• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3291
  • Last Modified:

Entrust Entelligence 9 on Win 7 could not find Certification Authority

All Entrust Entelligence 9 installation on WinXP are running well. However, not all installed on Win 7. They all have same message "The mandatory policy for your Entrust security store is unavailable". There is another message prompted right after PC bootup, "Unable to find Certification Authority(CA) and Directory configuration information".

I was told to test the connection to some specific CA server. However, I do not know how to verify the connection to CA, other than using "ping". How to check if there is any setting on Win 7 blocks it?

  • 4
  • 3
1 Solution
ChihChiehAuthor Commented:
Same epf is working on WinXP, but not on Win 7, and both PCs are in the same network segment
btanExec ConsultantCommented:
You may want to see if below help e.g. pkiview
@ http://blogs.technet.com/b/pki/archive/2011/02/28/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview.aspx

How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store @ http://support.microsoft.com/kb/295663

Also not the FW rules for Active Directory Certificate Services
@ http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx

Another means I was thinking is request certificates from a Windows-based certification authority (CA), you use the CA Web enrollment pages (assuming that is running in CA provisioning in your infra). E.g. https://servername/certsrv, where servername is the name of the server hosting the CA Web enrollment pages. We can try servername based on IP direct and its FQDN name. Both should work
@ http://technet.microsoft.com/en-us/library/cc770647.aspx
ChihChiehAuthor Commented:
I located two applications "eesystry" and "eecwatch" generated error message "could not find Certification Authority". Looking into the log file, it said "PKI Configuration Data is missing from the registry".
Is there any reference that I can manually add this PKI configuration data inregistry to show both applications where the Certificate Authority?
Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

btanExec ConsultantCommented:
I was thinking using pkiview to see what is working in the xp based on the necessary ntstore and fields needed. Then run it again in win7 to see what is missing...at least the backend is fine...


I don't really recommend touching the registry or schema unnecessarily, you should raise the suppory to the entrust folks even initially.  

Coming back, There is also certutil.exe

The certification utility (certutil.exe) command allows you to determine the validity of issued certificates through the use of two switches:

certutil -verify –urlfetch

Using the –verify –urlfetch FileName switch allows you to see the output of the URL for each certificate. If it succeeds, it will display a “verified” output. If it fails, it will display an “error” output.

certutil -viewstore

The –viewstore output allows you to see the contents of a specific Active Directory Domain Services store or object, which lets you choose to view all certificates in that store.

If the certutil command does not function correctly, or you do not have a certificate, you will receive an error message that it failed.
btanExec ConsultantCommented:
Why I also say support should be better position since this is specific to the product though it uses the Windows Crypto API and has its interface to it. The tools so far (including the one link below) is more of example on the scenario using Windows CA not the Entrust application/CA. Will be good to see if error codes can help from event viewer (application or security) any specific application errors flagged out


Entrust in Windows

Application Configuration
Security Provider will not use the traditional Entrust technique of storing configuration data in the entrust.ini file. While the entrust.ini file is simple to edit and easily ported to different systems and platforms, it has some limitations. The biggest limitations are that it can only contain data for one PKI and it is not easily managed remotely.

To overcome these limitations Security Provider will not use an “ini” file and configuration data will be stored in the Windows registry. The data will be stored to allow for multiple PKIs and remote management via common registry tools or Group Policy in an environment where Microsoft Active Directory is deployed.

Application configuration data will be stored in the Windows registry in both the machine and user settings. The machine settings will be used to store global configuration data included with the setup package and the user settings will be used to store per user configuration data generated at runtime.

Security Policy
Security Provider supports configuration data that is specified in Entrust policy certificates, which enforce settings such as password rules and inactivity timeout settings. The policy certificates will be stored in the CryptoAPI certificate store and data is customized by the Entrust Administrator in Entrust Authority on a per role basis.

FYI, (sidetracking) Understand that Entrust has a Entrust Solo based on self signed cert and does not communicate with a CA or other Public Key Infrastructure components. May be simpler if is for testing only. Solo has its own registry (pg 5 in link)

ChihChiehAuthor Commented:
The suggestion of Entrust reminded for alternative, and reminded me to check the reliability of installation package. It was solved after locateing the original installation package, and verified. Thanks
btanExec ConsultantCommented:
Glad it helped then in another way.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now