{"id":11988,"date":"2026-02-04T17:35:48","date_gmt":"2026-02-04T22:35:48","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=11988"},"modified":"2026-02-04T17:35:48","modified_gmt":"2026-02-04T22:35:48","slug":"venafi-cert-issuance-fails-after-windows-2022-upgrade","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=11988","title":{"rendered":"Venafi Cert Issuance Fails after Windows 2022 Upgrade"},"content":{"rendered":"<h3>Certificate Issuance Fails<\/h3>\n<p>After requesting a certificate, the request immediately fails with the error:<\/p>\n<p>Failed to post CSR with error: Unknown certificate profile type.<\/p>\n<p>I <em>think<\/em> it is just a coincidence, but wanted to document the scenario in case it comes up again. The application makes web calls to a vendor API to issue certs. The API calls, after the upgrade, were failing.<\/p>\n<p>In this scenario, a call was being made to {base_url}\/api\/ssl\/v1\/types, and the connection failed. Since the list of valid certificate profiles could not be retrieved, the request failed saying the certificate profile was unknown.<\/p>\n<p>GET <a href=\"https:\/\/hard.cert-manager.com\/api\/ssl\/v1\/types?organizationId=####\">https:\/\/hard.cert-manager.com\/api\/ssl\/v1\/types?organizationId=####<\/a><\/p>\n<p>Looking at a debug trace, the following flow was observed:<\/p>\n<ul>\n<li>Authentication headers sent: login=&lt;REDACTED&gt;, password=&lt;REDACTED&gt;, customerUri=&lt;REDACTED&gt;<\/li>\n<li>Transport-level failure (no HTTP status returned on the failing attempt)\n<ul>\n<li>Symptoms: \u201cDecrypt failed with error 0X90317\u201d followed by \u201cThe underlying connection was closed: The connection was closed unexpectedly.\u201d<\/li>\n<li>Context: Revocation checks reported \u201crevocation server was offline,\u201d then the client proceeded; long idle\/keep-alive reuse likely contributed to the close.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>Connection reuse vs server 
keep-alive: Apache is advertising Keep-Alive: timeout=3. The .NET client is reusing long-idle TLS connections via the proxy; by the time it sends application data, the server\/proxy has already closed the session, leading to \u201cunderlying connection was closed\u201d errors.<\/p>\n<p>Revocation checks through the proxy: The .NET trace shows \u201crevocation server was offline\u201d before proceeding. That extra handshake work plus proxy blocking CRL\/OCSP can increase latency and contribute to idle reuse issues.<\/p>\n<p>.NET SChannel quirks: Older HttpWebRequest\/ServicePoint behaviors (Expect100-Continue, connection pooling) can interact poorly with short keep-alive servers\/proxies.<\/p>\n<p>Luckily, this is a .NET application, and you can create custom configuration files for .NET apps. In the folder with the binary, look for a text file named BinaryName.exe.config.<\/p>\n<p>If none exists, create one. The following disables the proxy:<\/p>\n<p>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;<br \/>\n&lt;configuration&gt;<br \/>\n&lt;system.net&gt;<br \/>\n&lt;!-- Turn off use of the system proxy for this app --&gt;<br \/>\n&lt;defaultProxy enabled=&quot;true&quot;&gt;<br \/>\n&lt;proxy usesystemdefault=&quot;false&quot; \/&gt;<br \/>\n&lt;\/defaultProxy&gt;<br \/>\n&lt;\/system.net&gt;<br \/>\n&lt;\/configuration&gt;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Certificate Issuance Fails After requesting a certificate, the request immediately fails with the error: Failed to post CSR with error: Unknown certificate profile type. I think it is just a coincidence, but wanted to document the scenario in case it comes up again. The application makes web calls to a vendor API to issue certs. 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[2170,2169],"class_list":["post-11988","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-net","tag-venefi"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11988"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11988\/revisions"}],"predecessor-version":[{"id":11989,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11988\/revisions\/11989"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}