Collection Rule for event with source CertificationAuthority and ID 48 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.2.CertSvcEvents.48
  • Description:  Revocation cannot be checked
  • Target:  Certificate Service (2012)
  • Enabled:  On Essential Monitoring

Overridable Parameters

Parameter Name Default Value Description Override
Priority 2  
Severity 2  

Run As Profiles

Name
Default

Alert Details

Message Priority Severity
AD CS Certification Authority Certificate and Chain Validation High Critical

Rule Knowledgebase

Summary

Chain or path validation is the process by which end-entity (user or computer) certificates and all certification authority (CA) certificates are processed hierarchically until the certificate chain terminates at a trusted, self-signed certificate. Typically, this is a root CA certificate. Active Directory Certificate Services (AD CS) startup can fail if there are problems with availability, validity, and chain validation for the CA certificate.

Causes
This rule does not contain any causes.
Resolutions

Load and confirm a valid CA certificate and chain

You need to confirm that a valid certification authority (CA) certificate is accessible in order for certificate chain validation to take place. You can resolve problems associated with locating a valid CA certificate by confirming that:

  • A valid CA certificate is available on the computer hosting the CA.

  • A valid CA certificate exists in the AIA container.

  • The CA certificate chain can be validated.

  • If a certificate revocation list (CRL) for a CA in the chain has expired, a new CRL is generated.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm that a valid CA certificate exists on the computer hosting the CA

To confirm that a valid CA certificate is available on the computer hosting the CA:

  • Click Start, type mmc, and then press ENTER.

  • If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  • On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

  • Click Computer account, and click Next.

  • Click Finish, and then click OK.

  • In the console tree, click Certificates (Local Computer), and then click Personal.

  • Confirm that a CA certificate that has not expired exists in this store. 

Confirm that a valid CA certificate exists in the AIA container

To confirm that a valid CA certificate exists in the AIA container:

  • Click Start, point to Administrative Tools, and click Active Directory Sites and Services.

  • Click Active Directory Sites and Services [domainname].

  • On the View menu, click Show Services Node.

  • Double-click Services, double-click Public Key Services, and click AIA.

  • Confirm that a CA certificate that has not expired exists in the AIA container.

Validate the CA certificate chain

To validate a CA certificate chain:

  • Open a command prompt window.

  • Type certutil -urlfetch -verify on the CA certificate, and press ENTER.

  • Confirm that the AIA container and CRL distribution point network locations are available, that all certificates in the chain are valid and not revoked, and that valid CRLs are available.

  • If the AIA or CRL distribution point locations are not available, identify and resolve the problem that is preventing them from being accessed.

  • If any certificates in the chain have expired or been revoked, renew these certificates. If a CA certificate needs to be reissued, all certificates under this certificate in the chain will need to be reissued.

  • If a CRL for a CA in the chain has expired, generate new base and delta CRLs on this CA and copy them to the required locations.

  • If the CA is offline, you may need to restart it.

Check and publish CRLs

To check and, if necessary, publish new CRLs:

  • On the CA that is the source of the problem, check the current published CRL, which by default is created in the folder %windir%\System32\CertSrv\CertEnroll.

  • If the CRLs currently in this location have expired or are invalid, open a command prompt window, type certutil -CRL and press ENTER to publish a new CRL.

To generate new base and delta CRLs:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and select Certification Authority.

  • In the console tree, click Revoked Certificates.

  • On the Action menu, point to All Tasks, and click Publish. 

  • Select New CRL to overwrite the previously published CRL, or select Delta CRL only to publish a current delta CRL.

To create a CRL by using the Certutil command-line tool:

  • On the computer hosting the CA, click Start, type cmd and press ENTER.

  • Type certutil -CRL and press ENTER.

To publish CRLs to AD DS by using the Certutil command-line tool:

  • Open a command prompt window.

  • Type certutil -dspublish "<crlname.crl>" ldap:///CN=<CA name>,CN=<CA hostname>,CN=CDP,CN=Public Key Services,CN=Ser vices,CN=Configuration,DC=<contoso>,DC=<com>?certificateRevocationList?base?objectClass=cRLDistributionPoint and press ENTER.

Replace crlname.crl with the name of your CRL file, CA name and CA hostname with your CA name and the name of the host on which that CA runs, and contoso and com with the namespace of your Active Directory domain.

External References
This rule does not contain any external references.

See Also for Active Directory Certificate Services Management Pack


Downloads for Active Directory Certificate Services Management Pack

AZURE OPTIMIZATION ASSESSMENT GET STARTED
MIGRATION TO AZURE GET STARTED
SYSTEM CENTER MIGRATION TO AZURE GET STARTED
MIGRATION TO AZURE FOR SQL AND WINDOWS 2008 GET STARTED