
Spat's WebLog (Steve Patrick)

When things go wrong...

Putting CAPI2 logging to good use...

 

So there was a problem with a printer which you could connect to via SSL in order to print via IPP.

You go in and configure the printer via a web page like so:

Create New Self-Signed Certificate
Create a new self-signed certificate. Warning: This operation will overwrite the currently installed certificate with a new self-signed certificate.

Create Certificate Request
Create the Certificate Request that you will give to a Certificate Authority. The Certificate Request will be used to generate a certificate for you.

Import Certificate and Private Key
Import a certificate and private key to use as the Jetdirect certificate. (Note: This will overwrite the current Jetdirect certificate and private key.)

Export Certificate
Export the Jetdirect certificate and private key.

 

The server was configured for "Create New Self-Signed Certificate". However, Vista would fail to connect to the server. We would connect to https://10.10.10.34 and Vista fails with an error:

"Windows cannot connect to the printer. Make sure that you have typed the name correctly, and that the printer is connected to network."

 

BTW - you know you can press Ctrl+C when those popup boxes are there and capture the info in them, right?

So – why did XP work OK but Vista fail?

Let’s start with some CAPI2 logging… which I discussed back on March 13, ’07 -- http://blogs.msdn.com/spatdsg/archive/2007/03/13/troubleshooting-pki-problems-on-windows-vista.aspx

The first entry to take note of is this one – spoolsv.exe is the process which is doing the trust verification check.

 

Log Name:      Microsoft-Windows-CAPI2/Operational

Source:        Microsoft-Windows-CAPI2

Date:          8/6/2007 6:40:34 PM

Event ID:      80

Task Category: Verify Trust

Level:         Information

Keywords:      Trust Verification

User:          CRISCO1\administrator

Computer:      VistaCrisco.crisco.com

Description:

 

  <UserData>

    <WinVerifyTrustStart>

      <EventAuxInfo ProcessName="spoolsv.exe" />

      <CorrelationAuxInfo TaskId="{D0BD64A0-244A-46F0-8AA0-E80EF5952D61}" SeqNumber="1" />

    </WinVerifyTrustStart>

  </UserData>

 

Then we can clearly see that the certificate is not trusted by the Vista machine we are trying to connect from.

Log Name:      Microsoft-Windows-CAPI2/Operational

Source:        Microsoft-Windows-CAPI2

Date:          8/6/2007 6:40:35 PM

Event ID:      11

Task Category: Build Chain

Level:         Error

Keywords:      Path Discovery,Path Validation

User:          CRISCO1\administrator

Computer:      VistaCrisco.crisco.com

Description:

For more details for this event, please refer to the "Details" section

Event Xml:

  

    <CertGetCertificateChain>

      <Certificate fileRef="F5287D67AE6D81E7F7D6C1582BC58DBD7715C870.cer" subjectName="HP Jetdirect 0AF8ACE8" />

      <ValidationTime>2007-08-07T01:40:35.389Z</ValidationTime>

      <AdditionalStore>

        <Certificate fileRef="F5287D67AE6D81E7F7D6C1582BC58DBD7715C870.cer" subjectName="HP Jetdirect 0AF8ACE8" />

      </AdditionalStore>

      <ExtendedKeyUsage orMatch="true">

        <Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" />

        <Usage oid="1.3.6.1.4.1.311.10.3.3" />

        <Usage oid="2.16.840.1.113730.4.1" />

      </ExtendedKeyUsage>

      <Flags value="0" />

      <ChainEngineInfo context="user" />

      <CertificateChain chainRef="{15DE00A4-2C51-42E0-A086-C85E1B51E30A}">

        <TrustStatus>

          <ErrorStatus value="20" CERT_TRUST_IS_UNTRUSTED_ROOT="true" />

          <InfoStatus value="100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />

        </TrustStatus>

        <ChainElement>

          <Certificate fileRef="F5287D67AE6D81E7F7D6C1582BC58DBD7715C870.cer" subjectName="HP Jetdirect 0AF8ACE8" />

          <TrustStatus>

            <ErrorStatus value="20" CERT_TRUST_IS_UNTRUSTED_ROOT="true" />

            <InfoStatus value="10C" CERT_TRUST_HAS_NAME_MATCH_ISSUER="true" CERT_TRUST_IS_SELF_SIGNED="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />

          </TrustStatus>

          <ApplicationUsage>

            <Usage oid="1.3.6.1.5.5.7.3.1" name="Server Authentication" />

            <Usage oid="1.3.6.1.5.5.7.3.2" name="Client Authentication" />

          </ApplicationUsage>

          <IssuanceUsage any="true" />

        </ChainElement>

      </CertificateChain>

      <EventAuxInfo ProcessName="spoolsv.exe" impersonateToken="S-1-5-21-4227054899-3893708993-4289900008-500" />

      <CorrelationAuxInfo TaskId="{0FBD18B4-EFAD-4CFE-B4E8-1DE60B22ED57}" SeqNumber="11" />

      <Result value="800B0109">A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.</Result>

    </CertGetCertificateChain>

There was an option to export the cert from the printer, so we do that and import it into the Vista machine's trusted root store.

Try again… Ahh, a new error – I’ll just paste the relevant section from the CAPI2 logs.

 

  <UserData>

    <WinVerifyTrust>

      <ActionID>{573E31F8-AABA-11D0-8CCB-00C04FC295EE}</ActionID>

      <UIChoice value="2">WTD_UI_NONE</UIChoice>

      <RevocationCheck value="0" />

      <StateAction value="0">WTD_STATEACTION_IGNORE</StateAction>

      <Flags value="80000000" CPD_USE_NT5_CHAIN_FLAG="true" />

      <CertificateInfo displayName="10.10.10.34" />

      <RegPolicySetting value="23C00" WTPF_OFFLINEOK_IND="true" WTPF_OFFLINEOK_COM="true" WTPF_OFFLINEOKNBU_IND="true" WTPF_OFFLINEOKNBU_COM="true" WTPF_IGNOREREVOCATIONONTS="true" />

      <CertificateChain chainRef="{963B980F-686F-4510-B7BA-4E400027465B}" />

      <EventAuxInfo ProcessName="spoolsv.exe" impersonateToken="S-1-5-21-4227054899-3893708993-4289900008-500" />

      <CorrelationAuxInfo TaskId="{4A74C3A9-C2A6-4C10-A05C-5452578D2010}" SeqNumber="6" />

      <Result value="800B010F">The certificate's CN name does not match the passed value.</Result>

    </WinVerifyTrust>

  </UserData>

</Event>

Hrmm, this one is a little more difficult.

The printer automatically creates a subject name like:

Subject:

    OU=J7961G

    OU=00110AF8ACE8

    O=Hewlett-Packard Co.

    CN=HP Jetdirect 0AF8ACE8

 

 

And we don’t like the name? The error is: "The certificate's CN name does not match the passed value."

What does that mean?

It means that the passed value https://10.10.10.34 did not match the CN…

It does a check in crypt32.dll for the “server name” (10.10.10.34) against the CN (HP Jetdirect 0AF8ACE8) and fails if they are not the same.

We cannot simply connect to https://HP Jetdirect 0AF8ACE8 as it is not a proper FQDN.
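To make that rule concrete, here is an added example (my own Python, not the crypt32.dll code the post refers to) that implements the server-name check as a standalone function. It goes beyond the post in one respect: it also honours subjectAltName entries the way current validators do, consulting the subject CN only when the certificate carries no SAN at all. The `crisco.com` host names used in the demo are constructed from the computer name in the log entries, and `host_from_url`, `server_name_matches` and the other names are mine.

```python
"""Why https://10.10.10.34 fails against CN=HP Jetdirect 0AF8ACE8.

Added example, not the crypt32.dll logic itself: a reference implementation of
the server-name check described above, extended to subjectAltName (SAN)
entries. SAN dNSName / iPAddress entries are authoritative when present; the
subject CN is only consulted when there is no SAN at all.
"""
import ipaddress
from urllib.parse import urlsplit


def host_from_url(url):
    """Extract the host part that a client compares against the certificate."""
    return urlsplit(url).hostname


def _parse_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, hostname):
    """Case-insensitive DNS compare; a single leading '*.' matches one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname


def server_name_matches(requested, cn, san_dns=(), san_ip=()):
    """Decide whether `requested` (host or IP the client typed) matches the cert.

    Returns (ok, reason). `cn` is the subject CN; `san_dns` / `san_ip` are the
    dNSName / iPAddress entries from subjectAltName, if any.
    """
    ip = _parse_ip(requested)
    if san_dns or san_ip:
        # SAN present: the CN is ignored, as RFC 6125 recommends.
        if ip is not None:
            for entry in san_ip:
                if _parse_ip(entry) == ip:
                    return True, "iPAddress SAN %s matches" % entry
        else:
            for entry in san_dns:
                if _dns_match(entry, requested):
                    return True, "dNSName SAN %s matches" % entry
        return False, "no subjectAltName entry matches %r" % requested
    # Legacy fallback (what the Vista-era check in the post relies on):
    # compare the passed value against the subject CN literally.
    if ip is not None and _parse_ip(cn) == ip:
        return True, "CN %s matches the passed IP address" % cn
    if ip is None and _dns_match(cn, requested):
        return True, "CN %s matches" % cn
    return False, "CN %r does not match the passed value %r" % (cn, requested)


if __name__ == "__main__":
    host = host_from_url("https://10.10.10.34")  # what spoolsv.exe passed
    # The printer's default cert: CN is a product name, so no match.
    print(server_name_matches(host, "HP Jetdirect 0AF8ACE8"))
    # The makecert fix from the post: CN is the address we connect to.
    print(server_name_matches(host, "10.10.10.34"))
    # The same address carried as an iPAddress SAN, which modern clients prefer.
    print(server_name_matches(host, "HP Jetdirect 0AF8ACE8", san_ip=("10.10.10.34",)))
```

The fallback branch is the behaviour the post runs into: the printer's default CN is a product name, not something you can type into a URL, so the literal compare can never succeed. The CN-only fix works for the Vista client described here; if the printer's firmware lets you put the address into a subjectAltName as well, that is the form current clients check first.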

 

 

So now we know we can’t get around this or change the check. How do we configure this then?

The easiest way to work around it is to generate a self-signed cert which does have the proper name we can connect to.

Per the printer config page we could submit a request to a CA – but if we don’t have one then the procedure outlined below is the next best option.

 

 

Get a copy of makecert.exe (it’s in the free Platform SDK download).

·         Run it like so in order to create a self-signed cert which has an exportable key and the proper subject:

 

 

makecert.exe -r -pe -n "CN=10.10.10.34" -b 07/01/2007 -e 07/01/2010 -eku 1.3.6.1.5.5.7.3.1 -ss My printer.cer

·         The switches that make this work are:

·         -pe (allow the private key to be exportable)

·         -r (self-signed)

·         -eku (specify the Server Authentication EKU OID, 1.3.6.1.5.5.7.3.1)

 

·         You will see a new file called printer.cer:

C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin>dir prin*

 Volume in drive C has no label.

 Volume Serial Number is 108D-3591

 

 Directory of C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin

 

07/31/2007  10:16 AM               542 printer.cer

               1 File(s)            542 bytes

               0 Dir(s)   3,574,562,816 bytes free

 

 

·         Now looking in your personal store via certmgr.msc you should see a cert in there with the Issued By field as “CN = 10.10.10.34”.

·         Right-click this cert and export it, including the private key.

·         Now, go to the printer management web page and import the .PFX file you just exported.

·         Also take the file called printer.cer and import it into the trusted root store on the Vista machine.

 

You should now be able to connect OK.

Takeaways:

CAPI2 logging is very, very helpful – check it out before you jump to conclusions – it may be more helpful than you realize.
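Reading those event bodies by hand gets tedious once you have more than a couple of them. Here is an added example (not from the post) of a small Python script that parses CAPI2 event XML like the two entries quoted above and pulls out the fields you triage first: the calling process, the certificate subject, the CERT_TRUST_* error flags and the HRESULT in <Result>. The two sample bodies are constructed by trimming the post's own entries; `triage_capi2_event`, `KNOWN_HRESULTS` and the other names are my own.

```python
"""Triage Microsoft-Windows-CAPI2/Operational event bodies offline.

Added example: parses the <UserData> XML that CAPI2 writes for events such as
ID 11 (Build Chain) and ID 80/81 (Verify Trust) and pulls out what a
troubleshooter looks at first: the calling process, the certificate
subject(s), the CERT_TRUST_* error flags, and the HRESULT in <Result>.
"""
import xml.etree.ElementTree as ET

# HRESULTs that commonly show up in CAPI2 <Result> elements (winerror.h names).
KNOWN_HRESULTS = {
    "800B0101": "CERT_E_EXPIRED",
    "800B0109": "CERT_E_UNTRUSTEDROOT",
    "800B010A": "CERT_E_CHAINING",
    "800B010F": "CERT_E_CN_NO_MATCH",
    "800B0110": "CERT_E_WRONG_USAGE",
}

# Constructed sample events, trimmed from the two entries quoted in the post.
SAMPLE_BUILD_CHAIN = """<UserData>
  <CertGetCertificateChain>
    <Certificate fileRef="F5287D67AE6D81E7F7D6C1582BC58DBD7715C870.cer" subjectName="HP Jetdirect 0AF8ACE8" />
    <CertificateChain chainRef="{15DE00A4-2C51-42E0-A086-C85E1B51E30A}">
      <TrustStatus>
        <ErrorStatus value="20" CERT_TRUST_IS_UNTRUSTED_ROOT="true" />
        <InfoStatus value="100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
      </TrustStatus>
    </CertificateChain>
    <EventAuxInfo ProcessName="spoolsv.exe" />
    <Result value="800B0109">A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.</Result>
  </CertGetCertificateChain>
</UserData>"""

SAMPLE_VERIFY_TRUST = """<UserData>
  <WinVerifyTrust>
    <CertificateInfo displayName="10.10.10.34" />
    <EventAuxInfo ProcessName="spoolsv.exe" />
    <Result value="800B010F">The certificate's CN name does not match the passed value.</Result>
  </WinVerifyTrust>
</UserData>"""


def triage_capi2_event(xml_text):
    """Return a dict summarising one CAPI2 event body.

    Accepts a bare <UserData> (as pasted from the Details tab), a bare inner
    element, or a full exported <Event> wrapper with XML namespaces.
    """
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # drop any xmlns prefix from an exported <Event>
    user_data = root if root.tag == "UserData" else root.find(".//UserData")
    body = user_data[0] if user_data is not None and len(user_data) > 0 else root

    # Every CERT_TRUST_* attribute set to "true" on any <ErrorStatus> in the chain.
    error_flags = []
    for status in root.iter("ErrorStatus"):
        for attr, val in status.attrib.items():
            if attr.startswith("CERT_TRUST_") and val == "true" and attr not in error_flags:
                error_flags.append(attr)

    subjects = []
    for cert in root.iter("Certificate"):
        name = cert.get("subjectName")
        if name and name not in subjects:
            subjects.append(name)

    aux = root.find(".//EventAuxInfo")
    info = root.find(".//CertificateInfo")
    result = root.find(".//Result")
    hresult = result.get("value", "").upper() if result is not None else None

    return {
        "event": body.tag,
        "process": aux.get("ProcessName") if aux is not None else None,
        "subjects": subjects,
        "passed_name": info.get("displayName") if info is not None else None,
        "error_flags": error_flags,
        "hresult": hresult,
        "hresult_name": KNOWN_HRESULTS.get(hresult, "unknown"),
        "message": (result.text or "").strip() if result is not None else "",
    }


def describe(summary):
    """One-line verdict for a summary returned by triage_capi2_event()."""
    return "{event} in {process}: 0x{hresult} ({hresult_name}) flags={error_flags} {message}".format(**summary)


if __name__ == "__main__":
    for sample in (SAMPLE_BUILD_CHAIN, SAMPLE_VERIFY_TRUST):
        print(describe(triage_capi2_event(sample)))
```

To feed it real data, copy the XML from the event's Details tab (XML View) in Event Viewer, or dump the log with `wevtutil qe Microsoft-Windows-CAPI2/Operational /f:xml` and hand each event to `triage_capi2_event`. On the two entries from this post it reports CERT_E_UNTRUSTEDROOT with the CERT_TRUST_IS_UNTRUSTED_ROOT flag for the first, and CERT_E_CN_NO_MATCH with the passed name 10.10.10.34 for the second, which is exactly the order in which the fixes above had to be applied.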

 

Spatdsg

Posted: Wednesday, August 08, 2007 7:20 AM by SpatDSG