Certificate thumbprint displayed in MMC certificate snap-in has extra invisible unicode character


Symptoms


If you try and copy and paste thumbprint from this snap-in, an extra (invisible) unicode character is being copied also. This can lead to problems that are non-obvious. For example, copy and paste thumbprint into notepad. It appears that thumbprint is copied correctly, but if you try to save document, it reports that the document contains unicode characters.

If you try to copy paste this thumbprint into an application that asks for a certificate thumbprint, this can lead to errors where the invisible unicode character is unknowingly included. For example, there is a scenario in virtual machine manager that asks for a certificate thumbprint. Copy/pasting from this snap-in will lead to a non-obvious failure due to included unicode character.

One of the applications affected with this case is SQL Server when the certificate is needed for SSL Encrytopn of SSL connections. If simply copying the thumbpint from the certificate GUI and pasting it in  with the invisible character, SQL Server fails to start.

Cause


This is caused by an issue in Richedit control which is used for the Certificate UI.

Resolution


The following workarounds can be used:

1. Instead of using certificates snap-in and certificate GUI, use certutil command line tool:
- "certutil -store -user my" for the user certificates or,
- "certutil -store my" for the machine certificates.

The thumbprint can be located in the line that starts with "Cert Hash(sha1)"

Cert Hash(sha1): e8 12 4b 42 c4 04 fd ca 8c ec 21 f1 91 76 5c b7 c3 ad 1d 55

 2. When using certificates snap-in and certificate GUI, do NOT copy "extra space" that appears before the certificate thumbpint from the Richedit control.