Collection Rule for event with source CertificationAuthority and ID 51 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.2.CertSvcEvents.51
  • Description:  A certificate in the chain for the CA certificate has been revoked.
  • Target:  Certificate Service (2012)
  • Enabled:  On Essential Monitoring

Overridable Parameters

Parameter Name   Default Value   Description   Override
Priority         2
Severity         2

Run As Profiles

Name
Default

Alert Details

Message                                                          Priority   Severity
AD CS Certification Authority Certificate and Chain Validation   High       Critical

Rule Knowledgebase

Summary

Chain or path validation is the process by which end-entity (user or computer) certificates and all certification authority (CA) certificates are processed hierarchically until the certificate chain terminates at a trusted, self-signed certificate. Typically, this is a root CA certificate. Active Directory Certificate Services (AD CS) startup can fail if there are problems with availability, validity, and chain validation for the CA certificate.

Causes

This rule does not contain any causes.

Resolutions

Reissue certificates in the chain for a revoked CA certificate

Although it is not common for a certification authority (CA) certificate to be revoked, it can happen. To resolve this situation:

  • Confirm that the CA certificate has been revoked.

  • Ask a CA administrator if the revocation was deliberate or unintended. If the certificate was revoked intentionally, then no further action is needed. 

  • If it was revoked unintentionally, the CA certificate and every certificate in the branch must be reissued through enrollment or autoenrollment.

  • If the problem persists, enable CryptoAPI 2.0 Diagnostics to identify and resolve additional errors that might be causing the problem.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm that a CA certificate has been revoked

To confirm that a CA certificate has been revoked:

  • Open a command prompt window.

  • Type certutil -urlfetch -verify <CAcert.cer> and press ENTER.

Replace CAcert.cer with the name of the CA certificate file.
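The same check can be scripted so that a revoked chain element is told apart from the case where revocation status simply could not be fetched (a CDP/AIA availability problem, which needs a different fix). The following PowerShell script is an added example, not part of the management pack: it builds the chain for an exported CA certificate with the .NET X509Chain API, forcing online revocation checking of every element, and then runs the certutil command from the step above as a cross-check. The certificate path is an assumption.

```powershell
# Added example (not part of the management pack): build the chain for a CA
# certificate with online revocation checking of every element and report
# whether something is revoked, or whether revocation status is merely unknown.
param(
    [string]$CertPath = 'C:\PKI\CAcert.cer'   # assumed: exported CA certificate (DER or Base64)
)

$ns    = 'System.Security.Cryptography.X509Certificates'
$cert  = New-Object "$ns.X509Certificate2" -ArgumentList $CertPath
$chain = New-Object "$ns.X509Chain"

# Check revocation for the whole chain, not just the end entity, and fetch
# CRL/OCSP data online instead of trusting whatever is in the local cache.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

$valid = $chain.Build($cert)

# One line per chain element, leaf first, with that element's own status flags.
foreach ($element in $chain.ChainElements) {
    $status = if ($element.ChainElementStatus.Count -eq 0) { 'OK' }
              else { ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ',' }
    '{0,-40} {1}' -f $status, $element.Certificate.Subject
}

$flags   = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
$revoked = $chain.ChainStatus | Where-Object { $_.Status.HasFlag($flags::Revoked) }
$unknown = $chain.ChainStatus | Where-Object {
    $_.Status.HasFlag($flags::RevocationStatusUnknown) -or $_.Status.HasFlag($flags::OfflineRevocation)
}

if ($revoked) {
    Write-Warning 'A certificate in the chain is revoked; the CA certificate and everything issued under it must be reissued.'
    $revoked | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
} elseif ($unknown) {
    Write-Warning 'Revocation status could not be determined (CRL/OCSP endpoint unreachable?); fix CDP/AIA availability before treating this as a revocation.'
} elseif ($valid) {
    'Chain builds and no certificate in it is revoked.'
} else {
    Write-Warning ('Chain build failed: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','))
}

# Cross-check with the tool named in the resolution steps; -urlfetch forces fresh
# CRL and AIA downloads rather than using cached copies.
certutil -urlfetch -verify $CertPath | Select-String -Pattern 'Revoked', 'ERROR', 'Verifies'
```

Run the script from an elevated prompt on the CA host so that the same proxy and network path the CA service uses are exercised. A result of RevocationStatusUnknown or OfflineRevocation is not the condition this rule describes; only the Revoked flag on a chain element confirms it.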

To enroll for a CA certificate

To enroll for a CA certificate:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and then click Certification Authority.

  • Right-click the CA name, select All Tasks and click Request CA Certificate.

  • Select the request file and the name of the CA or computer hosting a parent CA to process the request and complete the enrollment.

  • After the CA certificate has been installed, you will have to reissue all certificates that had been issued using the revoked CA certificate.

Enable CryptoAPI 2.0 Diagnostics

To enable CryptoAPI 2.0 Diagnostics:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer.

  • In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.

  • Right-click Operational, and click Enable Log.

  • Click Start, point to Administrative Tools, and click Services.

  • Right-click Active Directory Certificate Services, and click Restart.

  • Scan the CAPI2 diagnostics log for information that relates to this error.
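The procedure above, done from the command line so it can be repeated on every CA host, is shown in the following PowerShell script. It is an added example and not part of the management pack: it enables the CAPI2 Operational log, restarts the AD CS service (Windows service name CertSvc) so that startup chain validation is logged, lists the CAPI2 errors written since the restart, and finally checks the Application log for the event this rule collects (source CertificationAuthority, ID 51, both taken from the rule header). The log and provider names are the Windows names; the time window is an assumption.

```powershell
# Added example (not part of the management pack): enable CAPI2 diagnostics,
# restart AD CS, and pull the errors that startup chain validation produced.
$capi2 = 'Microsoft-Windows-CAPI2/Operational'

# Equivalent of Event Viewer > CAPI2 > Operational > Enable Log.
wevtutil sl $capi2 /e:true

$since = Get-Date                  # assumed window: everything after this restart
Restart-Service -Name CertSvc      # Active Directory Certificate Services; startup re-validates the CA chain

# Level 2 = Error. -ErrorAction hides the "no events found" error when the log is clean.
$capi2Errors = Get-WinEvent -FilterHashtable @{ LogName = $capi2; Level = 2; StartTime = $since } `
                            -ErrorAction SilentlyContinue

$capi2Errors |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Task    = $_.TaskDisplayName               # which CAPI2 operation (chain build, revocation, ...) failed
            Summary = ($_.Message -split "`r?`n")[0]    # first line of the message carries the result
        }
    } | Format-Table -AutoSize

# The event this rule collects: Application log, source CertificationAuthority, ID 51.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'CertificationAuthority'; Id = 51; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# CAPI2 logging is verbose; disable it again once the investigation is finished:
# wevtutil sl $capi2 /e:false
```

The CAPI2 log records each chain build and revocation check separately, so a revoked CA certificate shows up as a revocation-check failure for the issuing CA's certificate rather than for the CA's own certificate; read the Task column together with the message before deciding which certificate to reissue.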

External References
This rule does not contain any external references.
