SYPTOMS

Consider the following scenario: you are dumping CA database by using certutil, PowerShell or any other tool that utilizes ICertView2 interface and at some point you receive the following error

Certutil:

• CertUtil: -view command FAILED: 0x80070006 (WIN32: 6)
  CertUtil: The handle is invalid.

PowerShell (when using ICertView interface):

• CEnumCERTVIEWROW::Next: The handle is invalid. 0x80070006 (WIN32: 6)

CAUSE

This error can be caused because of handle expiration. There are two functions that control database access handle validity:

1) When the connection is opened by calling ICertView2::OpenConnection the next action must be taken within a ViewIdleMinutes period. If no action (OpenView method call) is taken within this period, the handle is released. By default, ViewIdleMinutes is 8 minutes.

2) When ICertView::OpenView method is called, the handle is valid for the period specified in the ViewAgeMinutes. If the CA database dump operation exceeds this parameter, the handle is forcedly released and the error is returned. By default, ViewAgeMinutes is 16 minutes.

STATUS

This is by design.

SOLUTION

If there is a need to extend handle validity for large output, you can increase ViewAgeMinutes property by modifying CA configuration:

1. Log on to CA server with local administrator permissions;
2. Open elevated command prompt;
3. type the following commands in the command prompt:

   certutil –setreg CA\ViewAgeMinutes X

   where X – is a number that represents handle validity in minutes.
4. Restart certificate services.

WORKAROUND

No workaround is available.

APPLIES TO

• Active Directory Certificate Services (all versions)

In the previous post we explored the techniques used to create a common revocation configuration for use with Enterprise CA.

Today we will discover another option, when you create revocation configuration for external (Standalone or 3rd party) CA. Steps to create such configurations are almost the same and differ only in certain parts.

Creating revocation configuration for Standalone CA

Consider the following scenario: you have a Standalone CA which is not connected to a network. You need to create revocation configuration for this CA. Signing certificate is issued (out of band) from that CA.

Hello folks, sorry for delayed post, one of my SSD disk suddenly dead and I was busy with data recovery.

In the previous post we discovered main interfaces and methods to retrieve Online Responder array settings and revocation configurations. Today we will learn how to use them to delete existing revocation configuration and add a new one.

Deleting existing revocation configuration

In the previous post you noticed that my OCSP server has configured one revocation configuration named “test”. Consider when we don’t need this particular configuration (say, associated CA was decommissioned). We can delete it by calling IOCSPCAConfigurationCollection::DeleteCAConfiguration method and applying changes by calling IOCSPAdmin::SetConfiguration method.

Hello S-1-1-0, CryptoGuy is back again. Recently I spent a lot of time on PowerShell Cmdlet Help Editor enhancement and didn’t had enough time to write new posts. Now I’m making a break and will continue blogging. Today I open a post series about managing Microsoft Online Responders (OCSP) with PowerShell.

Underlying API

Microsoft implemented OCSP server management via a number of COM interfaces which are directly instantiable:

• IOCSPAdmin (progID: CertAdm.OCSPAdmin)
• IOCSPPropertyCollection (progID: Certadm.OCSPPropertyCollection)

Getting basic information

At first we will start with service availability by calling IOCSPAdmin.Ping method:

Time by time I receive questions about alternate signature algorithms. What is the difference between them and what benefits are in an alternate signature algorithms.

As per TechNet article:

For certificates based on RSA algorithms, PKCS #1 v2.1 specifies separate object identifiers for the hash algorithm and for the asymmetric algorithm. (In PKCS #1 v.1.5, only one object identifier is used to identify both the hash and asymmetric algorithms.) In addition, if you select the alternate signature format for certificates based on RSA algorithms, an enhanced cryptographic formula is used to create the signature.

Generally speaking, alternate signature algorithm (signature format) just allows to specify additional details about how signature is constructed.