Details of the event with ID 87 of the source Microsoft-Windows-CertificationAuthority

Event Source:Microsoft-Windows-CertificationAuthority
Event ID:87 (0x57)
Event log:Application
Event type:Error
Symbolic Name:MSG_E_BAD_DEFAULT_CA_XCHG_CSP
Event text (English):Active Directory Certificate Services could not use the default provider for encryption keys. %1
Event text (German):Active Directory certificate services could not use the default encryption key provider. %1

Parameter

The parameters contained in the event text are filled with the following fields:

  • %1: ErrorCode (win:UnicodeString)

Example events

Active Directory Certificate Services could not use the default provider for encryption keys. Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)

Description

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

This event can occur if the certificate authority cannot process the value configured under the EncryptionCsp registry value, for example, if a hardware security module (HSM) is used and no keys can be generated.

The value is located under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{Common-name-of-CA}\EncryptionCSP

It is set to the same value as for the certification authority certificate during the installation of the certification authority.

It is used to generate the key pairs for the Certificate Authority Exchange (CA Exchange) certificates. The CA Exchange certificates are used for archiving private keys, but also for the Enterprise PKI (pkiview.msc) management console.

In general, a software key storage provider can be safely used for the certification authority exchange certificates. This can be configured with the following command line command:

certutil -setreg CA\EncryptionCSP\Provider "Microsoft Software Key Storage Provider".

Afterwards, the certification authority service must be restarted for the changes to be accepted.

See also Event 86 and 88.

Safety assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

No description has been written for this yet.

Microsoft rating

Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".

Related links:

External sources

One thought on “Details zum Ereignis mit ID 87 der Quelle Microsoft-Windows-CertificationAuthority”

Comments are closed.

en_USEnglish