog Service
Error
Windows could not stop the Krestfield CertDog Service service on Local Computer.
Error 1061: The service cannot accept control messages at this time
Solution
Open a PowerShell window as Administrator and navigate to: [certdog install]\bin
Run .\stop-tomcat.ps1
Next, open task manager, click on the Services tab and locate Krestfield Certdog Service
Right click and select Go to details
Click certman-service.exe and click End task
The request to obtain the certificate failed. Reason: Failed to process request. Index was outside the bounds of the array
Error Details
Applicable to versions up until version 1.6 only
If running the Krestfield ADCS Service under a specific Service Account and you have set the Microsoft CA Issuer in Certdog to use No Credential. You may see this error when requesting a certificate
Solution
Set the Krestfield ADCS Service to run under the Local System account and set the service account (that has permissions on the CA) as a Credential in Certdog. For your Microsoft Certificate Issuer - select this credential
Creating a CA using an AWS CloudHSM Key Store fails
Error Details
The AWS CloudHSM client has been configured on the machine and a key store configured in Certdog. When attempting to create a new CA, you see the following error:
There was an error creating the new CA. There was an error whilst creating the root CA: Signing Exception: There was an error generating the raw signature. Signing Exception: Signing error. Signing Exception: There was an error signing the data: CKR_FUNCTION_FAILED
Checking the CloudHSM log (on windows the default location is here C:\Program Files\Amazon\CloudHSM\cloudhsm-pkcs11.log.[timestamp]) you see errors such as:
2022-05-26T07:53:48.054Z ERROR [3908] ThreadId(3) [cloudhsm_pkcs11::sign::rsa_pkcs] Key 1310835 does not meet the availability requirements - The key must be available on at least 2 HSMs before being used.
2022-05-26T07:53:48.054Z ERROR [3908] ThreadId(3) [cloudhsm_pkcs11::sign::C_SignInit] C_SignInit failed, returning 0x00000006
Then this is due to the default availability requirements being enabled on the CloudHSM client. Which (as the error message above indicates) requires that the key be available on at least 2 HSMs before being used
If you only have a single HSM configured this will never be the case
Solution
Switch off the key availability check as follows
For Windows:
Open a command prompt, as Administrator. Navigate to the bin directory (as below) and then run the following command:
C:\Program Files\Amazon\CloudHSM\bin>configure-pkcs11.exe --disable-key-availability-check
Restart the Certdog service
For Linux, from a shell run the following:
sudo /opt/cloudhsm/bin/configure-pkcs11 --disable-key-availability-check
Restart the Tomcat service
The Krestfield CertDog Service doesn’t start
Error Details
The following message is seen whilst attempting to manually start the service
The Krestfield CertDog Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.
Solution
Check the windows Event Log and navigate to Windows Logs, Application
If you locate event ID 7172 with the following message:
Unable to start the system. No master password has been set. Run the set master password script
Open a PowerShell window as Administrator and navigate to [certdog installation]\install e.g. c:\certdog\install
Run the following command
.\start-certdog-service.ps1
When prompted enter the Master Secret/Password. This is the passphrase that would have initially been saved to MasterSecret.txt at installation
Database Fails to Start after SSL Configuration
Error Details
The Krestfield Certdog Database service fails to start
This can happen after the database SSL certificate has been renewed
Checking the log file here [certdog install]\mongodb\mongod.log there is an InvalidSSLConfiguration error, with message Failed to find PEM blob header e,g,:
{"t":{"$date":"2022-06-30T17:44:09.963+00:00"},"s":"F", "c":"CONTROL", "id":20574, "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"Failed to find PEM blob header: -----BEGIN CERTIFICATE-----"}}}
Solution
The database is very sensitive to file formats. If the certificate PEM file ([certdog install]\config\sslcerts\dbssl.pem) was saved as UNICODE, the database will not read it correctly. Open the certificate file and save as UTF-8 using a suitable text editor
Get “CA does not have any certificates configured” when requesting a certificate
Error Details
The error message Error Generating Certificate, Unable to process certificate request as the CA specified: IssuingCA1 does not have any certificates configured is displayed when attempting to request a certificate from a Microsoft CA
Checking the log you see an entry such as:
There was an error whilst attempting to retrieve the CA certificates from the CA. Unable to obtain certificates from the CA. CCertAdmin::GetCAProperty: Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
which is reported from the agent when the Certificate Issuer is configured
Solution
This is a permissions issue. The account used by the agent does not have the correct permissions on the CA. To rectify, follow the guide here: https://krestfield.github.io/docs/pki/setting_adcs_template_permissions.html and also ensure that the account has Issue and Manage Certificates and Request Certificates permissions on the CA itself (managed via Properties)
One the permissions have been updated, delete the issuer and re-create. Check the logs for errors
Using a PKCS11 token gives CKR_TOKEN_NOT_PRESENT or CKR_DEVICE_REMOVED
Error Details
After creating a PKCS11 Key Store, attempting to create a CA gives an error stating CKR_TOKEN_NOT_PRESENT e.g.
