Collection Rule for event with source CertificationAuthority and ID 62 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.62
  • Description:  Certificate Services has reverted to default certificate revocation list (CRL) publication values.
  • Target:  Certificate Service (2012 R2)
  • Enabled:  On Essential Monitoring

Run As Profiles

Name
Default

Rule Knowledgebase

Summary

Providing clients with the information that they need to determine whether to trust a certificate is one of the most important security functions of a certification authority (CA) and public key infrastructure (PKI). For the administrator, this means promptly revoking untrusted certificates that have not reached their scheduled expiration dates and publishing this information in certificate revocation lists (CRLs). Monitoring and addressing problems with CRL publication and availability is a critical aspect of PKI security.

Causes
This rule does not contain any causes.
Resolutions

Configure AD CS to use user-specified CRL publication values

Active Directory Certificate Services (AD CS) is running but is using default certificate revocation list (CRL) publication period settings instead of the user-specified values. To fix this error:

  • Check and, if necessary, correct CRL publication settings.

  • If necessary, modify CRL registry keys.

Check and correct CRL publication settings

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To check and fix correct publication settings:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

  • Right-click Revoked Certificates, and click Properties.

  • Note the listed CRL and delta CRL publication intervals.

  • If one of the settings is not valid, use the procedure "Modify CRL registry settings" to configure a valid setting.

To use the Certutil command-line tool to determine the configured CRL publication settings:

  • On the computer hosting the CA, click Start, type cmd and press ENTER.

  • Type certutil -getreg ca\crlperiod* and press ENTER, and then type certutil -getreg ca\crldeltaperiod* and press ENTER.

  • If one of these settings is not valid, use the following procedure to configure a valid setting.

Modify CRL registry keys

To perform this procedure, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

To set valid registry keys:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  • On the computer hosting the CA, click Start, type regedit, and then press ENTER.

  • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\ Configuration\CA name.

  • Enter valid registry values for CRLPeriod and CRLDeltaPeriod. Valid values are Years, Months, Weeks, Days, or Hours.

  • Enter valid registry values for CRLPeriodUnits and CRLDeltaPeriodUnits. Valid values are integers (1, 15, or 31, for example).

Note: The text CA name in the actual registry key will be replaced by the name of your CA.

External References
This rule does not contain any external references.

See Also for Active Directory Certificate Services Management Pack


Downloads for Active Directory Certificate Services Management Pack

AZURE OPTIMIZATION ASSESSMENT GET STARTED
MIGRATION TO AZURE GET STARTED
SYSTEM CENTER MIGRATION TO AZURE GET STARTED
MIGRATION TO AZURE FOR SQL AND WINDOWS 2008 GET STARTED