Event ID 97 — AD CS Certificate Request (Enrollment) Processing

Applies To: Windows Server 2008 R2

One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.

Event Details

Product: Windows Operating System
ID: 97
Source: Microsoft-Windows-CertificationAuthority
Version: 6.1
Symbolic Name: MSG_CLAMPED_BY_CA_CERT
Message: Active Directory Certificate Services %1 will reduce the maximum lifetime of the issued certificate for request %2 because the lifetime of the CA certificate is shorter than the validity period set in the registry. Consider renewing the CA certificate or reducing the validity period in the registry.

Resolve

Submit a certificate request with an appropriate validity period

The validity period of any certificate issued by a certification authority (CA) must be shorter than the remaining validity period of the CA certificate. If a certificate is issued with a validity period that has been truncated from the value that was contained in the certificate template or the certificate request, it means that the validity period of the CA certificate did not permit the requested value to be used. To resolve these problems, you can:

  • Renew the CA certificate.
  • Check and, if necessary, correct the validity period for a certificate template.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Renew a CA certificate

To renew a CA certificate:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
  2. In the console tree, select the CA name.
  3. On the Action menu, point to All Tasks, and then click Renew CA.
  4. Click Yes to restart the CA.

After the CA certificate has been renewed, submit your certificate request again.

Check and correct the validity period for a certificate template

To check and correct the configured validity period for a certificate template:

  1. On the computer hosting the CA, click Start, type certtmpl.msc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. Right-click the template named in the event description, click Properties, and note the Validity period listed on the General tab.
  4. To compare this value to the value configured in the registry, at a command prompt, type **certutil -getreg ca\validity** and press ENTER.
  5. Confirm that the registry validity period is greater than the certificate template validity period and that the expiration time of the CA certificate allows sufficient validity period to issue certificates based on the template. 

For information about changing the configured validity period, see article 254632 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=95694).
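The comparison in step 5 can be worked through with a short PowerShell function. This is an added example, not Microsoft code: the function names, parameters, and sample dates are constructed for illustration, and it assumes the issued certificate expires at the earliest of the template limit, the registry limit, and the CA certificate's expiration, as described above.

```powershell
# Added example: models the three limits described on this page.
# Function names, parameters, and sample values are hypothetical.
function Add-Validity([datetime]$From, [int]$Units, [string]$Period) {
    switch ($Period) {
        'Years'  { return $From.AddYears($Units) }
        'Months' { return $From.AddMonths($Units) }
        'Weeks'  { return $From.AddDays(7 * $Units) }
        'Days'   { return $From.AddDays($Units) }
        default  { throw "Unsupported validity period '$Period'" }
    }
}

function Test-ValidityClamp {
    param(
        [datetime]$RequestTime,                        # when the request is processed
        [datetime]$CaNotAfter,                         # expiration of the CA certificate
        [int]$TemplateUnits, [string]$TemplatePeriod,  # General tab of the template
        [int]$RegistryUnits, [string]$RegistryPeriod   # from certutil -getreg ca\validity
    )
    $byTemplate = Add-Validity $RequestTime $TemplateUnits $TemplatePeriod
    $byRegistry = Add-Validity $RequestTime $RegistryUnits $RegistryPeriod

    # The earliest of the three dates is the limit that actually applies.
    $limits  = @{ Template = $byTemplate; Registry = $byRegistry; CACertificate = $CaNotAfter }
    $binding = $limits.GetEnumerator() | Sort-Object Value | Select-Object -First 1

    # Last request date on which the full template lifetime still fits
    # inside the CA certificate's remaining lifetime.
    $fullUntil = Add-Validity $CaNotAfter (-$TemplateUnits) $TemplatePeriod

    New-Object PSObject -Property @{
        IssuedNotAfter    = $binding.Value
        LimitedBy         = $binding.Key
        # Condition stated in the Event 97 message: the CA certificate
        # expires before the registry validity period would end.
        Event97Expected   = ($CaNotAfter -lt $byRegistry)
        TemplateTruncated = ($binding.Value -lt $byTemplate)
        FullLifetimeUntil = $fullUntil
    }
}

# Constructed sample: a 2-year template and registry limit, but the
# CA certificate expires in under a year.
Test-ValidityClamp -RequestTime ([datetime]'2024-03-01') `
    -CaNotAfter ([datetime]'2025-01-15') `
    -TemplateUnits 2 -TemplatePeriod Years `
    -RegistryUnits 2 -RegistryPeriod Years | Format-List
```

For the sample values, the result is limited by the CA certificate, and FullLifetimeUntil shows the date by which the CA certificate needed to be renewed to keep issuing full two-year certificates.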

Verify

To perform this procedure, you must have permission to request a certificate.

To confirm that certificate request processing is working properly:

  1. Click Start, type certmgr.msc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the console tree, double-click Personal, and then click Certificates.
  4. On the Action menu, point to All Tasks, and click Request New Certificate to start the Certificate Enrollment wizard. 
  5. Use the wizard to create and submit a certificate request for any type of certificate that is available.
  6. Under Certificate Installation Results, confirm that the enrollment completes successfully and no errors are reported. You can also click Details to view additional information about the certificate.
