MS CS with Yubihsm2 - The device that is required by this cryptographic provider is not ready for use. 0x880090030 (-2146893776 NTE_DEVICE_NOT_READY)

Anonymous
2024-11-06T15:00:24+00:00

Hi Colleagues,

I am in charge of a Microsoft CA with an offline Root and several online SubCAs. The SubCAs use a YubiHSM2 to store their keys. The HSMs are directly slotted into the servers, so there is no network in between. In general, the CA works as expected and the issuing of certificates works just fine.

However, I now have a problem that I can't seem to figure out. Whenever my colleagues try to provision several clients with autoenroll certificates, my "Failed Requests" fills with a bunch of different error messages (see attached picture). After a while (up to several hours) the certificates are then eventually issued. My guess is that the HSM runs into an issue, but it should have enough resources to handle the load and the number of concurrent sessions shouldn't be at the maximum that is mentioned in the specs.

Unfortunately, I can't make much sense of it.

I have several questions:

  1. Has anybody experienced this problem already? How was it solved?
  2. How can I increase visibility or loglevel to get additional information? I already upped the loglevel via certutil but that didn't have the desired result.
  3. Can you recommend a way forward?
  4. Could there be an issue with the CA itself?
  5. How can I figure out which system has the issue so I can try and troubleshoot?

Cheers,

D

Windows Server Identity and access Certificates and public key infrastructure (PKI)

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2024-11-06T15:20:45+00:00

    Hello D0611,

    Thank you for posting in Microsoft Community forum.

    It looks like you're encountering an error with the YubiHSM2 cryptographic device. The error code 0x880090030 (NTE_DEVICE_NOT_READY) suggests that the device is not ready for use.

    Here are a few steps you can take to troubleshoot this issue:

    1. Check Device Connection:

    Ensure that the YubiHSM2 device is properly connected to your computer. Try unplugging it and plugging it back in. If it's connected via USB, try a different USB port.

    2. Install/Update Drivers:

    Make sure that the correct drivers for the YubiHSM2 device are installed. You can download the latest drivers from the Yubico website.

    3. Check Software Dependencies:

    Ensure that any necessary software dependencies or libraries required for the YubiHSM2 are installed and up to date.

    4. Reboot Your System:

    Sometimes, simply rebooting your computer can resolve device not ready issues.

    5. Check for Conflicts:

    Ensure that no other applications are conflicting with access to the YubiHSM2. Close any other software that might be using the device.

    6. Verify Device Status:

    Use any provided utility tools from Yubico to check the status of the YubiHSM2 device.

    Also, you can open PKIview.msc to check CA health.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou
