Collection Rule for event with source CertificationAuthority and ID 98 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.98
  • Description:  Certificate Services encountered an error loading key recovery agent certificates.
  • Target:  Certificate Service (2012 R2)
  • Enabled:  On Essential Monitoring

Overridable Parameters

Parameter Name    Default Value    Description    Override
Priority          2
Severity          2

Run As Profiles

Name
Default

Alert Details

Message                            Priority    Severity
AD CS Key Archival and Recovery    High        Critical

Rule Knowledgebase

Summary

Active Directory Certificate Services (AD CS) requires key recovery agent certificates, exchange (XCHG) certificates, and keys in order to support key archival. The functioning of key recovery agent certificates, XCHG certificates, and the cryptographic service providers (CSPs) needed to create them is critical to a public key infrastructure.

Causes

This rule does not contain any causes.

Resolutions

Configure the correct number of key recovery agent certificates

Ensure that the correct number of valid key recovery agent certificates is available to the certification authority (CA). The number of key recovery agent certificates that is needed is set on the Recovery Agents tab in the Certification Authority snap-in.

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To identify specific problems with key recovery agent certificates:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

  • Right-click the CA name, and click Properties.

  • Click the Recovery Agents tab.

  • Check the Status column for the key recovery agent certificates. If any certificate is listed as Expired or Invalid, remove the expired or invalid key recovery agent certificates, then enroll and assign new certificates in their place.

  • If none of these certificates shows a problem, export each certificate to a .cer file, open a command prompt window, and run certutil -verify <path to the .cer file> against each file to check its validity and revocation status.

  • Alternatively, if you have fewer valid key recovery agent certificates than the number specified, you can reduce the number of key recovery agents that are needed on the Recovery Agents tab.

For more information, see http://go.microsoft.com/fwlink/?LinkID=95698.
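The checks in the procedure above, run from the CA host as an added PowerShell example that is not part of the management pack or of Microsoft's tooling. It assumes the CA name is the CertSvc 'Active' registry value, that the required count and the configured KRA thumbprints are the KRACertCount and KRACertHash values under the CA's configuration key, that the KRA certificates sit in the local machine KRA store, and that a non-zero certutil exit code means the chain or revocation check failed:

```powershell
# Added example (not from the management pack). Run elevated on the CA host with Manage CA rights.
# Assumptions: CA name comes from the CertSvc 'Active' value; the required KRA count and the
# configured KRA thumbprints are KRACertCount / KRACertHash under the CA's configuration key;
# the KRA certificates themselves are in the local machine KRA store.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$cfg       = Get-ItemProperty -Path (Join-Path $configKey $caName)
$required  = [int]$cfg.KRACertCount
# KRACertHash is a multi-string; each entry is a thumbprint written as space-separated hex bytes (assumption).
$configured = @($cfg.KRACertHash | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })
Write-Host "CA '$caName': $required KRA certificate(s) required, $($configured.Count) configured."

$tempDir = Join-Path $env:TEMP 'kra-check'
New-Item -ItemType Directory -Path $tempDir -Force | Out-Null
$validCount = 0

foreach ($thumb in $configured) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\KRA | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Warning "KRA thumbprint $thumb is configured but not present in the KRA store."
        continue
    }
    $problems = @()
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter.ToShortDateString())" }

    # Same check as the resolution step: export to .cer, then verify chain and revocation with certutil.
    $cerPath = Join-Path $tempDir "$thumb.cer"
    Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT -Force | Out-Null
    $verifyOutput = & certutil.exe -verify $cerPath 2>&1
    if ($LASTEXITCODE -ne 0) {   # assumption: non-zero means the chain or revocation check failed
        $problems += (($verifyOutput | Select-Object -Last 2) -join ' ')
    }

    if ($problems.Count -eq 0) {
        $validCount++
        Write-Host "OK       $thumb  $($cert.Subject)"
    } else {
        Write-Warning "INVALID  $thumb  $($cert.Subject): $($problems -join '; ')"
    }
}

if ($validCount -lt $required) {
    Write-Warning "$validCount valid KRA certificate(s) but $required required: replace the invalid ones, or lower the count on the Recovery Agents tab."
} else {
    Write-Host "KRA configuration satisfied: $validCount valid, $required required."
}
```

The final warning corresponds to the condition that raises event 98; the per-certificate lines tell you which certificate to replace.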

External References
This rule does not contain any external references.
