Certutil Bug in Windows Server 2016 Fails to Enumerate Issuance, Application Policies and OIDs
Recently, one of our colleagues at nCipher in England related to us an issue reported by one of its customers who was running certutil -verify -urlfetch against an issued end-entity certificate on Windows Server 2016 (Build 1607). Run with no extra options, the command reports a failure in its output (see figure below). During verification, the Issuance and Application policies enforced by the Issuing CA were not enumerated and verified. Naturally, the customer then assumed the certificate was bad, since it failed to show the customized policies that should have been there, as indeed they were on other certificates checked on other machines from the same Issuing CA.
Here is the last section of the results from a test certificate on the same build of Windows Server 2016, which confirms this. I issued a certificate from a CA using a template that specified a High Assurance and a Legal Issuance policy as well as EKUs. Note that the chain verification was not completed either.
Exclude leaf cert:
  Chain: cbc725c16415046c35d3bc4512653a3e009fe32b
Full chain:
  Chain: 25973944a354bde631b436aa7450cea2560bc0e1
  Issuer: CN=Contoso CA2, DC=contoso, DC=com
  NotBefore: 3/7/2019 10:07 AM
  NotAfter: 3/6/2020 10:07 AM
  Subject: CN=Rosie Cardel, CN=Users, DC=contoso, DC=com
  Serial: 1800000007e993271849e6eac1000000000007
  SubjectAltName: Other Name:Principal Name=Rosie@contoso.com
  Template: Contoso User
  Cert: 9da2e8296a7ce657bc7d6affc876d00feaed19d8
  Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
————————————
CertUtil: -verify command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Cannot find object or property.
However, running the certutil utility copied from a Windows Server 2012 R2 machine (6.3.9600) against the same test certificate, the command completed successfully and verified the policies (see below).
Exclude leaf cert: 25bff39287a5a529db426937115531461131915d
Full chain: 7e8a872906157384ca5ed1e559bad2087a94040a
————————————
Verified Issuance Policies:
  1.3.6.1.4.1.311.21.43 Legal Policy
  1.3.6.1.4.1.12345.509.2.4 Contoso High Assurance
Verified Application Policies:
  1.3.6.1.5.5.7.3.4 Secure Email
  1.3.6.1.4.1.311.10.3.4 Encrypting File System
  1.3.6.1.5.5.7.3.2 Client Authentication
The customer was naturally confused and reached out to Microsoft, explaining the issue and the steps he’d taken; Microsoft’s response confirmed that there is an issue with the certutil.exe utility in Windows Server 2016 (Build 1607). To verify this, the customer ran the certutil utility copied from both Windows 10 and Windows Server 2019 on the Windows Server 2016 machine, with the positive and expected results: the Issuance and Application policies are checked.
Here is the reproduced result I got when using certutil from a Windows Server 2019 (Build 1809):
Exclude leaf cert:
  Chain: 5d91311146315511376942db29a5a58792f3bf25
Full chain:
  Chain: 0a04947a08d2ba59e5d15eca8473150629878a7e
———————————–
Verified Issuance Policies:
  1.3.6.1.4.1.311.21.43 Legal Policy
  1.3.6.1.4.1.12345.509.2.4
Verified Application Policies:
  1.3.6.1.5.5.7.3.4 Secure Email
  1.3.6.1.4.1.311.10.3.4 Encrypting File System
  1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
So, Microsoft’s response was a workaround for using the certutil -verify switch on Windows Server 2016 (Build 1607): copy certutil.exe (and the accompanying certutil.exe.mui) from the System32 folder of a Windows Server 2012 R2, Windows Server 2019 or Windows 10 machine, place those files together with the certificate file you want to check in a separate folder, and run certutil from there. The second method, though not recommended, is to copy the certificate file to any folder on one of those machines and run the certutil -verify command there.
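One way to script the first workaround, as an added PowerShell example that is not part of the original post or of Microsoft’s guidance: it stages certutil.exe and its .mui file from a known-good build beside the certificate, runs -verify -urlfetch from that folder, and then checks the output for the policy OIDs the template is expected to carry rather than trusting the exit status alone. The source share, the staging and certificate paths, and the en-US subfolder location of the .mui file are assumptions.

```powershell
# Added example (not from the original post): stage a known-good certutil.exe and
# certutil.exe.mui beside the certificate, run -verify -urlfetch from that folder,
# and check that the policy sections the template requires actually appear.
# Paths and expected OIDs below are assumptions for illustration.
param(
    [string]$GoodSystem32 = '\\GOODHOST\C$\Windows\System32',  # 2012 R2 / 2019 / Win10 source (assumed share)
    [string]$WorkDir      = 'C:\certutil-good',                # staging folder on the 2016 server (assumed)
    [string]$CertFile     = 'C:\certs\rosie.cer'               # end-entity certificate to check (assumed)
)

# Issuance/application policy OIDs the template is expected to carry (taken from the post's output).
$ExpectedOids = @(
    '1.3.6.1.4.1.311.21.43',      # Legal Policy (issuance)
    '1.3.6.1.4.1.12345.509.2.4',  # Contoso High Assurance (issuance)
    '1.3.6.1.5.5.7.3.4',          # Secure Email (application)
    '1.3.6.1.4.1.311.10.3.4',     # Encrypting File System (application)
    '1.3.6.1.5.5.7.3.2'           # Client Authentication (application)
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Copy-Item "$GoodSystem32\certutil.exe" $WorkDir -Force
# The .mui resource file is assumed to sit in the language subfolder; keep that layout beside the exe.
New-Item -ItemType Directory -Path "$WorkDir\en-US" -Force | Out-Null
Copy-Item "$GoodSystem32\en-US\certutil.exe.mui" "$WorkDir\en-US" -Force

# Refuse to proceed if the affected binary was staged by mistake (build 14393 is Server 2016 1607).
$ver = (Get-Item "$WorkDir\certutil.exe").VersionInfo
if ($ver.FileBuildPart -eq 14393) { throw "Staged certutil is the affected 1607 build ($($ver.FileVersion))." }

Push-Location $WorkDir
try {
    $output = & "$WorkDir\certutil.exe" -verify -urlfetch $CertFile 2>&1 | Out-String
} finally { Pop-Location }

# Interpret the result the way the post describes: CRYPT_E_NOT_FOUND with no
# "Verified ... Policies" sections is the 1607 certutil symptom, not a bad certificate.
if ($output -match 'CRYPT_E_NOT_FOUND' -and $output -notmatch 'Verified Issuance Policies') {
    Write-Warning 'Policies were not enumerated: this matches the Server 2016 (1607) certutil symptom.'
}
$missing = $ExpectedOids | Where-Object { $output -notmatch [regex]::Escape($_) }
if ($missing) { Write-Warning "Policy OIDs not reported: $($missing -join ', ')" }
else          { Write-Host 'All expected issuance and application policies were verified.' }
$output
```

The OID list is the useful part: a verify run that "completes successfully" but omits a policy the template enforces still deserves a look, so compare against what the template should produce rather than just the final CertUtil status line.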
Microsoft said that only the 1607 version of Windows Server 2016 has this issue. The two latest SAC (Semi-Annual Channel) releases (1709 and 1803) are Server Core and were not tested for this article. Microsoft support also noted that no fix or patch would be coming for this short of the next release. So, for the long haul, it appears the best way to keep your certutil utility in top shape is to copy a good pair of the files to your 2016 servers where needed. A little something to add to your day!
Mark B. Cooper
President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.