Certutil Bug in Windows Server 2016 Fails to Enumerate Issuance, Application Policies and OIDs

Recently one of our colleagues at nCipher in England related to us an issue reported by one of its customers, who was running the certutil -verify -urlfetch command against an issued end-entity certificate on Windows Server 2016 (Build 1607). Run with no extra options, the command reports a failure in its output (see the output below). During verification, the Issuance and Application policies that the Issuing CA had enforced were neither enumerated nor verified. The customer naturally concluded that the certificate was bad, since it failed to show the customized policies that should have been there, and which did appear on other certificates from the same Issuing CA when checked on other machines.

To confirm this, here is the last section of the output for a test certificate on the same build of Windows Server 2016. I issued the certificate from a CA using a template that specified a High Assurance and a Legal issuance policy as well as EKUs. Note that the chain verification did not complete either.

Exclude leaf cert:
  Chain: cbc725c16415046c35d3bc4512653a3e009fe32b
Full chain:
  Chain: 25973944a354bde631b436aa7450cea2560bc0e1
Issuer: CN=Contoso CA2, DC=contoso, DC=com
  NotBefore: 3/7/2019 10:07 AM
  NotAfter: 3/6/2020 10:07 AM
  Subject: CN=Rosie Cardel, CN=Users, DC=contoso, DC=com
  Serial: 1800000007e993271849e6eac1000000000007
  SubjectAltName: Other Name:Principal Name=Rosie@contoso.com
  Template: Contoso User
  Cert: 9da2e8296a7ce657bc7d6affc876d00feaed19d8
Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
————————————
CertUtil: -verify command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Cannot find object or property.

However, running a certutil utility copied from a Windows Server 2012 R2 machine (6.3.9600) against the same test certificate, the command completed successfully and verified the policies (see below).

Exclude leaf cert:
25bff39287a5a529db426937115531461131915d
Full chain:
  7e8a872906157384ca5ed1e559bad2087a94040a
————————————
Verified Issuance Policies:
1.3.6.1.4.1.311.21.43 Legal Policy
1.3.6.1.4.1.12345.509.2.4 Contoso High Assurance
Verified Application Policies:
    1.3.6.1.5.5.7.3.4 Secure Email
    1.3.6.1.4.1.311.10.3.4 Encrypting File System
    1.3.6.1.5.5.7.3.2 Client Authentication

The customer, naturally confused, reached out to Microsoft explaining the issue and the steps he had taken, and Microsoft's response confirmed that there is an issue with the certutil.exe utility in Windows Server 2016 (Build 1607). To verify this, the customer ran copies of the certutil utility taken from both Windows 10 and Windows Server 2019 on the Windows Server 2016 machine, with the expected positive results: the Issuance and Application policies were checked.

Here is the result I reproduced using certutil from Windows Server 2019 (Build 1809):

Exclude leaf cert:
  Chain: 5d91311146315511376942db29a5a58792f3bf25
Full chain:
  Chain: 0a04947a08d2ba59e5d15eca8473150629878a7e
————————————
Verified Issuance Policies:
1.3.6.1.4.1.311.21.43 Legal Policy
1.3.6.1.4.1.12345.509.2.4
Verified Application Policies:
1.3.6.1.5.5.7.3.4 Secure Email
1.3.6.1.4.1.311.10.3.4 Encrypting File System
1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Microsoft's response, then, was a workaround for using the -verify switch of certutil on Windows Server 2016 (Build 1607). They suggest copying certutil.exe (and the accompanying certutil.exe.mui) from the System32 folder of a Windows Server 2012 R2, Windows Server 2019 or Windows 10 machine. Place those files and the certificate file you want to check in a separate folder and run certutil from there. The second method, though not recommended, is to copy the certificate file to any folder on one of those machines and run the certutil -verify command there.

Microsoft said that only the 1607 version of Windows Server 2016 has this issue. The two most recent SAC (Semi-Annual Channel) releases (1709 and 1803) are Server Core and were not tested for this article. Microsoft support also noted that no fix or patch is coming for this short of the next release. So, for the long haul, the best way to keep your certutil utility in working order appears to be copying a known-good pair of the files to your 2016 servers where needed. A little something to add to your day!
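The workaround above, as an added PowerShell example that is not part of the original post: it runs a known-good certutil.exe copied from a Windows Server 2012 R2, Windows Server 2019 or Windows 10 machine and checks that the issuance and application policy OIDs expected from the template actually appear in the verified output, which is the check that silently went missing on 1607. It assumes the copied certutil.exe and its certutil.exe.mui already sit in a folder of your choosing, with the .mui in a language subfolder such as en-US next to the exe (the layout Windows uses to locate MUI resources); the folder path, certificate path and OID list are illustrative, the OIDs being those from the output above.

```powershell
param(
    [string]$GoodCertutilDir = 'C:\Tools\certutil-good',          # constructed path
    [string]$CertPath        = 'C:\Tools\certutil-good\user.cer', # constructed path
    [string[]]$ExpectedOids  = @(
        '1.3.6.1.4.1.311.21.43',      # Legal Policy (issuance)
        '1.3.6.1.4.1.12345.509.2.4',  # Contoso High Assurance (issuance)
        '1.3.6.1.5.5.7.3.4',          # Secure Email (application)
        '1.3.6.1.4.1.311.10.3.4',     # Encrypting File System (application)
        '1.3.6.1.5.5.7.3.2'           # Client Authentication (application)
    )
)

$exe = Join-Path $GoodCertutilDir 'certutil.exe'
if (-not (Test-Path $exe)) { throw "certutil.exe not found in $GoodCertutilDir" }

# Run from the copied binary's own folder so it picks up its own MUI rather than
# the one under System32; 2>&1 keeps any failure text in $output.
Push-Location $GoodCertutilDir
try {
    $output   = & $exe -verify -urlfetch $CertPath 2>&1 | Out-String -Stream
    $exitCode = $LASTEXITCODE
} finally { Pop-Location }

# Collect OIDs listed under "Verified Issuance Policies:" / "Verified Application
# Policies:". Policy lines start with a dotted OID, indented or not, optionally
# followed by a friendly name; any other unindented line closes the section.
$verifiedOids = @()
$inPolicies   = $false
foreach ($line in $output) {
    if ($line -match '^\s*Verified (Issuance|Application) Policies:') { $inPolicies = $true; continue }
    if ($inPolicies -and $line -match '^\s*(\d+(?:\.\d+)+)') { $verifiedOids += $Matches[1]; continue }
    if ($line -match '^\S') { $inPolicies = $false }
}

$missing = @($ExpectedOids | Where-Object { $verifiedOids -notcontains $_ })

# Surface what is needed to tell the 1607 bug apart from a genuinely bad
# certificate: which binary ran, whether certutil reported success, and which
# expected policies (if any) were never verified.
[pscustomobject]@{
    CertutilPath = $exe
    FileVersion  = (Get-Item $exe).VersionInfo.FileVersion
    ExitCode     = $exitCode
    Succeeded    = ($exitCode -eq 0 -and $missing.Count -eq 0)
    VerifiedOids = $verifiedOids
    MissingOids  = $missing
}
```

If MissingOids is empty with the copied binary but the same certificate fails with the System32 certutil.exe on the 1607 host, the certificate is fine and the tool is the problem.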


About Mark B. Cooper aka "The PKI Guy"

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.
