Choose the right Office to activate: O16 – 2016.
Microsoft support also noted there wouldn’t be any fix or patch coming for this short of the next release. The two last SAC (Semi-Annual-Channel) releases (17) are Server Core and these were not tested for this article. Microsoft said that only the 1607 version of Windows Server 2016 had this issue. The second method, though not recommended, would be to copy the cert file to one of those machines into any folder there and run the certutil -verify command from there. Place the files and the certificate file you’re wanting to check in a separate folder and run it from there.
They suggest you should copy the certutil (and the accompanying ) file from the System32 folder on either a Windows Server 2012 R2, Windows Server 2019 or Windows 10 machine. So, Microsoft’s response was a workaround when using certutil on Windows Server 2016 (Build 1607) for the -verify switch. The Issuance and Application policies are checked. To verify this, the customer ran the certutil utility copied from both Windows 10 and a Windows 2019 Server with positive and expected results on the Windows 2016 Server.
The customer was naturally confused and reached out to Microsoft explaining the issue and the steps he’d taken, and its response confirmed that there is an issue with the certutil.exe utility in Windows Server 2016 (Build 1607). However, running the certutil utility copied from a Windows 2012 R2 Server () and against the same test certificate, the command completed successfully and verified the policies. SubjectAltName: Other Name:Principal Contoso UserĬert: 9da2e8296a7ce657bc7d6affc876d00feaed19d8Ĭannot find object or property. Subject: CN=Rosie Cardel, CN=Users, DC=contoso, DC=com Issuer: CN=Contoso CA2, DC=contoso, DC=com I issued a certificate from a CA where High Assurance and a Legal Issuance policy, as well as EKUS, were specified on the template. Here is the last section of the results from a test certificate on the same build of Windows 2016 to confirm this. Of course, now the customer thought that the certificate was bad, based on a failure to show any customized policies that should have been there, as indeed they were on other certs on other machines from the same Issuing CA. During the verification process, the Issuance and Application policies that were enforced by the Issuing CA were not enumerated and verified. Running the command with no extra options, the command indicates a failure in the output (see figure below). Recently one of our colleagues at nCipher in England related to us an issue reported by one of its customers using the certutil -verify -urlfetch command against an issued end-entity certificate on Windows Server 2016 (Build 1607).