Thursday, October 12, 2017

 

[CertificationAuthority] Performing Windows CA Signing (Event 17 Troubleshooting)



Performing Windows CA Signing (Event 17)





Log Name:      Application
Source:        Microsoft-Windows-NetworkDeviceEnrollmentService
Date:          2017-10-11 오후 3:30:52
Event ID:      17
Task Category: None
Level:         Error
Keywords:    
User:          Domain\NdesService
Computer:      CA_Server
Description:
The Network Device Enrollment Service cannot retrieve required information, such as the transaction ID, message type, or signing certificate, from the client's PKCS7 message (0x80090006).  Invalid Signature.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-NetworkDeviceEnrollmentService" Guid="{73144342-19D1-47A4-94DE-D38E6A054AD5}" />
    <EventID>17</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-10-11T06:30:52.689000700Z" />
    <EventRecordID>1772924</EventRecordID>
    <Correlation />
    <Execution ProcessID="15136" ThreadID="10532" />
    <Channel>Application</Channel>
    <Computer>CA_Server</Computer>
    <Security UserID="S-1-5-21-3168535572-3829850731-2228477670-1641" />
  </System>
  <EventData Name="EVENT_MSCEP_FAIL_TO_RETRIEVE_INFO">
    <Data Name="ErrorCode">0x80090006</Data>
    <Data Name="ErrorMessage">Invalid Signature.</Data>
  </EventData>
</Event>


[Explanation]

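One customer site handled authentication through Cisco ISE. The ISE's own certificate had expired, so it was renewed. However, as the event message above shows, the renewed certificate had not been signed by the existing certification authority (CA), so the error event was logged. Below I share how to have the CA sign the ISE's pem.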

1. In your web browser address bar, type the IP address of the server where the Certification Authority is installed, followed by certsrv.
For example: https://<CA server address>/certsrv

2. Click the Request a Certificate link.

3. Click the Advanced certificate request link.

4. Click Submit a certificate.

5. Paste the contents of your CSR file into the Saved Request text box.


6. For content inspection certificates for outbound traffic, from the Certificate Template drop-down list, select Subordinate Certification Authority.

7. Click Submit.

8. Select the appropriate encoding type and download the certificate.
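To confirm that the error stops recurring once the CA-signed certificate is installed, the exported Application log can be scanned for the same record. The following is an added example, not part of the original post: it assumes the events were exported as XML wrapped in a single `<Events>` root element, and the function name and the second sample record are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NDES_PROVIDER = "Microsoft-Windows-NetworkDeviceEnrollmentService"
BAD_SIGNATURE = 0x80090006  # NTE_BAD_SIGNATURE, "Invalid Signature."

# Constructed sample export: the first record mirrors the event on this page,
# the second is an unrelated provider that happens to use the same Event ID.
SAMPLE_EXPORT = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-NetworkDeviceEnrollmentService" />
    <EventID>17</EventID>
    <TimeCreated SystemTime="2017-10-11T06:30:52.689000700Z" />
    <EventRecordID>1772924</EventRecordID>
    <Computer>CA_Server</Computer>
  </System>
  <EventData Name="EVENT_MSCEP_FAIL_TO_RETRIEVE_INFO">
    <Data Name="ErrorCode">0x80090006</Data>
    <Data Name="ErrorMessage">Invalid Signature.</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ExampleProvider" /><EventID>17</EventID>
    <EventRecordID>1772925</EventRecordID>
  </System>
  <EventData><Data Name="ErrorCode">0x0</Data></EventData>
</Event>
</Events>"""

def find_ndes_signature_failures(xml_text):
    """Return one dict per NDES Event 17 whose ErrorCode is 0x80090006."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        system = ev.find("e:System", NS)
        provider = system.find("e:Provider", NS).get("Name")
        event_id = int(system.findtext("e:EventID", default="0", namespaces=NS))
        if provider != NDES_PROVIDER or event_id != 17:
            continue  # same Event ID from another source is not this failure
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        try:
            code = int(data.get("ErrorCode", "0"), 16)
        except ValueError:
            continue  # malformed ErrorCode: skip the record rather than crash
        if code == BAD_SIGNATURE:
            hits.append({"record_id": system.findtext("e:EventRecordID", namespaces=NS),
                         "time": system.find("e:TimeCreated", NS).get("SystemTime"),
                         "message": data.get("ErrorMessage", "")})
    return hits
```

An empty result for the period after the certificate was replaced indicates that NDES is no longer rejecting the client's PKCS7 signature.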






The reference page is here.
