Microsoft CA issues

nmpuk 21 Reputation points
2021-03-03T01:22:39.013+00:00

I have a test environment with an offline root CA, and a member server as a SubCA \ issuing CA.

During installation of the issuing CA, the original Issuing CA cert was revoked and a new cert issued. The revoked cert shows correctly as revoked in the properties of the CA, and the replacement shows as well.

Having checked the certsrv website, the correct (valid) cert is showing in the site properties so don't think that the old cert is being used anywhere.

However, I'm seeing a few issues. On server restart, the following error is logged in the event log. I cannot understand why this is an issue. Any thoughts?

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 09/11/2020 15:39:51
Event ID: 51
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: app001.domain.eng
Description:
A certificate in the chain for CA certificate 0 for APP001-CA has been revoked. The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" />
<EventID>51</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-11-09T15:39:51.249248000Z" />
<EventRecordID>103898</EventRecordID>
<Correlation />
<Execution ProcessID="1784" ThreadID="1788" />
<Channel>Application</Channel>
<Computer>app001.domain.eng</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="MSG_E_CA_CERT_REVOKED">
<Data Name="CACommonName">APP001-CA</Data>
<Data Name="ErrorCode">The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)</Data>
<Data Name="CACertIdentifier">0</Data>
</EventData>
</Event>

Other issues I'm having include problems with permissions on templates, and issuing certs with private keys, but would like to rule the above out first.

Any suggestions welcome.

Thanks


Accepted answer
  1. Vadims Podāns 9,116 Reputation points MVP
    2021-03-03T06:53:55.663+00:00

    On server restart, the following error is logged in the event log. I cannot understand why this is an issue. Any thoughts?

    It is expected behavior and requires no action from your side. You can safely ignore it. On service start, the CA checks all its certificates for validity and finds that the previous one is revoked. Since you have a new certificate, you can ignore this event message.

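A way to confirm which of the CA's own certificates fails the start-up validity check the answer describes, as an added example that is not from the thread or from Microsoft: it exports every CA certificate index with certutil and builds each chain with online revocation checking, so index 0 (the "CA certificate 0" in event 51) should come back revoked and the current, highest index should be clean. It assumes it runs as a CA administrator on the issuing CA and that the root CA's CRL distribution point is reachable; the CA config string is a placeholder built from the names in the question.

```powershell
# Added example, not code from the thread. Run as a CA administrator on the issuing CA.
param(
    # Placeholder built from the question's hostname and CA name; use your own "<host>\<CA name>".
    [string]$CAConfig = "app001.domain.eng\APP001-CA"
)

# certutil reports the number of CA certificates (original plus renewals) as "CA cert count: N".
$countText = certutil -config $CAConfig -CAInfo certcount | Out-String
if ($countText -match 'count:\s*(\d+)') { $count = [int]$Matches[1] }
else { throw "Could not read CA cert count from certutil output:`n$countText" }

$results = for ($i = 0; $i -lt $count; $i++) {
    # Export CA certificate index $i; this index is what event 51 calls "CA certificate 0".
    $file = Join-Path $env:TEMP ("cacert{0}.cer" -f $i)
    $null = certutil -config $CAConfig -ca.cert $file $i
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file

    # Build the chain with online revocation checking of every element, which is the
    # check that produces CRYPT_E_REVOKED for a CA certificate revoked by the root CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($cert)
    $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Index      = $i
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        ChainValid = $valid
        Revoked    = ($chain.ChainStatus.Status -contains 'Revoked')
        Status     = if ($flags) { $flags } else { 'NoError' }
    }
    $chain.Reset()
    Remove-Item $file -ErrorAction SilentlyContinue
}

$results | Format-Table -AutoSize

# Event 51 is only expected for older indexes; the current certificate (highest index) must chain cleanly.
$current = $results | Sort-Object Index | Select-Object -Last 1
if (-not $current.ChainValid) {
    Write-Warning "Current CA certificate (index $($current.Index)) does not validate: $($current.Status)"
}
```

If every index reports RevocationStatusUnknown or OfflineRevocation rather than Revoked, the root's CRL is not reachable from the issuing CA, which is a separate problem from the expected event 51.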

2 additional answers

  1. Fan Fan 15,326 Reputation points Microsoft Vendor
    2021-03-03T02:14:06.513+00:00

    Hi,

    Before going further, I would recommend you publish the new CRL to AD and other locations.
    Then open pkiview on the issuing CA and check if there are any errors.

    Best Regards,


  2. nmpuk 21 Reputation points
    2021-03-04T01:01:49.333+00:00

    Thank you for that, that's very helpful. I'm having some issues with permissions on templates, which brought this up. This was previously working, but I recently attempted to request a certificate and am getting errors relating to permissions on certificate templates, as below.

    No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory

    Permissions are delegated through a group for read and enrol on certificate templates, and 'Issue & Manage certificates' and 'Request certificates' on the Issuing CA.

    I don't see any other relevant errors in the logs, but users in this delegated group simply cannot submit a request on the http://server/certsrv/en-us portal with the above error message.

    Enterprise admins can submit new requests when tested.

    Permissions on IIS are configured for Windows Authentication only, and the app pool for CertSrv is configured for NetworkService.

    Thoughts?