Collection Rule for event with source CertificationAuthority and ID 127 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.2.CertSvcEvents.127
  • Description:  Key recovery agent certificate is about to expire.
  • Target:  Certificate Service (2012)
  • Enabled:  On Essential Monitoring

Run As Profiles

Name
Default

Rule Knowledgebase

Summary

Active Directory Certificate Services (AD CS) requires key recovery agent certificates, exchange (XCHG) certificates, and keys in order to support key archival. The functioning of key recovery agent certificates, XCHG certificates, and the cryptographic service providers (CSPs) needed to create them is critical to a public key infrastructure.

Causes
This rule does not contain any causes.
Resolutions

Renew the key recovery agent certificate that is about to expire

A key recovery agent (KRA) certificate that has expired can no longer be used to archive new keys. To continue using key archival, renew the KRA certificate before it expires and then register the renewed certificate with the CA. The CA references KRA certificates by their hash, so renewing the certificate on its own does not change the CA's configuration. Keep the old KRA certificate and its private key: keys that were archived while it was valid were encrypted to that key and can only be recovered with it.

To perform the renewal, you must be the user who was enrolled for the key recovery agent certificate. Registering the renewed certificate with the CA requires CA administrator permissions on the CA.

To renew a key recovery agent certificate:

  • Click Start, type certmgr.msc, and press ENTER.

  • In the console tree, double-click Certificates - Current User, double-click Personal, and click Certificates.

  • Right-click the key recovery agent certificate and point to All Tasks. Either click Renew Certificate with New Key, or point to Advanced Operations and click Renew This Certificate with the Same Key, to start the Certificate Renewal Wizard. Renewing with a new key is the more conservative choice; it does not affect recovery of keys archived under the old certificate as long as the old private key is kept.

  • Follow the steps in the wizard to renew the certificate. If the Key Recovery Agent template requires CA certificate manager approval (its default setting), the request stays pending until a certificate manager issues it, and the renewed certificate is installed only after that. The renewed certificate must also be published to Active Directory (the Key Recovery Agent template does this by default); otherwise it does not appear in the CA's Key Recovery Agent Selection dialog.

To register the renewed certificate with the CA:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

  • In the console tree, click the name of the CA.

  • On the Action menu, click Properties.

  • Click the Recovery Agents tab, and then click Archive the key.

  • In Number of recovery agents to use, type the number of key recovery agent certificates that will be used to encrypt each archived key. The number must be between one and the number of key recovery agent certificates that have been configured. Click Add.

  • In Key Recovery Agent Selection, click the renewed key recovery agent certificate, and click OK. The certificate should appear in the Key recovery agent certificates list with its status listed as Not loaded. If the expiring certificate is no longer wanted for new archivals, remove it from this list; removing it here does not delete the certificate or its private key from the KRA's store, and both are still needed to recover keys archived under it.

  • Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status of the certificates should be listed as Valid.
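The following PowerShell script is an added example for the procedure above; it is not part of the management pack or of AD CS. It inventories the KRA certificates in the current user's Personal store, reports the remaining lifetime, and compares each thumbprint against the KRA hashes the CA is configured with, so that a renewed certificate the CA does not yet reference (or an expiring one it still references) stands out. Assumptions: it runs in an elevated PowerShell session on the CA host as the user who holds the KRA certificate, the 30-day warning threshold is this script's own choice, and the CA configuration is read from the CertSvc registry key that the Recovery Agents tab writes to.

```powershell
# Added example, not code from the management pack or from AD CS.
# Assumes: elevated PowerShell on the CA host, run as the KRA certificate holder.

$KraEkuOid = '1.3.6.1.4.1.311.21.6'   # szOID_KP_KEY_RECOVERY_AGENT
$WarnDays  = 30                       # assumed threshold; the CA's own event 127 uses its own schedule

function Get-KraCertificate {
    # Every certificate in the current user's Personal store that carries the
    # Key Recovery Agent EKU, with its remaining lifetime.
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku -and ($eku.EnhancedKeyUsages.Value -contains $KraEkuOid)) {
            [pscustomobject]@{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint.ToUpperInvariant()
                NotAfter      = $_.NotAfter
                DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
                HasPrivateKey = $_.HasPrivateKey
            }
        }
    }
}

function Get-CaKraHash {
    # SHA-1 hashes of the KRA certificates the CA is configured to use: the same
    # list the Recovery Agents tab shows, stored as REG_MULTI_SZ under the active
    # CA's configuration key (assumed location; absent if key archival is off).
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg).Active
    $reg    = Get-ItemProperty -Path "$cfg\$caName" -Name KRACertHash -ErrorAction SilentlyContinue
    if (-not $reg) { return @() }
    # certutil writes the hash as space-separated hex; normalise to a thumbprint.
    $reg.KRACertHash | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }
}

$kraCerts = @(Get-KraCertificate)
$caHashes = @(Get-CaKraHash)

if (-not $kraCerts) { Write-Warning 'No KRA certificate found in Cert:\CurrentUser\My.' }

foreach ($c in $kraCerts) {
    $registered = $caHashes -contains $c.Thumbprint
    $state = if ($c.DaysLeft -lt 0)          { 'EXPIRED'  }
             elseif ($c.DaysLeft -le $WarnDays) { 'EXPIRING' }
             else                              { 'OK'       }
    '{0,-8} {1,5}d  onCA={2,-5} privKey={3,-5} {4}  {5}' -f `
        $state, $c.DaysLeft, $registered, $c.HasPrivateKey, $c.Thumbprint, $c.Subject
}

# A certificate that is EXPIRING and onCA=True needs the two procedures above.
# Command-line equivalent of the certmgr.msc renewal step (opens the enrollment UI;
# add ReuseKeys to keep the same key pair):
#   certreq -enroll -user -cert <Thumbprint> Renew [ReuseKeys]
# A renewed certificate shows onCA=False until it is added on the Recovery Agents
# tab; the CA must then be restarted for its status to change from Not loaded:
#   Restart-Service certsvc

# Any certificate that shows onCA=False but privKey=True and was ever used for
# archival must be kept: it is the only way to recover keys archived under it.
```

Run the script twice: once before renewal, where the expiring certificate should appear as EXPIRING with onCA=True, and once after the CA restart, where the renewed certificate should appear as OK with onCA=True and a private key present.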

External References
This rule does not contain any external references.
