We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

Getting hresult: 0x8007054F error for any certificates

18 replies

Last post Apr 26, 2021 07:36 AM by samwu

  • Getting hresult: 0x8007054F error for any certificates

    Apr 02, 2021 02:43 PM|josh-hemphill|LINK

    If I try to select any of the auto-enrolled domain-issued certificates for binding https, I get

    An internal error occurred (Exception from HRESULT: 0x8007054F)

    The certificate has the private key exportable, and it's using ECDSA521 and SHA512 cryptography. I'm not sure what else to do.

    EDIT:

    After trying many different certificate template settings, I've discovered this is happening with any certificate that requires CA Certificate Manager Approval for issuance... Even though it's been approved and is in the key store.

    Although, now my other certificate that does not require that is having the same issue...

    I'm completely at a loss.

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 05, 2021 02:34 AM|samwu|LINK

    Hi josh,

    josh-hemphill

    An internal error occurred (Exception from HRESULT: 0x8007054F)

    Did you get any other error messages? It is impossible to determine the problem based on this error message alone. And how did you use the auto-enrolled domain-issued certificates?

    Best regards,

    Sam

    IIS.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today. Learn more >
  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 05, 2021 02:01 PM|josh-hemphill|LINK

    No other error messages. Yeah, if it was a descriptive error message, I might at least know what logs or areas to look at.

    I'm not sure what you mean by how I used the certificates. I issued them, they appeared in the local machine certificate store as valid for assigning in IIS, I opened the site bindings, and selected the cert, but when trying to confirm the site bindings it throws that error.

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 06, 2021 07:30 AM|samwu|LINK

    Hi josh,

     

    josh-hemphill

    I'm not sure what you mean by how I used the certificates. I issued them, they appeared in the local machine certificate store as valid for assigning in IIS, I opened the site bindings, and selected the cert, but when trying to confirm the site bindings it throws that error.

    Are there any related error messages in the Event Viewer? How did you generate the certificate?

    Best regards,

    Sam

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 06, 2021 04:57 PM|josh-hemphill|LINK

    Hi,

    After turning on the logging for IIS I'm only getting what seems to be events of changes being successfully committed:

    IIS-Configuration > Operational

    Changes have successfully been committed to 'MACHINE/WEBROOT/APPHOST'.
    Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]/@sslFlags' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
    Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]/@bindingInformation' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
    Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]/@protocol' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
    Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
    Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
    

    The Administrative log just listed warnings about not finding schemas. IIS-Configuration > Administrative

    Unable to find schema for config section 'system.serviceModel/tracking'. This section will be ignored.
    Unable to find schema for config section 'system.serviceModel/client'. This section will be ignored.
    Unable to find schema for config section 'system.serviceModel/extensions'. This section will be ignored.
    Unable to find schema for config section 'system.xaml.hosting/httpHandlers'. This section will be ignored.
    Unable to find schema for config section 'system.serviceModel/serviceHostingEnvironment'. This section will be ignored.
    Unable to find schema for config section 'system.serviceModel/tracking'. This section will be ignored.
    Unable to find schema for config section 'system.serviceModel/client'. This section will be ignored.
    Unable to find schema for config section 'system.serviceModel/extensions'. This section will be ignored.
    

    I've tried creating the certificate by using the auto-enrollment dialog in the certificate manager, using the certificate manager to manually create a CSR and export/import the certificate. Using the CSR tool in IIS doesn't work for me because it will only let me use the "Web Server" template and not the copy we have that supersedes it to drop support for older versions of Windows to enable ECDSA/ECDH. I've also created other templates with exportable private keys, alternate signature formats, requiring providers, requiring approval, allowing key-based renewal, and every combination I could think of, all producing the same result.

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 07, 2021 07:26 AM|samwu|LINK

    Hi josh,

    josh-hemphill

    I've tried creating the certificate by using the auto-enrollment dialog in the certificate manager, using the certificate manager to manually create a CSR and export/import the certificate. Using the CSR tool in IIS doesn't work for me because it will only let me use the "Web Server" template and not the copy we have that supersedes it to drop support for older versions of Windows to enable ECDSA/ECDH. I've also created other templates with exportable private keys, alternate signature formats, requiring providers, requiring approval, allowing key-based renewal, and every combination I could think of, all producing the same result.

    To fix this issue, you could try to specify the username in applicationhost.config like this:

    <virtualDirectory path="/" physicalPath="D:\mynewsite1" userName="******" password="*********" />

    The warning should be related to the .NET Framework 3.5; you may need to install "Windows Communication Foundation HTTP Activation" and "Windows Communication Foundation Non-HTTP Activation" under .NET Framework 3.5 in Turn Windows features on or off / Add role and feature.

    Best regards,

    Sam

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 07, 2021 02:50 PM|josh-hemphill|LINK

    No luck. Still get the same error, and the same things logged in the event viewer.

    I should mention the site is just the default site setup from the installation of the Certificate Web Services, OCSP Service, and NDES Service. The default site's root directory has permissions for `Everyone` and `ANONYMOUS LOGON` since it also hosts the CSR files for the CAs.

    While it doesn't seem to happen in tandem with the UI error I get, there are errors in the Crypto-NCrypt events, I don't know if that's relevant, but I thought I would go ahead and add it.

    Error	4/7/2021 10:19:04 AM	Crypto-NCrypt	2	Open Provider Failure
    Open Provider operation failed.
    
     Cryptographic Parameters:
     	Provider Name:	Microsoft Platform Crypto Provider
     Failure Information:
     	Return Code:	taskhostw.exe

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 08, 2021 08:59 AM|samwu|LINK

    Hi josh,

    The question should be related to the .NET Framework 3.5; you may need to install "Windows Communication Foundation HTTP Activation" and "Windows Communication Foundation Non-HTTP Activation" under .NET Framework 3.5 in Turn Windows features on or off / Add role and feature.

    Besides, check whether the necessary features under Internet Information Services / World Wide Web Services / Application Development Features in Turn Windows features on or off / Add role and feature have been enabled.

    Best regards,

    Sam

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 08, 2021 12:25 PM|josh-hemphill|LINK

    Yes,

    I installed both activation features and still get the same error and same events.

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 09, 2021 09:07 AM|samwu|LINK

    Hi josh,

    josh-hemphill

    Open Provider operation failed.
    
     Cryptographic Parameters:
     	Provider Name: Microsoft Platform Crypto Provider

    I found that Microsoft Platform Crypto Provider failed to open in the error message, so maybe the problem is with it. You can try to rebuild Microsoft Platform Crypto Provider.

    Best regards,

    Sam

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 12, 2021 04:29 PM|josh-hemphill|LINK

    Hi Sam,

    I'm not sure what you mean by rebuild it. After looking at documentation of what Microsoft Platform Crypto Provider is, I don't think that should be causing the IIS issue since we do not have any HSMs connected.

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 13, 2021 07:47 AM|samwu|LINK

    Hi josh-hemphill,

    You can use the SSLDiag tool to troubleshoot SSL related issues.

    For more information, you can refer to this link: https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-ssl-related-issues-server-certificate.

    Best regards,

    Sam

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 21, 2021 08:22 PM|josh-hemphill|LINK

    Sorry I haven't updated in a bit, I had to resolve some other unrelated PKI problems first.

    I haven't had a chance yet to try using the debugging tool, though I did just discover that the Windows System Log in the event viewer was getting errors that I had missed previously.

    The description reads: "A fatal error occurred while creating a TLS server credential. The internal error state is 10018."

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    	<System>
    		<Provider Name="Schannel" Guid="{1f678132-5938-4686-9fdc-c8ff68f15c85}" />
    		<EventID>36871</EventID>
    		<Version>0</Version>
    		<Level>2</Level>
    		<Task>0</Task>
    		<Opcode>0</Opcode>
    		<Keywords>0x8000000000000000</Keywords>
    		<TimeCreated SystemTime="2021-04-21T20:14:57.674535400Z" />
    		<EventRecordID>16798</EventRecordID>
    		<Correlation ActivityID="{51aa0bed-36e1-0001-4b0d-aa51e136d701}" />
    		<Execution ProcessID="684" ThreadID="800" />
    		<Channel>System</Channel>
    		<Computer>myserver</Computer>
    		<Security UserID="S-1-5-18" />
    	</System>
    	<EventData>
    		<Data Name="Type">server</Data>
    		<Data Name="ErrorState">10018</Data>
    	</EventData>
    </Event>
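
The evidence requested across this thread (what the HRESULT means, the Schannel events, and which key provider holds each certificate's private key) can be gathered in one pass. This is an added example, not part of the original posts; it assumes an elevated Windows PowerShell 5.1 session on the IIS server, .NET Framework 4.6.1 or later, and the `*:443` binding shown in the logs above.

```powershell
# Added example (not from the thread). Run elevated on the IIS server.

# 1. Decode the HRESULT from the IIS dialog. Facility 7 means a wrapped Win32 error.
$hr       = 0x8007054F
$facility = ($hr -shr 16) -band 0x7FF      # 7  = FACILITY_WIN32
$code     = $hr -band 0xFFFF               # 1359
$text     = (New-Object System.ComponentModel.Win32Exception $code).Message
"HRESULT 0x{0:X8}: facility {1}, Win32 error {2} ({3})" -f $hr, $facility, $code, $text

# 2. Schannel "fatal error creating a TLS server credential" events (ID 36871),
#    with the ErrorState field pulled out of the event XML.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Type       = ($data | Where-Object Name -eq 'Type').'#text'
            ErrorState = ($data | Where-Object Name -eq 'ErrorState').'#text'
        }
    } | Format-Table -AutoSize

# 3. For every machine certificate with a private key, show the key algorithm,
#    key size, key storage provider and export policy. A key that cannot be
#    opened by this process is reported rather than skipped.
Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
    $cert = $_
    $row  = [ordered]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        PublicKey  = $cert.PublicKey.Oid.FriendlyName
        Signature  = $cert.SignatureAlgorithm.FriendlyName
        KeySize    = $null; Provider = $null; ExportPolicy = $null; KeyStatus = 'not ECDSA'
    }
    try {
        $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
        if ($ecdsa) {
            $row.KeySize      = $ecdsa.KeySize
            $row.Provider     = $ecdsa.Key.Provider.Provider
            $row.ExportPolicy = $ecdsa.Key.ExportPolicy
            $row.KeyStatus    = 'opened'
        }
    } catch {
        $row.KeyStatus = "open failed: $($_.Exception.Message)"
    }
    [pscustomobject]$row
} | Format-List

# 4. What HTTP.sys currently has registered for the binding (may be empty if the bind failed).
netsh http show sslcert ipport=0.0.0.0:443
```

Comparing the timestamps from step 2 with the moment the binding dialog fails shows whether the Schannel error and the IIS error belong to the same attempt.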
    
  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 22, 2021 08:14 AM|samwu|LINK

    Hi josh-hemphill,

    josh-hemphill

    The description reads: "A fatal error occurred while creating a TLS server credential. The internal error state is 10018."

    Unfortunately, based on this error message, it is impossible to accurately identify the problem. What you need is to use the SSLDiag tool to troubleshoot.

    Best regards,

    Sam

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 22, 2021 03:35 PM|josh-hemphill|LINK

    I just tried to download the SSLDiag tool at the link you gave, but all the download links are dead. I found the download elsewhere, though since it relies on .NET 2.0, it throws some runtime errors on launching.

    Both reports that it runs seem to return correctly with nothing incorrect.

    Here's the main report:

    System Time : Thursday, April 22, 2021 11:19:09 AM Eastern Standard Time
    Processor Architecture : x64
    OS : Microsoft Windows NT 6.2.9200.0
    Microsoft Internet Information Services 10.0
     
    SERVER SSL PROTOCOLS
    PCT 1.0 : Disabled
    SSL 2.0 : Disabled
    SSL 3.0 : Disabled
    TLS 1.0 : Disabled
    SChannel EventLogging : 1 (hex)
    -----
    [W3SVC/1]
    ServerComment   : Default Web Site
    ServerAutoStart   : True
    ServerState           : Started
     
    BINDING : http *:80: 
     
    BINDING : https *:443: 

    Note: We have just recently changed the enabled protocols to only allow TLS 1.2. But the error still persists both before and after that change.

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 22, 2021 03:47 PM|josh-hemphill|LINK

    In the Store Verification report I had three certificates I had tried.

    One has an exportable private key, and one is manually enrolled.

    The report has the following for all three:

    Encryption test passed
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.5.5.7.3.1 Server Authentication
    Certificate is valid

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 23, 2021 08:12 AM|samwu|LINK

    Hi josh,

    josh-hemphill

    In the Store Verification report I had three certificates I had tried.

    One has an exportable private key, and one is manually enrolled.

    The report has the following for all three:

    Is your SSLDiag tool 32bit or 64bit?

    Best regards,

    Sam

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 23, 2021 03:25 PM|josh-hemphill|LINK

    I used the 64bit version.

  • Re: Getting hresult: 0x8007054F error for any certificates

    Apr 26, 2021 07:36 AM|samwu|LINK

    Hi josh,

    josh-hemphill

    I used the 64bit version.

    I also tried to install the SSLDiag tool, but found that it doesn’t seem to be supported.

    You can ask for help from Microsoft support: https://support.microsoft.com

    Best regards,

    Sam
