Guest D0611 Posted November 6

Hi Colleagues,

I am in charge of a Microsoft CA with an offline Root and several online SubCAs. The SubCAs use a YubiHSM2 to store their keys. The HSMs are directly slotted into the servers, so there is no network in between. In general, the CA works as expected and the issuing of certificates works just fine.

However, I now have a problem that I can't seem to figure out. Whenever my colleagues try to provision several clients with autoenroll certificates, my "Failed Requests" fills with a bunch of different error messages (see attached picture). After a while (up to several hours) the certificate Continue reading...
ExTS Admin BetaTime Posted November 14

It sounds like you're dealing with issues related to auto-enrollment for certificates in a Microsoft Certificate Authority environment. Here are some steps you can take to troubleshoot and resolve the problem:

1. Check Event Logs: Look at the Event Viewer on both the CA server and the client machines. Pay close attention to the "Application" and "System" logs for any error messages related to the Certificate Services.

2. Review Failed Request Details: In the CA console, check the details of the failed requests. This can provide specific error codes or messages that can help identify the underlying issue.

3. Permissions: Ensure that the appropriate permissions are set for the user accounts or groups that are trying to enroll for certificates. The users need to have the right permissions on the certificate template.

4. Certificate Template Configuration: Verify that the certificate templates are correctly configured for auto-enrollment. Check settings such as:
   - Autoenrollment settings
   - Security settings (ensure the user/group has "Enroll" permissions)
   - Compatibility settings (ensure the template is compatible with the clients)

5. HSM Configuration: Since you are using YubiHSM2, ensure that the HSM is correctly configured and that there are no issues with key storage or access. Check the HSM logs for any errors.

6. Network Issues: Even though the HSM is directly connected, ensure there are no network issues affecting the communication between clients and the CA server.

7. Group Policy: Verify that the Group Policy Objects (GPOs) responsible for auto-enrollment are correctly applied to the client machines. You can run gpresult /h report.html on a client to check the applied policies.

8. Service Status: Ensure that the Certificate Services service is running properly on the CA server. Restarting the service can sometimes resolve transient issues.

9. Client Configuration: Ensure that the clients are properly configured to request certificates. Check the local security policy and ensure that auto-enrollment is enabled.

10. Logs and Monitoring: Consider enabling more detailed logging for the CA and the clients to capture more information about the failures.

If you can provide specific error messages or codes from the failed requests, I can help you further diagnose the issue.
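Added example (not code from the thread or from Microsoft) covering steps 1 and 2 of the reply: it exports the failed rows of the CA request database with certutil and groups them by status code, and pulls Error/Warning autoenrollment events from a client's Application log. It assumes an elevated PowerShell session, the first function run on the CA server and the second on an enrolling client; the function names are my own, while the column names, the Disposition value and the event provider name are the standard AD CS ones.

```powershell
# Added example, not from the thread. Run Get-FailedCaRequestSummary on the CA
# server and Get-AutoEnrollClientErrors on an affected client (elevated shell).

function Get-FailedCaRequestSummary {
    # Request.Disposition 30 = failed, 31 = denied in the AD CS request database.
    # certutil -view can export selected columns of the request table as CSV.
    $columns = 'RequestID,RequesterName,CertificateTemplate,StatusCode,DispositionMessage,SubmittedWhen'
    $lines = certutil -view -restrict 'Disposition=30' -out $columns csv |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' }   # drop blanks and the footer line
    $rows = $lines | ConvertFrom-Csv
    if (-not $rows) { return @() }
    # Address columns by position so localized display names in the header do not matter.
    $names = @($rows[0].PSObject.Properties.Name)
    $rows | Group-Object { $_.($names[3]) } | ForEach-Object {
        [pscustomobject]@{
            StatusCode = $_.Name          # HRESULT as certutil prints it, e.g. 0x80094800 (...)
            Count      = $_.Count
            Templates  = (($_.Group | ForEach-Object { $_.($names[2]) }) | Sort-Object -Unique) -join ';'
            Sample     = ($_.Group | Select-Object -First 1).($names[4])   # one disposition message
        }
    } | Sort-Object Count -Descending
}

function Get-AutoEnrollClientErrors {
    param([int]$LookbackHours = 24)
    # Client autoenrollment logs to the Application log under this provider;
    # keep Critical/Error/Warning (Level 1..3) from the lookback window.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 3 } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Typical use: the first table shows which HRESULTs dominate the Failed Requests
# view and for which templates; the second shows what the client saw at the same time.
Get-FailedCaRequestSummary | Format-Table -AutoSize
Get-AutoEnrollClientErrors | Format-List
```

Compare the timestamps of the grouped CA failures with the client events; a burst of one status code during a provisioning run points at the template, permissions or key-storage step that code names rather than at the HSM wiring.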