Microsoft CA issues

nmpuk 21 Reputation points
2021-03-03T01:22:39.013+00:00

I have a test environment with an offline root CA, and a member server as a SubCA \ issuing CA.

During installation of the issuing CA, the original Issuing CA cert was revoked and a new cert issued. The revoked cert shows correctly as revoked in the properties of the CA, and the replacement shows as well.

Having checked the certsrv website, the correct (valid) cert is showing in the site properties so don't think that the old cert is being used anywhere.

However, I'm seeing a few issues. On server restart, the following error is logged in the event log. I cannot understand find why this is an issue. Any thoughts?

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 09/11/2020 15:39:51
Event ID: 51
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: app001.domain.eng
Description:
A certificate in the chain for CA certificate 0 for APP001-CA has been revoked. The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" />
<EventID>51</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-11-09T15:39:51.249248000Z" />
<EventRecordID>103898</EventRecordID>
<Correlation />
<Execution ProcessID="1784" ThreadID="1788" />
<Channel>Application</Channel>
<Computer>app001.domain.eng</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="MSG_E_CA_CERT_REVOKED">
<Data Name="CACommonName">APP001-CA</Data>
<Data Name="ErrorCode">The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)</Data>
<Data Name="CACertIdentifier">0</Data>
</EventData>
</Event>

Other issues I'm having include problems with permissions on templates, and issuing certs with private keys, but would like to rule the above out first.

Any suggestions welcome.

Thanks

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,760 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vadims Podāns 9,111 Reputation points MVP
    2021-03-03T06:53:55.663+00:00

    On server restart, the following error is logged in the event log. I cannot understand find why this is an issue. Any thoughts?

    it is expected behavior and requires no actions from your side. You safely can ignore it. On service start, CA checks all its certificates for validity and found that previous is revoked. Since you have new certificate you can ignore this event message.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Fan Fan 15,306 Reputation points Microsoft Vendor
    2021-03-03T02:14:06.513+00:00

    Hi,

    Before going further, i would recommend you publish the new CRL to AD and other locations.
    Then open the pkiview on the issue CA and check if there are any errors.

    Best Regards,


  2. nmpuk 21 Reputation points
    2021-03-04T01:01:49.333+00:00

    Thank you for that, thats very helpful. I'm having some issues with permissions on templates, which brought this up. This was previously working but recently attempted to request a certificate and getting errors relating to permission errors on certificate templates, as below.

    No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occured while accessing the Active Directory

    Permissions are delegated through a group for read and enrol on certificate templates, and 'Issue & Manage certificates' and 'Request certificates' on the Issuing CA.

    I don't see any other relevent errors on the logs but users in this delegated group simply cannot submit a request on the http://server/certsrv/en-us portal with the above error message.

    Enterprise admins can submit new requests when tested.

    Permissions on IIS is configured for Windows Authentication only, and the app pool for CertSrv is configured for NetworkService.

    Thoughts?