Troubleshooting PKI Problems on Windows Vista. Crypto. API 2. 0 (CAPI2) Diagnostics is a feature in Windows Vista. This feature provides administrators with the ability to troubleshoot PKI problems by collecting detailed information about certificate chain validation, certificate store operations, and signature verification.
With CAPI2 Diagnostics, it is easier to identify the cause of most public key infrastructure (PKI) problems. CAPI2 Diagnostics can reduce the time required to diagnose problems and improve the troubleshooting experience. This document describes CAPI2 Diagnostics and how it can be used to troubleshoot some common PKI error scenarios. To download a copy of this document, see http: //go. Link. ID=8. 54. 84. In This Guide. CAPI2 Overview. A PKI is the combination of cryptography, software, processes, and services that enable an organization to secure its communications and business transactions. X. 5. 09 certificates can be used to identify users, devices, or organizations and to enable more secure applications, such as signed e- mail, code signing, and secure Web browsing. CAPI is the core cryptography and X. Windows. CAPI1 refers to the support for base cryptographic components, such as encryption, decryption, and hashing functions. CAPI2 refers to the support for PKI and X. Cryptography Next Generation (CNG), a new application programming interface (API) set in Windows Vista, is positioned to replace the existing use of CAPI1, although CAPI1 is still supported. This document details troubleshooting PKI errors with CAPI2 but does not cover CNG and CAPI1. Applications call CAPI2 to perform a number of tasks, such as. Build and verify certificate chains. Manage per- user and per- computer certificate stores. Encrypt/decrypt, encode/decode, and sign/verify messages. Background. PKI problems are difficult to troubleshoot in many PKI enabled applications. Many applications do not display detailed error information. For example, for many networking related errors, CAPI2 returns a . Although the general nature of the error reported is discernible, it is unclear how a user can resolve the PKI problem. The API signature was designed to return an error code and string. Since the API is public, it was not possible to extend the function to return more detailed information without breaking existing applications. In addition, some errors are too performance intensive to detect during normal operations and are better left to post processing. This makes it necessary to have better diagnostic capabilities for troubleshooting PKI in CAPI2. CAPI2 Diagnostics in Windows Vista provides logging of detailed information about certificate validation, network retrievals, revocation, and other low- level API results and errors. This enhanced functionality will help identify the cause of the PKI problem. For common PKI related errors, there are specific patterns of information in the log. Reset Firefox preferences to troubleshoot and fix problems. Resetting preferences (zoom, tabs, privacy, network, encryption, updates, where to save file downloads.This document presents an overview of CAPI2 Diagnostics, provides guidance to help you interpret the log, and identifies patterns in the log that correspond to error scenarios. This information should help diagnose PKI problems and enable developers to write tools to troubleshoot common PKI problems. Certificate Path Validation. Understanding the certificate path validation process is a fundamental requirement for troubleshooting PKI- enabled applications that use CAPI2. Consider a certificate chain, as shown in Figure 1. The root CA issues the subordinate CA certificate and the subordinate CA in turn issues the end- entity certificate. The root CA and the subordinate CA issue certificate revocation lists (CRLs) separately. The CRLs contain the serial numbers of any certificates revoked by the signing CA. The first step in certificate path validation is certificate path discovery, which refers to the process of locating the issuing CA certificates for end- entity certificates and building a certificate path up to a trusted root certificate. Intermediate CA certificates are included as part of the application protocol or are picked up from Group Policy or through URLs specified in the Authority Information Access (AIA) extension. Once the path is built, every certificate in the path is verified for validity with respect to various parameters, such as name, time, signature, revocation status, and other constraints. For details about certificate path validation, see http: //go. Link. Id=2. 70. 