There was an error initialising: Token Exception: PKCS#11 Token: Unable to login to Token. CKR_DEVICE_REMOVED
Solution
This usually means that the hardware device (e.g. HSM) is not currently online or may not been configured correctly for this server
Start the server (or re-connect)
Run the vendor tools to confirm the device has been configured correctly and allows this client (where Certdog is running) to access it. Also ensure that the PKCS11 interface has been configured
Ensure any environment variables have been set e.g. for Utimaco the CS_PKCS11_R3_CFG environment variable must be set. If you set this ensure you restart the services to pick up the change
If after making changes the error still occurs, stop and start the Krestfield CertDog Service as underlying processes can cache failed attempts and this cache can only be cleared via a restart
DN Restrictions do not restriction wildards in Common Name
Error Details
Configure a DN restriction to Deny Wilcard Domains but domains such as *.org.com are still permitted in the Common Name (CN) field
Solution
Domains are not restricted in the Common Name field as this field is not checked to validate domains (for TLS certificates), rather this processing is carried out on the Subject Alternative Name extension
The CA Browser Forum Baseline Requirements have required the presence of the Subject Alternative Name extension since 2012, and use of the subject common name was deprecated in RFC 2818
Cannot add wildcard IP Address to SAN
Error Details
Attempting to add a wildcard IP address to a SAN (such as *.168.100.57) gives an error such as IP Address is invalid
It is neither possible to restrict wildcarded IP Addresses from the DN Restrictions
Solution
IP Addresses must be specified explicitly and cannot contain a wildcard
RFC2818 states
In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.
Note RFC6125 mentions that IP Addresses are out of scope as they are not reliable identifiers for application services
It is recommended that DNS domain names are used in place of IP addresses
Unable to login
Error Details
A user is unable to login.
Solution
If an admin is able to login still, check the logs for the failure reason. From the User’s menu, select the user and either enter a new password or generate a random one and email.
If the locked out user is the administrator. See here for how to reset the admin password manually.
The password you entered is incorrect
Error Details
When importing a PKCS12 file generated by certdog into a legacy version of Windows (e.g. Server 2012 and Server 2016) the import fails with the error “The password you entered is incorrect”.
Solution
Certdog uses strong encryption to protect the PKCS#12 files. Older versions of windows use a legacy based encryption mechanism and have not been updated to support more modern methods.
There are a few options available to overcome this issue:
- Use openssl to convert the PKCS#12 file to use legacy algorithms
- Import the PKCS#12 file into a newer version of windows (e.g. Windows Server 2022 or Windows 11), marking it as exportable. Then export, ensuring you choose
TripleDES-SHA1as the Encryption option. - Update the start script to revert certdog to use legacy algorithms for PKCS#12 files
To use OpenSSL
The following example is for an initial PKCS12 file (generated by certdog) called strong.p12, protected with a password of password. This outputs a weakly protected PKCS#12 version called legacy.p12 under a password of password. Update the values as required:
openssl pkcs12 -in strong.p12 -nocerts -nodes -out key.pem -passin pass:password
openssl pkcs12 -in strong.p12 -clcerts -nokeys -out cert.cer -passin pass:password
openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey key.pem -in cert.cer -out legacy.p12 -passout pass:password
Delete the key.pem file after the conversion as this file contains the private key in clear text.
To Revert to Legacy Algorithms
Locate and open for editing the following file: start-tomcat.ps1
This will be in the \bin directory (e.g. C:\certdog\bin or C:\certdogfree\bin)
Locate the following line within this file:
$env:JAVA_OPTS = "-Djavax.net.ssl.trustStore=`"$jksLocation`" -Djavax.net.ssl.trustStorePassword=temp1234! -add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED"
And update it to include -Dkeystore.pkcs12.legacy
So the complete line is as follows:
$env:JAVA_OPTS = "-Djavax.net.ssl.trustStore=`"$jksLocation`" -Djavax.net.ssl.trustStorePassword=temp1234! -Dkeystore.pkcs12.legacy --add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED"
Save the file
Restart the Krestfield CertDog Service