Collection Rule for event with source CertificationAuthority and ID 3 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.3
  • Description:  Certificate Services failed to process a request.
  • Target:  Certificate Service (2012 R2)
  • Enabled:  On Essential Monitoring

Overridable Parameters

Parameter Name   Default Value   Description   Override
Priority         2
Severity         2

Run As Profiles

Name
Default

Alert Details

Message                                             Priority   Severity
AD CS Certificate Request (Enrollment) Processing   High       Critical

Rule Knowledgebase

Summary

One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.

Causes

This rule does not contain any causes.

Resolutions

Correct problems that prevent certificate requests from being processed

A number of problems can prevent a certificate request from being processed. If the event log message does not contain all the information you need to correct the problem, additional errors and warnings preceding or following this event log message can help you identify the cause. 

To identify and resolve problems that can block certificate request processing, you should:

  • Confirm the certificate chain for the certification authority (CA).

  • Generate and publish new certificate revocation lists (CRLs).

  • Confirm the configured CRL distribution points.

  • If these steps do not resolve the problem, check the failed requests queue on the CA for information about why the request failed.

To perform the following procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm the certificate chain for the CA

To validate the chain for the CA:

  1. Click Start, type mmc, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

  4. Click Computer account, and click Next.

  5. Select the computer hosting the CA, click Finish, and then click OK.

  6. Select each CA certificate in the certificate chain, and click View Certificate.

  7. Click the Details tab, and click Copy to File to start the Certificate Export Wizard. Save each certificate with a .cer extension.

  8. Open a command prompt and run the following command on each CA certificate: certutil -urlfetch -verify <CAcert.cer> and then press ENTER. Replace <CAcert.cer> with the name of a CA certificate file that you saved in step 7.

  9. Use the same command with a certificate file for an end-entity (user or computer) certificate issued by the CA to confirm CRLs for the CA itself as well as its chain.

  10. Resolve any problems identified in the command line output.

Generate and publish new CRLs

If the command line output indicates that a CRL for a CA has expired, generate new base and delta CRLs on the CA and copy them to the required locations. You may need to restart an offline CA to do this.

On the CA, check the current published CRL. By default, the CA creates CRLs in the folder %windir%\System32\CertSrv\CertEnroll. If the CRLs currently in this location have expired or are invalid, you can use the following procedure to publish a new CRL.

To publish a new CRL by using the Certification Authority snap-in:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

  • Select the CA, and expand the folders below the CA name.

  • Right-click the Revoked Certificates folder.

  • Click All Tasks, and then click Publish.

You can also generate and publish CRLs from a command prompt.

To publish a CRL by using the Certutil command-line tool:

  • On the computer hosting the CA, click Start, type cmd and press ENTER.

  • Type certutil -CRL and press ENTER.

If a CRL is identified as unavailable but a valid CRL exists in the local directory on the CA, confirm that the CA can connect to the CRL distribution point, and then use the preceding steps to generate and publish CRLs again.

CRLs can be published manually to Active Directory Domain Services (AD DS) by using the following command:

certutil -dspublish "<crlname.crl>" "ldap:///CN=<CA name>,CN=<CA hostname>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<contoso>,DC=<com>?certificateRevocationList?base?objectClass=cRLDistributionPoint"

Replace <crlname.crl> with the name of your CRL file, <CA name> and <CA hostname> with your CA name and the name of the host on which that CA runs, and <contoso> and <com> with the namespace of your Active Directory domain.

Confirm configured CRL distribution points

Check all configured CRL distribution points to confirm that publication was successful and that new CRLs are available on the network.

To check the configured CRL distribution points by using the Certification Authority snap-in:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

  • Right-click the name of the CA, and click Properties.

  • Click the Extensions tab.

  • Review the configured CRL distribution points to make sure the information is correct.

To check the configured CRL distribution point URLs by using Certutil:

  • Open a command prompt window on the CA.

  • Type the following command: certutil -getreg ca\crlpublicationurls and press ENTER.

Check the failed requests queue on the CA

To check the failed requests queue on the CA by using the Certification Authority snap-in:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

  • Click the Failed Requests folder.

  • Look for failed requests that were submitted at or near the time of the event, and check columns such as the Request Disposition Message, Request Status Code, and Requester Name for additional diagnostic information.

To check failed requests by using Certutil:

  • On the computer hosting the CA, click Start, type cmd and press ENTER.

  • Type certutil -view LogFail and press ENTER.

  • Type certutil -view -restrict "RequestID=<nnn>" and press ENTER. Replace <nnn> with the Request ID of one of the failed requests in the output of the LogFail command.
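The four checks above (CA chain, CRL freshness, configured CRL distribution points, failed requests near the event) can be run in one pass from an elevated PowerShell session on the CA host. This is an added example, not part of the management pack or its knowledge article; it assumes certutil.exe is on the PATH, the account has Manage CA permission, and the time of the event ID 3 is passed in as $EventTime.

```powershell
# Added example (not from the management pack): certutil-based triage that
# mirrors the manual steps in the knowledge article. Assumes an elevated
# session on the CA host and Manage CA permission.
param([datetime]$EventTime = (Get-Date), [int]$WindowMinutes = 30)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Confirm the CA chain: export the CA's own certificate, then fetch and
#    validate every AIA and CDP URL in its chain. certutil prefixes
#    chain/revocation problems with "ERROR:".
$caCert = Join-Path $env:TEMP 'ca-chain-check.cer'
certutil -ca.cert $caCert | Out-Null
certutil -urlfetch -verify $caCert 2>&1 |
    Where-Object { $_ -match '^\s*ERROR|revoked|expired|offline' } |
    ForEach-Object { $findings.Add("Chain: $_") }

# 2. CRL freshness: parse NextUpdate from certutil -dump for every CRL in the
#    default publication folder and flag the ones that have already expired.
$enroll = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
foreach ($crl in Get-ChildItem $enroll -Filter *.crl) {
    $m = certutil -dump $crl.FullName | Select-String 'NextUpdate:\s*(.+)$' | Select-Object -First 1
    $next = $null
    if ($m -and [datetime]::TryParse($m.Matches[0].Groups[1].Value, [ref]$next) -and $next -lt (Get-Date)) {
        $findings.Add("CRL expired: $($crl.Name) (NextUpdate $next)")
    }
}

# 3. Configured CRL distribution points, straight from the CA registry.
$findings.Add("CDP config:`n" + ((certutil -getreg ca\CRLPublicationURLs) -join "`n"))

# 4. Failed requests submitted within the window around the event, pulled
#    from the LogFail view as CSV (header row and certutil footer dropped).
$cols = 'RequestID,Request.SubmittedWhen,Request.StatusCode,Request.DispositionMessage,Request.RequesterName'
$rows = certutil -out $cols -view LogFail csv |
    Where-Object { $_ -notmatch '^CertUtil:' } | Select-Object -Skip 1 |
    ConvertFrom-Csv -Header 'RequestID','SubmittedWhen','StatusCode','Disposition','Requester'
foreach ($r in $rows) {
    $when = $null
    if ([datetime]::TryParse($r.SubmittedWhen, [ref]$when) -and
        [math]::Abs(($when - $EventTime).TotalMinutes) -le $WindowMinutes) {
        $findings.Add("Failed request $($r.RequestID) by $($r.Requester): $($r.StatusCode) $($r.Disposition)")
    }
}

$findings   # one line per problem found; empty means all four checks passed
```

Date parsing uses the session's current culture, which is what certutil prints in, so run it in the same locale as the CA.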

External References
This rule does not contain any external references.
