Collection Rule for event with source CertificationAuthority and ID 10 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.10
  • Description:  Certificate Services cannot verify revocation status.
  • Target:  Certificate Service (2012 R2)
  • Enabled:  On Essential Monitoring

Run As Profiles

Name
Default

Rule Knowledgebase

Summary

One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.

Causes
This rule does not contain any causes.
Resolutions

Correct problems that can prevent revocation checking

Revocation checking succeeds only when every certificate in the chain can be verified; if the revocation status of any certificate in the chain cannot be determined (for example, because a CRL distribution point or OCSP responder is unreachable), the check fails. To fix this:

Confirm the certificates in the chain for the certification authority (CA).

Identify and correct resource problems that could be preventing revocation checking.

Enable CryptoAPI 2.0 Diagnostics to identify and resolve more advanced issues that can prevent revocation checking.

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm the certificate chain for the CA

To validate the chain for the CA:

Click Start, type mmc, and then press ENTER.

If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

Click Computer account, and click Next.

Select the computer hosting the CA, click Finish, and then click OK.

Select each CA certificate in the certificate chain.

On the Action menu, point to All Tasks, and click Export to start the Certificate Export Wizard. Save each certificate with a .cer extension.

Click Start, type cmd and press ENTER.

Type the following command for each exported CA certificate, and press ENTER: certutil -urlfetch -verify <CAcert.cer>. The -urlfetch option forces certutil to download the AIA, CRL distribution point, and OCSP URLs named in the certificate rather than relying on cached copies, so the output shows whether each revocation source is actually reachable from the CA.

Run the same command again to check CRLs for the CA that was supposed to issue the certificate, as well as its chain.

Resolve any problems that are identified in the output from the command.
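The export-and-verify procedure above can be run from PowerShell instead of the MMC wizard. The following script is an added example, not part of the management pack or of certutil; it assumes an elevated PowerShell session on the CA host and locates the CA's own certificate in the machine Personal store by a subject substring (the pattern 'Contoso' is a placeholder). It builds the chain locally, exports each element as a DER .cer file, runs certutil -urlfetch -verify on each one, and summarises which elements failed.

```powershell
# Added example (not from the management pack): export the CA certificate chain
# and run 'certutil -urlfetch -verify' against every element.
# Assumes an elevated session on the CA host; $CaSubjectPattern is a placeholder.

$CaSubjectPattern = 'Contoso'          # assumption: substring of the CA's subject name
$OutDir = Join-Path $env:TEMP 'ca-chain-check'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The CA's own certificate lives in the machine Personal store and has a private key.
$caCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$CaSubjectPattern*" -and $_.HasPrivateKey }
if (-not $caCerts) { throw "No CA certificate matching '$CaSubjectPattern' found in Cert:\LocalMachine\My." }

$results = foreach ($caCert in $caCerts) {
    # Build the chain locally so every issuer up to the root is exported, not just the CA cert.
    # Revocation is left to certutil below, which reports per-URL results.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($caCert)

    $index = 0
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $file = Join-Path $OutDir ("{0}-{1}.cer" -f $caCert.Thumbprint.Substring(0, 8), $index)
        $index++
        [IO.File]::WriteAllBytes($file, $cert.Export('Cert'))   # DER-encoded .cer

        # -urlfetch retrieves AIA/CDP/OCSP URLs instead of using cached copies;
        # certutil exits non-zero when chain building or revocation checking fails.
        $output = & certutil.exe -urlfetch -verify $file 2>&1 | Out-String
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            File       = $file
            Passed     = ($LASTEXITCODE -eq 0)
            # Keep the lines that name the failure (e.g. CRYPT_E_REVOCATION_OFFLINE) for a quick view.
            Errors     = (($output -split "`r?`n") |
                          Where-Object { $_ -match 'ERROR|FAILED|OFFLINE|Revocation' }) -join '; '
        }
    }
}

$results | Format-Table Subject, Passed, Errors -AutoSize -Wrap
$results | Where-Object { -not $_.Passed } | ForEach-Object {
    Write-Warning "Chain or revocation check failed for $($_.Subject); full certutil output is available by rerunning on $($_.File)"
}
```

Because the script exercises the same URLs the CA uses at runtime, a failure reported here for an intermediate or root element points at the same unreachable CRL or OCSP source that triggers event ID 10.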

To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

Identify and correct resource problems that can prevent revocation checking

To check that revocation checking is not prevented by a hardware problem:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Performance Monitor (called Reliability and Performance Monitor on Windows Server 2008) to assess memory and disk usage on the CA.

If necessary, increase Windows resources by adding physical memory, virtual memory, or physical storage.

Enable CryptoAPI 2.0 Diagnostics

To enable CryptoAPI 2.0 Diagnostics:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer.

In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.

Right-click Operational, and click Enable Log.

Click Start, point to Administrative Tools, and click Services.

Right-click Active Directory Certificate Services, and click Restart.
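The same steps can be scripted so that the log is enabled, the service restarted, and the resulting CAPI2 failures summarised in one pass. This is an added example, not part of the management pack; it assumes an elevated PowerShell session on the CA host and a 30-second wait for the service's startup chain and revocation checks to be logged.

```powershell
# Added example (not from the management pack): enable the CAPI2 Operational log,
# restart Active Directory Certificate Services, and summarise CAPI2 errors/warnings.
# Assumes an elevated PowerShell session on the CA host.

$logName = 'Microsoft-Windows-CAPI2/Operational'

# Equivalent of Event Viewer > CAPI2 > Operational > Enable Log. The default size
# fills quickly on a busy CA, so give the log room while diagnosing.
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) {
    $log.IsEnabled = $true
    $log.MaximumSizeInBytes = 64MB
    $log.SaveChanges()
}

# Restart AD CS (service name CertSvc) so its chain and revocation checks are logged.
$since = Get-Date
Restart-Service -Name CertSvc -Force

# Wait for the startup checks, then pull CAPI2 errors (Level 2) and warnings (Level 3).
Start-Sleep -Seconds 30
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Level     = 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No CAPI2 errors or warnings logged since $since."
} else {
    # Grouping by task (e.g. Verify Revocation, Retrieve Object from Network)
    # shows which stage of chain processing is failing.
    $events | Group-Object TaskDisplayName |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize

    # Show the most recent failures with the URL and certificate details from the event payload.
    $events | Select-Object -First 10 | ForEach-Object {
        $xml = [xml]$_.ToXml()
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Task   = $_.TaskDisplayName
            Detail = (($xml.Event.UserData.InnerXml -replace '<[^>]+>', ' ') -replace '\s+', ' ').Trim()
        }
    } | Format-List
}
```

Once the cause has been found and fixed, disable the Operational log again (set IsEnabled back to $false and call SaveChanges()), since CAPI2 logging is verbose and is not intended to stay on permanently.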

For more information about certificate revocation and status checking, see http://go.microsoft.com/fwlink/?LinkID=124408.

External References
This rule does not contain any external references.
