Certutil Bug in Windows Server 2016 Fails to Enumerate Issuance, Application Policies and OIDs

Recently one of our colleagues at nCipher in England related to us an issue reported by one of its customers using the certutil -verify -urlfetch command against an issued end-entity certificate on Windows Server 2016 (Build 1607). Running the command with no extra options, the command indicates a failure in the output (see the output below). During the verification process, the Issuance and Application policies that were enforced by the Issuing CA were not enumerated and verified. Of course, the customer now thought that the certificate was bad, based on the failure to show any of the customized policies that should have been there, as indeed they were on other certs on other machines from the same Issuing CA.

Here is the last section of the results from a test certificate on the same build of Windows 2016 to confirm this. I issued a certificate from a CA where a High Assurance and a Legal Issuance policy, as well as EKUs, were specified on the template. Note that chain verification was not processed either.

Exclude leaf cert:
  Chain: cbc725c16415046c35d3bc4512653a3e009fe32b
Full chain:
  Chain: 25973944a354bde631b436aa7450cea2560bc0e1
Issuer: CN=Contoso CA2, DC=contoso, DC=com
  NotBefore: 3/7/2019 10:07 AM
  NotAfter: 3/6/2020 10:07 AM
  Subject: CN=Rosie Cardel, CN=Users, DC=contoso, DC=com
  Serial: 1800000007e993271849e6eac1000000000007
  SubjectAltName: Other Name:Principal Name=Rosie@contoso.com
  Template: Contoso User
  Cert: 9da2e8296a7ce657bc7d6affc876d00feaed19d8
Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
————————————
CertUtil: -verify command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Cannot find object or property.

However, running the certutil utility copied from a Windows 2012 R2 Server (6.3.9600) and against the same test certificate, the command completed successfully and verified the policies. (See below).

Exclude leaf cert:
25bff39287a5a529db426937115531461131915d
Full chain:
  7e8a872906157384ca5ed1e559bad2087a94040a
————————————
Verified Issuance Policies:
1.3.6.1.4.1.311.21.43 Legal Policy
1.3.6.1.4.1.12345.509.2.4 Contoso High Assurance
Verified Application Policies:
    1.3.6.1.5.5.7.3.4 Secure Email
    1.3.6.1.4.1.311.10.3.4 Encrypting File System
    1.3.6.1.5.5.7.3.2 Client Authentication

The customer was naturally confused and reached out to Microsoft explaining the issue and the steps he'd taken, and Microsoft's response confirmed that there is an issue with the certutil.exe utility in Windows Server 2016 (Build 1607). To verify this, the customer ran the certutil utility copied from both Windows 10 and a Windows 2019 Server on the Windows 2016 Server, with positive and expected results: the Issuance and Application policies are checked.

Here is the reproduced result I got when using certutil from a Windows Server 2019 (Build 1809):

Exclude leaf cert:
  Chain: 5d91311146315511376942db29a5a58792f3bf25
Full chain:
  Chain: 0a04947a08d2ba59e5d15eca8473150629878a7e
————————————
Verified Issuance Policies:
1.3.6.1.4.1.311.21.43 Legal Policy
1.3.6.1.4.1.12345.509.2.4
Verified Application Policies:
1.3.6.1.5.5.7.3.4 Secure Email
1.3.6.1.4.1.311.10.3.4 Encrypting File System
1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.  

So, Microsoft's response was a workaround for the -verify switch when using certutil on Windows Server 2016 (Build 1607). They suggest you copy the certutil.exe file (and the accompanying certutil.exe.mui) from the System32 folder of either a Windows Server 2012 R2, Windows Server 2019 or Windows 10 machine. Place the files and the certificate file you want to check in a separate folder and run certutil from there. The second method, though not recommended, would be to copy the cert file into any folder on one of those machines and run the certutil -verify command from there.
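The first workaround, scripted as an added example that is not from the original post and not Microsoft's own tooling: it stages a known-good certutil.exe and its .mui in a separate folder, runs the -verify -urlfetch check from there, and parses the Verified Issuance/Application Policies sections so the 0x80092004 (CRYPT_E_NOT_FOUND) failure from a 1607 binary can be told apart from a clean result. The source host name, the admin-share path, the en-US subfolder for certutil.exe.mui and the certificate path are all assumptions and placeholders.

```powershell
# Added example: stage a good certutil.exe next to the cert and check the policy output.
param(
    [string]$SourceHost = 'GOODSERVER',         # placeholder: a 2012 R2 / 2019 / Win10 box
    [string]$CertPath   = 'C:\Temp\user.cer',   # placeholder: end-entity certificate to verify
    [string]$Stage      = 'C:\Temp\certutil-good'
)

# Assumption: System32 is reachable over the admin share and the .mui sits in en-US.
$src = "\\$SourceHost\C$\Windows\System32"
New-Item -ItemType Directory -Path "$Stage\en-US" -Force | Out-Null
Copy-Item "$src\certutil.exe"           "$Stage\certutil.exe"           -Force
Copy-Item "$src\en-US\certutil.exe.mui" "$Stage\en-US\certutil.exe.mui" -Force

# Run the staged binary from its own folder, as the workaround describes.
Push-Location $Stage
$lines = .\certutil.exe -verify -urlfetch $CertPath 2>&1 | ForEach-Object { "$_" }
$exit  = $LASTEXITCODE
Pop-Location

# Collect the OIDs listed under each "Verified ... Policies:" heading and
# flag the CRYPT_E_NOT_FOUND error that the 1607 build emits instead.
$result  = @{ Issuance = @(); Application = @(); Failed = $false; ExitCode = $exit }
$section = $null
foreach ($line in $lines) {
    $t = $line.Trim()
    if ($t -match '0x80092004|CRYPT_E_NOT_FOUND') { $result.Failed = $true }
    if ($t -like 'Verified Issuance Policies:*')    { $section = 'Issuance';    continue }
    if ($t -like 'Verified Application Policies:*') { $section = 'Application'; continue }
    if ($section -and $t -match '^(\d+(?:\.\d+)+)\s*(.*)$') {
        # e.g. "1.3.6.1.4.1.311.21.43 Legal Policy" -> Oid + friendly name (name may be empty)
        $result[$section] += [pscustomobject]@{ Oid = $Matches[1]; Name = $Matches[2] }
    } else {
        $section = $null   # any other line ends the current policy list
    }
}

if ($result.Failed -or $exit -ne 0) {
    Write-Warning "certutil -verify failed (exit $exit): the policy sections were not produced"
} elseif (-not $result.Issuance -and -not $result.Application) {
    Write-Warning "verify succeeded but no policies were enumerated; check the template"
}
"Issuance policies:    $($result.Issuance.Oid -join ', ')"
"Application policies: $($result.Application.Oid -join ', ')"
[pscustomobject]$result
```

Run the same script with `$Stage` pointing at the local 1607 System32 copy to see the CRYPT_E_NOT_FOUND path taken for comparison.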

Microsoft said that only the 1607 version of Windows Server 2016 had this issue. The two last SAC (Semi-Annual Channel) releases (1709 and 1803) are Server Core and these were not tested for this article. Microsoft support also noted there wouldn't be any fix or patch coming for this short of the next release. So, for the long haul, it appears the best way to keep your certutil utility in top shape going forward is to copy a good pair of the files to your 2016 servers where needed. A little something to add to your day!

About Mark B. Cooper aka "The PKI Guy"

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.
