Monday, November 30, 2015

Online Responder Service failed to create an enrollment request

Q: The customer implemented an internal CA structure with an OCSP server.  After a few weeks they began getting these two errors in their Application Event Logs every few hours.

The Online Responder Service could not locate a signing certificate for configuration ******.(Cannot find the original signer. 0x8009100e (-2146889714))

The Online Responder Service failed to create an enrollment request for the signing certificate template OCSPResponseSigning for configuration *********.(This operation requires an interactive window station. 0x800705b3 (WIN32: 1459))

A: After weeks of arguing with Microsoft support we reached a fourth tech who immediately identified the issue.  It was a simple registry key.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
ForceKeyProtection has a value of 1.
They suggested we delete the key, reboot, and reconfigure the OCSP server; the customer hasn't seen the error since.

NOTE: Check where this setting comes from. If a GPO is used to enable it, you'll have to change that GPO to keep the fix permanent; otherwise the registry key will come back.

Security Settings>Local Policies>Security Options>"System Cryptography: Force Strong Key Protection for User Keys stored on the computer"

HOW TO - Encrypt a file with OpenSSL

Q: A customer called today needing file encryption supported by FIPS 140-2.
We found GPG, an open source solution, was not supported according to the Cryptographic Modules list - http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm but OpenSSL was supported.

A: We suggested following the excellent instructions we found here to perform file encryption using OpenSSL.  We've duplicated the steps below with one minor change.  On the first step we recommended 2048 instead of 1024.

https://www.devco.net/archives/2006/02/13/public_-_private_key_encryption_using_openssl.php


1) Generate a public & private key and store it in private.pem:
openssl genrsa -out private.pem 2048

2) Extract the public key to a file public.pem:
openssl rsa -in private.pem -out public.pem -outform PEM -pubout

3) Create a bit of data to encrypt:
echo "If you can read this, you've successfully decrypted the file" > file.txt

4) Encrypt the file:
openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl

5) Decrypt the file:
openssl rsautl -decrypt -inkey private.pem -in file.ssl -out decrypted.txt

6) Display the contents:
type decrypted.txt
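The steps above encrypt the file directly with the RSA key. That works for the one-line test file, but RSA on its own can only encrypt a payload smaller than the modulus minus padding (about 245 bytes for a 2048-bit key with the default PKCS#1 v1.5 padding), so a real document fails at step 4. The usual fix is a hybrid scheme: encrypt the file with AES under a random key, then RSA-encrypt only that key. The POSIX sh script below is an added example, not code from the post or from the devco.net article, and it assumes an `openssl` binary on the PATH. It uses `pkeyutl` in place of the post's `rsautl` (which is deprecated since OpenSSL 3.0) and AES-256-CBC, a FIPS-approved cipher; whether the result counts as FIPS 140-2 use still depends on running a validated OpenSSL module in FIPS mode, which the script does not check. The function and file names are the example's own. Where the post's Windows prompt uses `type`, a Unix shell uses `cat`.

```shell
#!/bin/sh
# Added example (not from the original post or the devco.net article).
# Hybrid encryption with OpenSSL: the file is encrypted with AES-256-CBC under a
# random key, and only that key (plus IV) is RSA-encrypted with the public key.
# pkeyutl is used instead of the post's rsautl; rsautl is deprecated in OpenSSL 3.
set -eu

# Steps 1 and 2 of the post: 2048-bit RSA private key and extracted public key.
make_keys() {
  dir="$1"
  openssl genrsa -out "$dir/private.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/private.pem" -pubout -out "$dir/public.pem" 2>/dev/null
}

# Encrypt $2 with the public key $1, writing $3.enc (AES ciphertext) and
# $3.key (RSA-wrapped hex AES key and IV, one per line).
encrypt_file() {
  pub="$1"; infile="$2"; outprefix="$3"
  key=$(openssl rand -hex 32)   # 256-bit AES key
  iv=$(openssl rand -hex 16)    # 128-bit CBC IV
  openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$infile" -out "$outprefix.enc"
  printf '%s\n%s\n' "$key" "$iv" |
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -out "$outprefix.key"
}

# Reverse: unwrap the key material with private key $1, then decrypt $2.enc to $3.
decrypt_file() {
  priv="$1"; inprefix="$2"; outfile="$3"
  keymat=$(openssl pkeyutl -decrypt -inkey "$priv" -in "$inprefix.key")
  set -- $keymat            # word-split the two lines into key and IV
  openssl enc -d -aes-256-cbc -K "$1" -iv "$2" -in "$inprefix.enc" -out "$outfile"
}

# SHA-256 of a file, used to compare plaintext and decrypted output.
sha256_of() {
  openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Round trip over a constructed 4 KiB file; returns 0 only if the plaintext survives.
roundtrip() {
  dir=$(mktemp -d)
  make_keys "$dir"
  printf 'If you can read this, you have successfully decrypted the file\n' > "$dir/file.txt"
  openssl rand 4096 >> "$dir/file.txt"   # well past the raw-RSA size limit
  encrypt_file "$dir/public.pem" "$dir/file.txt" "$dir/file"
  decrypt_file "$dir/private.pem" "$dir/file" "$dir/decrypted.txt"
  if [ "$(sha256_of "$dir/file.txt")" = "$(sha256_of "$dir/decrypted.txt")" ]; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$dir"
  return $rc
}

# Shows why the hybrid step is needed: RSA alone (the post's step 4) rejects input
# larger than the modulus minus padding, about 245 bytes for a 2048-bit key.
# Returns 0 if OpenSSL refuses to encrypt the 4 KiB file directly.
raw_rsa_rejects_large() {
  dir=$(mktemp -d)
  make_keys "$dir"
  openssl rand -out "$dir/big.txt" 4096
  if openssl pkeyutl -encrypt -pubin -inkey "$dir/public.pem" \
       -in "$dir/big.txt" -out "$dir/big.ssl" 2>/dev/null; then
    rc=1
  else
    rc=0
  fi
  rm -rf "$dir"
  return $rc
}

if roundtrip; then echo "hybrid round trip OK"; else echo "hybrid round trip FAILED"; fi
if raw_rsa_rejects_large; then echo "raw RSA rejected the 4 KiB input, as expected"; fi
```

The wrapped key file and the `.enc` file travel together; the private key never leaves the recipient. CBC gives confidentiality only, so anyone who needs tamper detection should add a MAC or use an authenticated mode, which is outside what the post covers.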