MY0065 Remote Microsoft Certificate Authority Error

[MyID Support]

Error

WebConnector failed in function UpdatePolicies, error -6: CA Error (Error found in CheckPolicy: The underlying connection was closed: An unexpected error occurred on a send.)

Error in LogEvents seen when attempting to set up a Remote Microsoft Certificate Authority

Description

After following the Microsoft CA Integration Guide Document – Section 4: Remote Microsoft Certificate Authority (Untrusted domain). The New Remote CA failed to be detected in MyID and the error above was displayed in the LogEvents.

Cause

· This issue can be caused by disabling TLS 1.0 and/or TLS 1.1 on the Servers.

· This issue can also be caused by specifying the CA machine name incorrectly in the CA Path for the CA’s entry in the Certificate Authorities workflow. If you specify the name incorrectly, the CA will not appear in the drop-down list of CA names.

Resolution

· On the Server hosting the Remote CA run the following to check the CA Name. certutil -config – -ping This will display the CA Name which should match what was entered and is also in the PKIConfig table.

· If TLS 1.0/1.1 are disabled (Which is recommended). There is a registry change that can done that enables this work without enabling re-enabling TLS 1.0/1.1. Extract from the System Security Checklist document below. On the MyID servers hosting the web services, update the registry to enable .NET 4.0 components to make TLS 1.2 connections. In each of the following keys: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 set or create a DWORD SchUseStrongCrypto and set the value to 1. The procedure above configures MyID to allow the use of TLS 1.2. This means that your MyID system will continue to operate when you have disabled TLS versions lower than TLS 1.2. For more information about SSL/TLS, see section 7, Web Site Security.

[Author]

Posts