Collection Rule for event with source CertificationAuthority and ID 85 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.2.CertSvcEvents.85
  • Description:  Certificate Services could not use a key recovery agent certificate.
  • Target:  Certificate Service (2012)
  • Enabled:  On Essential Monitoring

Run As Profiles

Name
Default

Rule Knowledgebase

Summary

Active Directory Certificate Services (AD CS) requires key recovery agent certificates, exchange (XCHG) certificates, and keys in order to support key archival. The functioning of key recovery agent certificates, XCHG certificates, and the cryptographic service providers (CSPs) needed to create them is critical to a public key infrastructure.

Causes
This rule does not contain any causes.
Resolutions

Identify and use a valid key recovery agent certificate

To resolve this issue, identify why the key recovery agent certificate in use cannot be used. Generally, a key recovery agent certificate becomes unusable when it has expired or has been revoked.

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To examine the validity of the key recovery agent certificate:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

  • Right-click the certification authority (CA) name, and click Properties.

  • Click the Recovery Agents tab, and check whether the key recovery agent certificate whose index is listed in the event log is shown as Expired or Invalid. To check its validity, confirm its validity dates and confirm that it contains the extended key usage (EKU) extension indicating that the certificate can be used for key recovery.

  • If a certificate has expired or is not valid, remove the invalid key recovery agent certificate and assign a new one. You may need to issue a new key recovery agent certificate before it can be registered with the CA.

For more information, see http://go.microsoft.com/fwlink/?LinkID=95698.
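
The validity checks in the procedure above can also be scripted on the computer hosting the CA. The following PowerShell is an added example, not part of the management pack: it assumes the CA's key recovery agent certificates are in the LocalMachine\KRA certificate store and that the key recovery EKU is the Key Recovery Agent OID 1.3.6.1.4.1.311.21.6; the function name Test-KraCertificate is hypothetical.

```powershell
# Added example (not from the management pack): audit KRA certificates on the CA host.
# Assumption: the CA's key recovery agent certificates are in the LocalMachine\KRA store.
$KraEkuOid = '1.3.6.1.4.1.311.21.6'   # Key Recovery Agent extended key usage

function Test-KraCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [datetime]$AsOf = (Get-Date)
    )
    $problems = @()

    # Validity dates, as shown on the Recovery Agents tab
    if ($AsOf -lt $Certificate.NotBefore) { $problems += 'NotYetValid' }
    if ($AsOf -gt $Certificate.NotAfter)  { $problems += 'Expired' }

    # The EKU extension must list the Key Recovery Agent purpose
    $ekuOids = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($ekuOids -notcontains $KraEkuOid) { $problems += 'MissingKeyRecoveryAgentEku' }

    # Build the chain with revocation checking to catch revoked certificates
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode   = 'Online'
    $chain.ChainPolicy.RevocationFlag   = 'EntireChain'
    $chain.ChainPolicy.VerificationTime = $AsOf
    if (-not $chain.Build($Certificate)) {
        $problems += $chain.ChainStatus | ForEach-Object { "Chain:$($_.Status)" }
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems | Select-Object -Unique) -join ', '
    }
}

# Report every certificate in the KRA store, unusable ones first
Get-ChildItem -Path Cert:\LocalMachine\KRA |
    ForEach-Object { Test-KraCertificate -Certificate $_ } |
    Sort-Object Usable |
    Format-Table -AutoSize -Wrap
```

A certificate reported as Expired, Chain:Revoked, or MissingKeyRecoveryAgentEku is a candidate for the removal and replacement step in the procedure.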

External References
This rule does not contain any external references.
