Troubleshooting Key Archival and Recovery
Applies To: Windows Server 2008
This topic describes key archival and recovery problems and provides links to procedures for troubleshooting and resolution.
Key archival and recovery events and errors
Key archival and recovery problems can be identified by events and errors that are recorded in the application event log on the CA. Events and errors are recorded during CA startup if key recovery agent certificates are not valid or if the CA is not configured correctly to support key archival. Failed key archival requests are also recorded.
Key archival problems are experienced by domain members as failed certificate requests and error messages.
To troubleshoot specific events, use the links in the following table. To better understand the causes of key archival problems, you can also review the other sections in this topic.
| Event ID | Symbolic name | Description |
|---|---|---|
| | MSG_E_PROCESS_REQUEST_FAILED | Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. |
| | MSG_DN_CERT_DENIED_WITH_INFO | Active Directory Certificate Services denied request %1 because %2. The request was for %3. Additional information: %4 |
| | MSG_E_KRA_NOT_ADVANCED_SERVER | Active Directory Certificate Services key archival is only supported on Enterprise and Datacenter editions of Windows Server. %1 |
| | MSG_E_TOO_FEW_VALID_KRA_CERTS | Active Directory Certificate Services could only verify %1 of %2 key recovery certificates required to enable private key archival. Requests to archive private keys will not be accepted. |
| | MSG_E_LOADING_KRA_CERTS | Active Directory Certificate Services encountered an error loading key recovery certificates. Requests to archive private keys will not be accepted. %1 |
| | MSG_E_INVALID_KRA_CERT | Active Directory Certificate Services will not use key recovery certificate %1 because it could not be verified for use as a Key Recovery Agent. %2 %3 |
| | MSG_E_CANNOT_LOAD_KRA_CERT | Active Directory Certificate Services ignored key recovery certificate %1 because it could not be loaded. %2 %3 |
| | MSG_E_BAD_REGISTRY_CA_XCHG_CSP | Active Directory Certificate Services could not use the provider specified in the registry for encryption keys. %1 |
| | MSG_E_BAD_DEFAULT_CA_XCHG_CSP | Active Directory Certificate Services could not use the default provider for encryption keys. %1 |
| | MSG_E_USE_DEFAULT_CA_XCHG_CSP | Active Directory Certificate Services switched to the default provider for encryption keys. %1 |
| | MSG_E_CANNOT_CREATE_XCHG_CERT | Active Directory Certificate Services could not create an encryption certificate. %1. %2. |
| | MSG_E_TOO_MANY_KRA_INVALID | Active Directory Certificate Services encountered errors validating configured key recovery certificates. Requests to archive private keys will no longer be accepted. |
| | MSG_W_EXPIRATION_KRA_CERT | Key recovery certificate %1 is about to expire and will not be used after it has expired. Contact your administrator to renew this certificate. %2 %3 |
Causes of key archival and recovery problems
Key archival and recovery problems are caused by issues with the following:
- CA configuration
- Key recovery agent certificate status
- Cryptographic service providers (CSPs) that do not support key archival
CA configuration
Key archival configuration includes several items. For procedures to implement key archival, see Implementing Key Archival.
The following configuration issues are common causes of key archival problems:
| Issue | Description | More information |
|---|---|---|
| Key recovery agent certificates are not installed. | Key recovery agent certificates are required for key archival and are loaded during CA startup. If none are installed, follow the procedures in Implementing Key Archival. | |
| Too few key recovery agent certificates. | One or more key recovery agent certificates can be used to encrypt archived keys. The number of key recovery agent certificates required by the CA to encrypt an archived key is configurable, and must be equal to or less than the number of valid installed key recovery agent certificates. | |
| Incompatible CSP. | The specified CSP must support digital signature and encryption operations. The default CSP is compatible with key archival. | |
Key recovery agent certificate status
Key recovery agent certificate status depends on the results of certificate chain validation and revocation status checking, which are performed on key recovery agent certificates during CA startup. Certificate chain validation depends on the availability of all CA certificates in the certificate chain. Certificates that are not present in the computer's certificate cache are retrieved from remote servers. Certificate revocation status depends on the availability of revocation data from certificate revocation lists (CRL) or online certificate status protocol (OCSP) servers.
Network conditions or other issues that prevent retrieval of CA certificates or CRLs can cause certificate validation to fail. If a key recovery agent certificate or another certificate in its certificate chain has been revoked or has expired, the key recovery agent certificate is not valid for key archival and recovery operations.
Use the Key Recovery Agents tab on the CA properties sheet to verify the status of key recovery agent certificates.
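The following PowerShell script is an added example, not part of the original article, that repeats from the command line the checks described in the two preceding sections: it reads the CA's key archival settings, locates each configured key recovery agent certificate in the local computer's KRA store, builds its chain with online revocation checking and the Key Recovery Agent application policy, and compares the number that validate against the configured count. The registry value names (KRACertCount, KRACertHash), the KRA store name and the Key Recovery Agent EKU OID are assumptions about the CA's configuration; `certutil -getreg CA\KRACertCount` shows the same setting if you want to confirm it.

```powershell
# Added example: re-runs the CA's startup checks for key recovery agent (KRA)
# certificates. Run on the CA with administrative rights.
# Assumed registry layout and store name (verify on your CA):
#   HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>
#     KRACertCount  number of KRA certificates used for each archived key
#     KRACertHash   thumbprints of the configured KRA certificates
#   Cert:\LocalMachine\KRA  store holding the KRA certificates
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$caCfg   = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)
$required   = [int]$caCfg.KRACertCount
$configured = @(@($caCfg.KRACertHash) | Where-Object { $_ } |
               ForEach-Object { ($_ -replace '\s', '').ToUpper() })
# Key Recovery Agent enhanced key usage (assumed OID, szOID_KP_KEY_RECOVERY_AGENT)
$kraEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.4.1.311.21.6'

if ($required -eq 0) { 'Key archival is not enabled on this CA (KRACertCount is 0).'; return }

$valid = 0
foreach ($thumb in $configured) {
    $cert = Get-ChildItem Cert:\LocalMachine\KRA | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { Write-Warning "$thumb is configured but not in the KRA store"; continue }

    # Build the chain the way the CA does at startup: every CA certificate in the
    # chain must be available, revocation is checked online (CRL/OCSP) for the
    # entire chain, and the certificate must be valid for the KRA application policy.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.ApplicationPolicy.Add($kraEku) | Out-Null
    if ($chain.Build($cert)) {
        $valid++
        "OK   $thumb  $($cert.Subject)  expires $($cert.NotAfter)"
    } else {
        # ChainStatus explains why: expired, revoked, revocation data unavailable, untrusted, wrong EKU
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "BAD  $thumb  $($cert.Subject): $why"
    }
}

"Valid KRA certificates: $valid of $($configured.Count) configured; CA requires $required per archived key"
if ($valid -lt $required) {
    Write-Warning 'Too few valid KRA certificates: the CA will reject key archival requests after startup.'
}
```

A certificate reported as BAD only because revocation data could not be retrieved points at the network or CRL/OCSP availability problems described above rather than at the certificate itself.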
Review the event logs on the CA to find key recovery agent certificate validation errors or certificate request failures. Use the events and errors table in the previous section to find troubleshooting procedures for specific errors.
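As an added example (not part of the original article), this PowerShell script pulls the key archival related events the CA has written to the Application log and summarizes them by event ID, so each one can be matched to the symbolic names in the table above. The provider name is an assumption about the CA's event source; adjust it if the events on your CA are logged under a different source.

```powershell
# Added example: summarizes key archival related CA events from the Application log.
# Run on the CA. ProviderName is assumed to be the AD CS CA event source.
param([int]$Days = 7)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    StartTime    = (Get-Date).AddDays(-$Days)
}
# Phrases taken from the event descriptions in the table above.
$pattern = 'key recovery|archive private keys|encryption keys|encryption certificate|' +
           'denied request|could not process request'

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match $pattern }
if (-not $events) { "No key archival related CA events in the last $Days day(s)."; return }

# One line per event ID: how often it fired, when it was last seen, and the
# first line of the most recent message text.
$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    $last = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    New-Object PSObject -Property @{
        EventId  = $_.Name
        Level    = $last.LevelDisplayName
        Count    = $_.Count
        LastSeen = $last.TimeCreated
        Message  = ($last.Message -split "`r?`n")[0]
    }
} | Format-Table EventId, Level, Count, LastSeen, Message -AutoSize -Wrap
```

Events logged at CA startup (KRA certificate validation and encryption-provider problems) appear once per service start, so widen `-Days` if the service has not restarted recently.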
CSP support for key archival operations
In order to securely transmit and archive private keys, CSPs on CAs and domain member computers must support symmetric and asymmetric encryption. Additionally, support is required for generating exportable keys, either by manually submitting a certificate request and selecting the option to allow the key to be exported or by using the CRYPT_ARCHIVABLE flag with the CryptGenKey function during programmatic key generation.
Key archival errors during certificate enrollment
When a CA cannot perform key archival operations, certificate and key archival requests are denied by the CA, and domain members receive error messages indicating a failure.
When using the Certificates snap-in and Certificate Enrollment wizard to submit a certificate and key archival request, the following error message is displayed if the request is denied:
The certificate request is incorrect. Cannot archive private key. The certification authority is not configured for key archival.
When using CA Web pages, the following error message is displayed if the request is denied:
Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.
The CA also records error event 21 in the application event log.