81. CAPI2 Diagnostics in Windows Vista. CAPI2 Diagnostics is a feature in Windows Vista that utilizes the event logging and Event Viewer to provide better logging and troubleshooting capabilities for PKI applications based on the CAPI2 API set. The event reporting and tracing system in Windows Vista allows applications, components, and drivers to publish schematized events, query log files, and subscribe to events. This system unifies the event logging system and the event tracing framework. Event logging provides the necessary functionality to allow applications to structure and classify their events so that they are can be easily organized and viewed by an administrator. The events are logged in XML format and can be viewed in Event Viewer. By logging diagnostics information in XML, it is easier to write automated troubleshooting tools. Event Viewer provides the necessary user interface to view the events and enables filtering the events based on parameters like source, level and keywords. For more information about the event reporting and tracing system in Windows Vista, see http: //go. The BITS Repair Tool will help you fix a problem caused by the corruption of BITS state files. The problem stops the host process for Windows Services, which prevents. Link. Id=8. 22. 79. Getting Started With CAPI2 Diagnostics. CAPI2 events are logged through the Microsoft- Windows- CAPI2 channel in the event log. The events are based on the common CAPI, which is part of the certificate path validation process. Enabling and Saving the CAPI2 Log. The following procedure provides information about how to enable logging, save or clear the log, and increase the log size. An administrator must perform the following procedure. To open Event Viewer, click Start, click Control Panel, double- click Administrative Tools, and then double- click Event Viewer. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. In the console tree, expand Event Viewer, expand Applications and Services Logs, expand Microsoft, expand Windows, and then expand CAPI2. You can now perform following actions. To enable CAPI2 logging, right- click Operational, and click Enable Log. You can save the log file in the . Event Viewer) or in . This allows only the data relevant to the problem scenario to be collected from the saved log. To clear the log, right- click Operational, and click Clear Log. For CAPI2 Diagnostics, the log tends to grow in size quickly and it is recommended to increase the log size to at least 4 MB to capture relevant events. To increase the log size, right- click Operational, and click Properties. In the log properties, increase the maximum log size. You can also enable logging and save the log by using the Wevtutil. This tool is available in Windows Vista. To do this, click Start, click All Programs, and then click Accessories. Right- click Command Prompt, and click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. At the command prompt, run the following commands. To enable logging, type wevtutil. Microsoft- Windows- CAPI2/Operational /e: true. Some events correspond to specific APIs that are called to perform the task. Writers of automated troubleshooting applications and knowledgeable developers may cross- reference information in the event with API and data structure documentation on MSDN. The events are organized as top- level events and child events that are nested under the top- level events. These child events correspond to internal steps and contain more information about the actions performed and objects referenced as part of the top- level events. For example, certificate path validation would involve the events listed in the following table. Certificate path validation events. Cert. Get. Certificate. Chain. Shows the results of building a certificate chain. Cert. Verify. Revocation. Indicates the results of revocation checking. Crypt. Retrieve. Object. By. Url. Wire. Logs details about retrieval of objects such as CRLs or Online Certificate Status Protocol (OCSP) responses from over the network. Cert. Rejected. Revocation. Info. Contains detailed error information in cases where Windows obtained invalid revocation information. X5. 09. Objects. Contains details of all objects processed as part of certificate path validation. The child events are organized in this manner because they represent steps that may be repeated several times during a top- level event. For example, Cert. Verify. Revocation might be called multiple times in the same Cert. Get. Certificate. Chain event to check revocation for different certificates in the chain. The list of various events logged and their description is available in Appendix A. For more information about these APIs, see http: //go. Link. Id=8. 22. 78. CAPI2 logs detailed information about the event in the User. Data section of the event data. You can view this through the Details tab in Event Viewer. For APIs that return meaningful extended errors, CAPI2 logs error codes and descriptions in the event in a result field as part of the event data. CAPI2 also logs flags with a value attribute that refers to the DWORD value, and a list of Boolean attributes referring to individual flags that are set. For example. < Error. Status value=. CAPI2 logs the most relevant information in certificates and other PKI objects in XML in the X5. Objects event. The following is an example of an entry for a certificate in the . X. 5. 09 objects are often referenced many times, even within a single top- level event. For example, the end- entity certificate is referenced in the . CAPI2 logs each reference of the objects using the file.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
August 2017
Categories |