Collection Rule for event with source CertificationAuthority and ID 95 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.95
  • Description:  Certificate Services could not start: security permissions have been corrupted.
  • Target:  Certificate Service (2012 R2)
  • Enabled:  On Essential Monitoring

Overridable Parameters

Parameter Name Default Value Description Override
Priority 2  
Severity 2  

Run As Profiles


Alert Details

Message Priority Severity
AD CS Registry Settings High Critical

Rule Knowledgebase


Active Directory Certificate Services (AD CS) records critical configuration settings in the registry and may not start or function properly if this information becomes corrupted or is deleted.

This rule does not contain any causes.

Fix certification authority security permissions

Information about essential security permissions is stored in the registry and is needed for a certification authority (CA) to function properly.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To resolve security permission problems:

  • Confirm that security descriptors have been corrupted.

  • If you have a backup of the registry, restore registry settings from the backup.

  • If you have a backup of the CA, you can restore the CA from the backup.

  • If the restore procedure fails, create a CA debug log and contact Microsoft Customer Service and Support. For more information, see

Confirm security descriptor corruption

To confirm that CA security descriptors have been corrupted:

  • Open a command prompt window.

  • Type certutil -getreg ca\security and press ENTER.

Restore CA registry settings

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To restore registry settings from a hive file:

  • On the computer hosting the CA, click Start, type regedit, and then press ENTER.

  • Select the keys in which you want to restore the hive.

  • On the File menu, click Import, and then select the drive, folder, or network computer and folder in which the hive is located.

  • In Files of type, click Registry Hive Files, and select the correct file name for the hive.

  • Click Open. When a message appears indicating that the hive has been successfully imported, click OK.

Restore a CA from a backup

Note: To complete this procedure, you need to have created a backup of your CA prior to the failure, including registry settings, private key and CA certificate, certificate database, and database log.

To restore a CA:

  • If you had to reinstall Windows, apply all current service packs and security updates before restoring the CA, and reinstall Active Directory Certificate Services (AD CS).

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

  • Right-click the name of the CA, and click Stop.

  • Import the registry hive for the CA by using the previous procedure.

  • In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Restore CA.

  • When the Certification Authority Restore Wizard starts, click Next, and then click Private keyand CA certificate.

  • Click Certificate database and certificate database log.

  • Type the backup folder location, and then click Next.

  • Verify the backup settings. The Issued Log and Pending Requests settings should be displayed.

  • Click Finish, and then click Yes to restart AD CS.

Create a CA debug log

To create a debug log:

  • On the computer hosting the CA, click Start, type cmd and press ENTER.

  • Type certutil -setreg ca\debug 0xffffffe3 and press ENTER.

  • Click Start, point to Administrative Tools, and click Services.

  • Select the Active Directory Certificate Services service, and click Start.

  • When you have reproduced the issue, locate the certsrv.log file containing advanced diagnostic information in the %windir% directory.

  • When you have finished generating the diagnostics, open a command prompt window, type certutil -delreg ca\debug and press ENTER to disable debugging.

External References
This rule does not contain any external references.

See Also for Active Directory Certificate Services Management Pack

Downloads for Active Directory Certificate Services Management Pack