Solved

Entrust Entelligence 9 on Win 7 could not find Certification Authority

Posted on 2013-12-31
2,349 Views
Last Modified: 2014-01-10
All Entrust Entelligence 9 installations on WinXP are running well. However, not all of those installed on Win 7 are. They all show the same message, "The mandatory policy for your Entrust security store is unavailable". There is another message prompted right after PC bootup: "Unable to find Certification Authority (CA) and Directory configuration information".

I was told to test the connection to some specific CA server. However, I do not know how to verify the connection to the CA other than by using "ping". How can I check whether any setting on Win 7 blocks it?

Thanks
Question by: ChihChieh

Author Comment

by: ChihChieh
ID: 39748515
The same epf is working on WinXP but not on Win 7, and both PCs are in the same network segment.
LVL 62

Expert Comment

by: btan
ID: 39749526
You may want to see if the links below help, e.g. pkiview
@ http://blogs.technet.com/b/pki/archive/2011/02/28/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview.aspx

How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store @ http://support.microsoft.com/kb/295663

Also note the FW rules for Active Directory Certificate Services
@ http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx

Another means I was thinking of is to request certificates from a Windows-based certification authority (CA) using the CA Web enrollment pages (assuming that is running in the CA provisioning in your infra), e.g. https://servername/certsrv, where servername is the name of the server hosting the CA Web enrollment pages. We can try servername as the direct IP and as its FQDN. Both should work.
@ http://technet.microsoft.com/en-us/library/cc770647.aspx
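The connectivity test the question asks about, beyond "ping", can be scripted on the Win 7 client itself. The script below is an added example and not code from the thread or from Entrust; the host names, IP address and port list are placeholders, and the ports are the usual ones for a directory (LDAP/LDAPS) and a CA web front end (HTTP/HTTPS). It checks each port by name and by IP, so a name-only failure points at DNS or a proxy rather than a firewall, and then prints the local firewall profile state so a host-based outbound block can be ruled in or out. It uses only .NET calls available in PowerShell 2.0 on Win 7 (Test-NetConnection does not exist there).

```powershell
# Added example (not part of the original thread or an Entrust tool).
# Placeholder targets: replace with the CA / directory servers your Entrust admin named.
$caHost  = 'ca.example.local'   # assumed CA FQDN (placeholder)
$caIp    = '10.0.0.10'          # assumed CA IP address (placeholder)
$ports   = @{ 'LDAP' = 389; 'LDAPS' = 636; 'HTTP' = 80; 'HTTPS' = 443 }
$timeout = 3000                 # milliseconds per TCP connect attempt

function Test-TcpPort {
    # Distinguishes "open", "refused" (host reachable, nothing listening) and
    # "timeout" (typically a firewall dropping the SYN, or the host is down).
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'timeout (filtered or host down)'
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'open'
    } catch {
        return "refused/failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

function Test-CertsrvPage {
    # Fetches the CA Web enrollment page; an HTTP 401 still proves the page is
    # reachable, it only means Windows authentication was requested.
    param([string]$Target)
    $url = "https://$Target/certsrv"
    try {
        $req = [System.Net.WebRequest]::Create($url)
        $req.Timeout = 5000
        $req.UseDefaultCredentials = $true
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        return "$url -> HTTP $status"
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            return "$url -> HTTP $([int]$_.Exception.Response.StatusCode)"
        }
        # No response at all: DNS failure, timeout, or a TLS trust/name error
        return "$url -> $($_.Exception.Status): $($_.Exception.Message)"
    }
}

foreach ($target in @($caHost, $caIp)) {
    foreach ($name in $ports.Keys) {
        $state = Test-TcpPort $target $ports[$name] $timeout
        '{0,-22} {1,-6} {2,5}  {3}' -f $target, $name, $ports[$name], $state
    }
    Test-CertsrvPage $target
}

# Local Windows Firewall state and default policy per profile; an outbound
# "Block" default on the active profile would explain a name-and-IP timeout.
netsh advfirewall show allprofiles | Select-String -Pattern 'State|Firewall Policy'
```

Run it in an elevated PowerShell on both the working XP machine (PowerShell 2.0 is installable there) and the failing Win 7 machine; differing results for the same target are the setting to chase.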

Author Comment

by: ChihChieh
ID: 39756241
I located two applications, "eesystry" and "eecwatch", that generated the error message "could not find Certification Authority". Looking into the log file, it said "PKI Configuration Data is missing from the registry".
Is there any reference I can use to manually add this PKI configuration data in the registry, to show both applications where the Certificate Authority is?
LVL 62

Expert Comment

by: btan
ID: 39756743
I was thinking of using pkiview to see what is working on the XP machine, based on the necessary ntstore and fields needed. Then run it again on Win7 to see what is missing... at least the backend is fine...

http://blogs.technet.com/b/pki/archive/2011/02/28/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview.aspx

I don't really recommend touching the registry or schema unnecessarily; you should raise the support case with the Entrust folks, even initially.

Coming back, there is also certutil.exe.

The certification utility (certutil.exe) command allows you to determine the validity of issued certificates through the use of two switches:

certutil -verify -urlfetch

Using the -verify -urlfetch FileName switch allows you to see the output of the URL for each certificate. If it succeeds, it will display a "verified" output. If it fails, it will display an "error" output.

certutil -viewstore

The -viewstore output allows you to see the contents of a specific Active Directory Domain Services store or object, which lets you choose to view all certificates in that store.

If the certutil command does not function correctly, or you do not have a certificate, you will receive an error message that it failed.
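The certutil -verify -urlfetch check above is done one certificate file at a time; on a client that "could not find Certification Authority" it is more useful to run it over a whole store and see which chains fail and on which URL. The script below is an added example, not part of the thread and not an Entrust tool. It assumes the Entrust policy and CA certificates live in the standard CryptoAPI stores (the 'CA' store is a placeholder; try 'Root' and 'My' too), exports each certificate, runs certutil with -urlfetch so cached CRL/AIA data is bypassed, and summarises the result. Note that certutil -viewstore opens a GUI dialog; the non-interactive equivalent used here for listing is certutil -store.

```powershell
# Added example (not from the original thread). Store names are assumptions.
$storeLocation = 'LocalMachine'   # or 'CurrentUser' for the per-user store
$storeName     = 'CA'             # placeholder; repeat for 'Root' and 'My'
$workDir = Join-Path $env:TEMP 'certcheck'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

function Test-CertChain {
    # Exports one certificate and asks certutil to build and verify its chain,
    # fetching AIA / CDP / OCSP URLs live instead of from the local cache.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $file = Join-Path $workDir ('{0}.cer' -f $Cert.Thumbprint)
    $der  = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($file, $der)

    $out = & certutil.exe -verify -urlfetch $file 2>&1 | Out-String
    # certutil returns a non-zero exit code and prints "ERROR" lines on failure;
    # per-URL fetch failures appear as 'Failed "AIA"', 'Failed "CDP"', 'Failed "OCSP"'.
    $failed = ($LASTEXITCODE -ne 0) -or ($out -match 'ERROR')
    $urlErrors = [regex]::Matches($out, 'Failed "(AIA|CDP|OCSP)"[^\r\n]*') |
        ForEach-Object { $_.Value.Trim() }
    $result = if ($failed) { 'FAILED' } else { 'verified' }

    New-Object PSObject -Property @{
        Result     = $result
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Detail     = ($urlErrors -join '; ')
    }
}

# Non-interactive listing of the store (certutil -viewstore would open a dialog)
& certutil.exe -store $storeName | Select-String -Pattern 'Subject:|Issuer:|NotAfter:'

# Verify every certificate in the chosen store and show failures first
Get-ChildItem "Cert:\$storeLocation\$storeName" |
    ForEach-Object { Test-CertChain $_ } |
    Sort-Object Result |
    Format-Table Result, Subject, Detail -AutoSize
```

A 'Failed "CDP"' or 'Failed "AIA"' entry with an otherwise healthy chain on the XP machine but not on Win 7 narrows the problem to the Win 7 client's path to the CA's publication points (proxy, firewall, name resolution) rather than to the certificates themselves.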
LVL 62

Expert Comment

by: btan
ID: 39756749
Which is why I also say support would be in a better position, since this is specific to the product, though it uses the Windows Crypto API and has its own interface to it. The tools so far (including the link below) are more examples of the scenario using a Windows CA, not the Entrust application/CA. It will be good to see if error codes from Event Viewer (application or security) can help, i.e. any specific application errors flagged out.

http://blogs.msdn.com/b/windowsvistanow/archive/2008/04/08/troubleshooting-certificate-enrollment.aspx

Entrust in Windows
http://entrust.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/esp_overview.pdf

Application Configuration
Security Provider will not use the traditional Entrust technique of storing configuration data in the entrust.ini file. While the entrust.ini file is simple to edit and easily ported to different systems and platforms, it has some limitations. The biggest limitations are that it can only contain data for one PKI and it is not easily managed remotely.

To overcome these limitations Security Provider will not use an “ini” file and configuration data will be stored in the Windows registry. The data will be stored to allow for multiple PKIs and remote management via common registry tools or Group Policy in an environment where Microsoft Active Directory is deployed.

Application configuration data will be stored in the Windows registry in both the machine and user settings. The machine settings will be used to store global configuration data included with the setup package and the user settings will be used to store per user configuration data generated at runtime.

Security Policy
Security Provider supports configuration data that is specified in Entrust policy certificates, which enforce settings such as password rules and inactivity timeout settings. The policy certificates will be stored in the CryptoAPI certificate store and data is customized by the Entrust Administrator in Entrust Authority on a per role basis.


FYI (sidetracking), understand that Entrust has an Entrust Solo, based on a self-signed cert, that does not communicate with a CA or other Public Key Infrastructure components. It may be simpler if this is for testing only. Solo has its own registry (pg 5 in the link).

http://entrust.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/eesolo_91_FAQs.pdf
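Two things this reply asks for can be collected in one go: application-log errors around the time of the failure, and a side-by-side comparison of the Security Provider registry configuration (machine and user hives, as the quoted overview describes) between the working XP machine and the failing Win 7 one. The script below is an added example and not code from the thread, Entrust or Microsoft; the registry key paths are labelled placeholders because the real Entrust key names are not given on this page and should come from Entrust's documentation or support. It only reads and exports configuration; it does not write to the registry.

```powershell
# Added example (not part of the original thread). Key paths are PLACEHOLDERS.
$machineKey = 'HKLM\SOFTWARE\<Entrust-machine-config-key>'   # placeholder, not a real path
$userKey    = 'HKCU\Software\<Entrust-user-config-key>'      # placeholder, not a real path
$snapshot   = Join-Path $env:TEMP ('entrust-config-{0}.reg' -f $env:COMPUTERNAME)

function Get-PkiErrors {
    # Application-log Error/Warning events in the last N hours whose text mentions
    # the CA or PKI configuration, as reported by the eesystry / eecwatch messages.
    param([int]$Hours = 24)
    Get-EventLog -LogName Application -After (Get-Date).AddHours(-$Hours) |
        Where-Object {
            ($_.EntryType -eq 'Error' -or $_.EntryType -eq 'Warning') -and
            ($_.Message -match 'Certification Authority|PKI Configuration|Entrust')
        } |
        Select-Object TimeGenerated, Source, EventID, Message |
        Sort-Object TimeGenerated
}

function Export-ConfigSnapshot {
    # Exports both hives to one .reg file for offline comparison; reg.exe exits
    # non-zero when a key does not exist, which is itself a finding on Win 7.
    param([string]$OutFile)
    $parts = @()
    foreach ($key in @($machineKey, $userKey)) {
        $tmp = [System.IO.Path]::GetTempFileName()
        & reg.exe export $key $tmp /y | Out-Null
        if ($LASTEXITCODE -eq 0) {
            $parts += Get-Content $tmp
        } else {
            $parts += ";; MISSING KEY: $key"
        }
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
    Set-Content -Path $OutFile -Value $parts
    return $OutFile
}

function Compare-ConfigSnapshots {
    # Lines present in only one snapshot; '<=' = only on the working machine,
    # '=>' = only on the failing one. Values like file paths or user names differ
    # legitimately, so read the output rather than treating every line as a fault.
    param([string]$WorkingFile, [string]$FailingFile)
    Compare-Object (Get-Content $WorkingFile) (Get-Content $FailingFile) |
        Sort-Object SideIndicator |
        Format-Table SideIndicator, InputObject -AutoSize -Wrap
}

Get-PkiErrors -Hours 24 | Format-Table -AutoSize -Wrap
Export-ConfigSnapshot -OutFile $snapshot
# On the Win 7 machine, after copying the XP snapshot across:
# Compare-ConfigSnapshots -WorkingFile '\\<xp-host>\share\entrust-config-XPNAME.reg' -FailingFile $snapshot
```

Run the export on both machines, copy the XP file to the Win 7 machine, and diff them; a ";; MISSING KEY" line or a whole section present only on the XP side is exactly the "PKI Configuration Data is missing from the registry" condition the log reported, and is the evidence to hand to Entrust support rather than something to recreate by hand.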

Author Comment

by: ChihChieh
ID: 39760946
The suggestion of Entrust reminded me of an alternative, and reminded me to check the reliability of the installation package. It was solved after locating the original installation package and verifying it. Thanks
LVL 62

Accepted Solution

by: btan (earned 500 total points)
ID: 39761203
Glad it helped then in another way.