Solved

Entrust Entelligence 9 on Win 7 could not find Certification Authority

Posted on 2013-12-31
7
2,289 Views
Last Modified: 2014-01-10
All Entrust Entelligence 9 installations on WinXP are running well. However, not all of those installed on Win 7 do. They all have the same message: "The mandatory policy for your Entrust security store is unavailable". There is another message prompted right after PC bootup: "Unable to find Certification Authority (CA) and Directory configuration information".

I was told to test the connection to a specific CA server. However, I do not know how to verify the connection to the CA other than by using "ping". How can I check whether there is any setting on Win 7 that blocks it?

Thanks
Question by: ChihChieh
7 Comments
 

Author Comment

by:ChihChieh
ID: 39748515
The same epf is working on WinXP but not on Win 7, and both PCs are in the same network segment.
LVL 61

Expert Comment

by:btan
ID: 39749526
You may want to see if the below helps, e.g. pkiview
@ http://blogs.technet.com/b/pki/archive/2011/02/28/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview.aspx

How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store @ http://support.microsoft.com/kb/295663

Also note the FW rules for Active Directory Certificate Services
@ http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx

Another means I was thinking of: to request certificates from a Windows-based certification authority (CA), you use the CA Web enrollment pages (assuming that is running in CA provisioning in your infra), e.g. https://servername/certsrv, where servername is the name of the server hosting the CA Web enrollment pages. We can try servername as the direct IP and as its FQDN. Both should work.
@ http://technet.microsoft.com/en-us/library/cc770647.aspx
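Added example (not part of the original thread, and not Entrust's or Microsoft's code): a PowerShell 2.0 script for the Win 7 client that goes beyond "ping" when testing the path to the CA and directory server. It resolves the name, attempts a TCP connect with a timeout to each port, and reads the Windows Firewall profile state and default policy from netsh. The server name is a placeholder, and the port list is an assumption (Entrust Authority Security Manager uses TCP 829 for PKIX-CMP by default, and LDAP is 389/636); substitute the values your Entrust administrator gives you. Test-NetConnection is deliberately not used because it does not exist on Windows 7.

```powershell
# Added example: reachability checks from a Win 7 client to a CA / directory host.
# ASSUMPTIONS: $CaServer is a placeholder; $Ports are assumed defaults (Entrust CMP 829,
# LDAP 389/636). Replace both with the values from your Entrust deployment notes.
param(
    [string]$CaServer  = 'ca.example.com',   # placeholder, replace
    [int[]]$Ports      = @(829, 389, 636),   # assumed ports, replace
    [int]$TimeoutMs    = 3000
)

function Resolve-CaHost {
    # DNS first: a client that cannot resolve the CA name never gets as far as the firewall.
    param([string]$Name)
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        New-Object PSObject -Property @{ Host = $Name; Resolved = $true;  Addresses = ($ips -join ',') }
    } catch {
        New-Object PSObject -Property @{ Host = $Name; Resolved = $false; Addresses = $_.Exception.Message }
    }
}

function Test-TcpPort {
    # Plain TCP connect with a timeout (works on PowerShell 2.0, no Test-NetConnection needed).
    # 'timeout'  = no answer at all: filtered by a firewall, wrong address, or host down.
    # 'refused'  = RST came back: host reachable but nothing listening (or a rejecting filter).
    param([string]$Server, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    $status = 'timeout'
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)   # throws on refused / unreachable
            $status = 'open'
        }
    } catch {
        $status = 'refused/unreachable'
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{ Server = $Server; Port = $Port; Status = $status }
}

function Get-FirewallProfileSummary {
    # Parses "netsh advfirewall show allprofiles" (English Windows 7 output) for each
    # profile's State and default Firewall Policy, e.g. "BlockInbound,AllowOutbound".
    $current = $null; $state = $null; $result = @()
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(\w+) Profile Settings:')           { $current = $matches[1] }
        elseif ($line -match '^State\s+(\w+)')                 { $state   = $matches[1] }
        elseif ($line -match '^Firewall Policy\s+(\S+)') {
            $result += New-Object PSObject -Property @{ Profile = $current; State = $state; Policy = $matches[1] }
        }
    }
    $result
}

Resolve-CaHost $CaServer | Format-List Host, Resolved, Addresses
$Ports | ForEach-Object { Test-TcpPort -Server $CaServer -Port $_ -TimeoutMs $TimeoutMs } |
    Format-Table Server, Port, Status -AutoSize
Get-FirewallProfileSummary | Format-Table Profile, State, Policy -AutoSize
# Reading the result: every port 'timeout' plus a "BlockOutbound" policy points at the local
# client; 'refused' on one port with the others 'open' points at the service on the server.
```

Run it once on the working XP box and once on the failing Win 7 box with the same arguments; the two outputs differing in a single port status is far more useful than a successful ping, which only proves ICMP is allowed.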

Author Comment

by:ChihChieh
ID: 39756241
I located two applications, "eesystry" and "eecwatch", that generated the error message "could not find Certification Authority". Looking into the log file, it said "PKI Configuration Data is missing from the registry".
Is there any reference I can use to manually add this PKI configuration data in the registry to show both applications where the Certificate Authority is?
LVL 61

Expert Comment

by:btan
ID: 39756743
I was thinking of using pkiview to see what is working in the XP based on the necessary NT store and fields needed. Then run it again in Win7 to see what is missing... at least the backend is fine...

http://blogs.technet.com/b/pki/archive/2011/02/28/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview.aspx

I don't really recommend touching the registry or schema unnecessarily; you should raise this with the Entrust support folks, even initially.

Coming back, there is also certutil.exe

The certification utility (certutil.exe) command allows you to determine the validity of issued certificates through the use of two switches:

certutil -verify -urlfetch

Using the -verify -urlfetch FileName switch allows you to see the output of the URL for each certificate. If it succeeds, it will display a "verified" output. If it fails, it will display an "error" output.

certutil -viewstore

The -viewstore output allows you to see the contents of a specific Active Directory Domain Services store or object, which lets you choose to view all certificates in that store.

If the certutil command does not function correctly, or you do not have a certificate, you will receive an error message that it failed.
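Added example (not part of the original thread, and not Entrust's or Microsoft's code) for the "run it on XP, run it again on Win 7, see what is missing" suggestion above: a PowerShell 2.0 script that dumps the CryptoAPI Root and CA stores to a CSV keyed by thumbprint, runs certutil -verify -urlfetch against every certificate in the machine CA store so the AIA/CDP URLs are actually fetched from this client, and prints the local cache of the enterprise NTAuth store (the store KB 295663 is about). Compare-StoreDump diffs two CSVs from two machines. The output path is a placeholder; the store names are the standard Windows ones.

```powershell
# Added example: dump certificate stores, fetch each CA cert's URLs with certutil, diff machines.
# ASSUMPTION: $OutFile is a placeholder path. Run as a user that can read LocalMachine stores.
param(
    [string]$OutFile = "$env:TEMP\certstores-$env:COMPUTERNAME.csv"   # placeholder
)

function Get-StoreDump {
    # The stores the Windows chain engine consults; a store missing on this OS is skipped.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
              'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
    foreach ($store in $stores) {
        if (-not (Test-Path $store)) { continue }
        foreach ($cert in (Get-ChildItem $store)) {
            New-Object PSObject -Property @{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

function Test-CaCertUrls {
    # Exports one certificate (public part only) to a temp file and runs
    # "certutil -verify -urlfetch" on it, which retrieves the AIA/CDP URLs over the network.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $tmp = Join-Path $env:TEMP ("verify-{0}.cer" -f $Cert.Thumbprint)
    [System.IO.File]::WriteAllBytes($tmp,
        $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    $out  = & certutil.exe -verify -urlfetch $tmp 2>&1 | ForEach-Object { "$_" }
    $exit = $LASTEXITCODE
    Remove-Item $tmp -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Subject  = $Cert.Subject
        ExitCode = $exit
        # Only the lines a human needs: "Verified", "ERROR", "failed", revocation status.
        Notes    = (($out | Where-Object { $_ -match 'error|failed|verified|revocation' }) -join ' | ')
    }
}

function Compare-StoreDump {
    # Diff two CSVs written by this script (e.g. XP vs Win 7) by store + thumbprint.
    # "<=" = only in the first file, "=>" = only in the second.
    param([string]$Left, [string]$Right)
    $l = Import-Csv $Left; $r = Import-Csv $Right
    Compare-Object $l $r -Property Store, Thumbprint -PassThru |
        Select-Object SideIndicator, Store, Subject, Thumbprint
}

$dump = @(Get-StoreDump)
$dump | Export-Csv -Path $OutFile -NoTypeInformation
"Wrote $($dump.Count) certificates to $OutFile"

# A URL that times out or returns an HTTP error here is a concrete, named network/firewall
# symptom rather than a generic "could not find Certification Authority".
Get-ChildItem Cert:\LocalMachine\CA | ForEach-Object { Test-CaCertUrls $_ } | Format-List

# Local copy of the enterprise NTAuth store (KB 295663): populated on XP but empty here is a finding.
certutil.exe -enterprise -store NTAuth
```

After running the script on both machines, copy the XP CSV next to the Win 7 one and call Compare-StoreDump with the two paths; any "<=" row is a CA or root certificate the working client has and the failing one lacks.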
LVL 61

Expert Comment

by:btan
ID: 39756749
This is why I also say support would be in a better position, since this is specific to the product, though it uses the Windows Crypto API and has its interface to it. The tools so far (including the link below) are more examples of the scenario using a Windows CA, not the Entrust application/CA. It will be good to see if error codes from the event viewer (application or security) help, with any specific application errors flagged.

http://blogs.msdn.com/b/windowsvistanow/archive/2008/04/08/troubleshooting-certificate-enrollment.aspx

Entrust in Windows
http://entrust.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/esp_overview.pdf

Application Configuration
Security Provider will not use the traditional Entrust technique of storing configuration data in the entrust.ini file. While the entrust.ini file is simple to edit and easily ported to different systems and platforms, it has some limitations. The biggest limitations are that it can only contain data for one PKI and it is not easily managed remotely.

To overcome these limitations Security Provider will not use an “ini” file and configuration data will be stored in the Windows registry. The data will be stored to allow for multiple PKIs and remote management via common registry tools or Group Policy in an environment where Microsoft Active Directory is deployed.

Application configuration data will be stored in the Windows registry in both the machine and user settings. The machine settings will be used to store global configuration data included with the setup package and the user settings will be used to store per user configuration data generated at runtime.

Security Policy
Security Provider supports configuration data that is specified in Entrust policy certificates, which enforce settings such as password rules and inactivity timeout settings. The policy certificates will be stored in the CryptoAPI certificate store and data is customized by the Entrust Administrator in Entrust Authority on a per role basis.


FYI (sidetracking), I understand that Entrust has Entrust Solo, which is based on a self-signed cert and does not communicate with a CA or other Public Key Infrastructure components. It may be simpler if this is for testing only. Solo has its own registry (pg 5 in link)

http://entrust.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/eesolo_91_FAQs.pdf
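Added example (not part of the original thread, and not Entrust's code) for the two things the comment above says to look at: the application event log, and the machine (HKLM) and per-user (HKCU) registry locations that the Security Provider overview says hold the configuration. The script exports Error/Warning entries whose source matches a pattern or whose message contains the strings seen in this thread, and dumps the configuration subkey from both hives as name=value lines for diffing against the XP client. The registry subkey 'SOFTWARE\Entrust' and the source pattern are placeholders and assumptions; take the real key from the Entrust install notes. One caveat the script covers: on 64-bit Windows 7 a 32-bit client reads HKLM\SOFTWARE through Wow6432Node, so that view is dumped as well.

```powershell
# Added example: collect event-log errors and the HKLM/HKCU configuration subkey on the Win 7 client.
# ASSUMPTIONS: $ConfigSubKey and $SourcePattern are placeholders, not documented Entrust values.
param(
    [string]$ConfigSubKey  = 'SOFTWARE\Entrust',   # placeholder; use the documented key
    [string]$SourcePattern = 'entrust|^ee',        # assumed: client processes are named ee*
    [string]$OutDir        = "$env:TEMP\entrust-diag"
)

function Get-EntrustAppErrors {
    # Application log only; Get-EventLog is available on PowerShell 2.0 / Windows 7.
    param([int]$Newest = 200)
    Get-EventLog -LogName Application -EntryType Error, Warning -Newest $Newest |
        Where-Object {
            $_.Source -match $SourcePattern -or
            $_.Message -match 'Certification Authority|PKI Configuration|security store'
        } |
        Select-Object TimeGenerated, Source, EventID,
            @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Export-RegistryTree {
    # Recursive dump of one subkey under one hive as "key\name = value" lines.
    # The same dump from the working XP client diffs cleanly with fc.exe or Compare-Object.
    param([string]$Hive, [string]$SubKey)
    $root = "Registry::$Hive\$SubKey"
    if (-not (Test-Path $root)) { return "$root : NOT PRESENT" }
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $label = if ($name -eq '') { '(Default)' } else { $name }
            "{0}\{1} = {2}" -f $k.Name, $label, ($k.GetValue($name) -join ',')
        }
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Get-EntrustAppErrors | Export-Csv "$OutDir\app-errors.csv" -NoTypeInformation
# Machine settings (global config shipped with the setup package) and user settings (runtime).
Export-RegistryTree 'HKEY_LOCAL_MACHINE' $ConfigSubKey | Set-Content "$OutDir\hklm.txt"
Export-RegistryTree 'HKEY_CURRENT_USER'  $ConfigSubKey | Set-Content "$OutDir\hkcu.txt"
# 64-bit Win 7: a 32-bit client sees HKLM\SOFTWARE redirected to Wow6432Node; dump that view too,
# otherwise "missing from the registry" may just mean "present in the other view".
$wowKey = "SOFTWARE\Wow6432Node\" + ($ConfigSubKey -replace '^SOFTWARE\\', '')
Export-RegistryTree 'HKEY_LOCAL_MACHINE' $wowKey | Set-Content "$OutDir\hklm-wow64.txt"
"Diagnostics written to $OutDir; diff hklm.txt and hkcu.txt against the same dumps from the XP client"
```

The dumps are read-only; nothing here writes to the registry, which keeps with the advice above not to hand-edit it before support has looked at the output.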

Author Comment

by:ChihChieh
ID: 39760946
The suggestion about Entrust reminded me of an alternative, and reminded me to check the reliability of the installation package. It was solved after locating the original installation package and verifying it. Thanks
LVL 61

Accepted Solution

by: btan (earned 500 total points)
ID: 39761203
Glad it helped then in another way.