| Event Source: | Microsoft-Windows-CertificationAuthority |
| Event ID: | 42 (0x2A) |
| Event log: | Application |
| Event type: | Error |
| Symbolic Name: | MSG_E_CA_CHAIN |
| Event text (English): | Could not build a certificate chain for CA certificate %3 for %1. %2. |
| Event text (German): | Could not create a certificate chain for the %3 certificate authority certificate for %1. %2. |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: CACommonName (win:UnicodeString)
- %2: ErrorCode (win:UnicodeString)
- %3: CACertIdentifier (win:UnicodeString)
Example events
Could not build a certificate chain for CA certificate 2 for ADCS Labor Issuing CA 3. A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING).
Could not build a certificate chain for CA certificate 2 for ADCS Labor Issuing CA 3. The signature of the certificate cannot be verified. 0x80096004 (-2146869244 TRUST_E_CERT_SIGNATURE).
Description
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
This event is logged when one of the certification authority's certificates is no longer recognized as trusted. This can have the following causes:
- The certificate chain cannot be completed (TRUST_E_CERT_SIGNATURE error code).
- The certificate chain can be completed, but the root certification authority is not trusted (error code CERT_E_CHAINING).
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
Typically, the current certification authority certificate should not be affected. Thus, the event usually has no impact on availability, as the certification authority service continues to operate as usual.
See also article "What impact does the revocation of the trust status of a root certification authority certificate have on the certification authority?„.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
Related links:
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
English 
Deutsch