| Event Source: | Microsoft-Windows-CertificationAuthority |
| Event ID: | 97 (0x61) |
| Event log: | Application |
| Event type: | Warning |
| Symbolic Name: | MSG_CLAMPED_BY_CA_CERT |
| Event text (English): | Active Directory Certificate Services %1 will reduce the maximum lifetime of the issued certificate for request %2 because the CA certificate lifetime is shorter than the registry validity period. Consider renewing the CA certificate or reducing the registry validity period. |
| Event text (German): | From Active Directory Certificate Services %1, the maximum validity period of the issued certificate for request %2 is reduced because the validity period of the certificate authority certificate is shorter than the registration validity period. You should renew the certification authority certificate or shorten the registration validity period. |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: CACommonName (win:UnicodeString)
- %2: RequestId (win:UnicodeString)
Example events
Active Directory Certificate Services Fabrikam Issuing CA 1 will reduce the maximum lifetime of the issued certificate for request 12345 because the CA certificate lifetime is shorter than the registry validity period. Consider renewing the CA certificate or reducing the registry validity period.
Description
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
This event occurs when an issued certificate can no longer reach the full configured validity period, as it is limited by the expiration date of the certification authority certificate.
The Microsoft Certification Authority is implemented according to the shell model, i.e. no issued certificate can be valid longer than the parent Certification Authority certificate.
This event can thus be an indication that the certification authority certificate urgently needs to be renewed or the existing certificate templates need to be migrated to a new certification authority with a longer validity period.
The event occurs regardless of the certificate validity configured in the certificate template. It is triggered when the value configured in the certificate authority registry ("ValidityPeriod" and "ValidityPeriodUnits") exceeds the remaining validity period. Thus, the result occurs even if there is no problem yet for the specific certificate template.
The event occurs only when the Logging level has been set to 4 (CERTLOG_VERBOSE) or higher for the event log of the relevant certification authority.
The event has also already been identified as a false alarm in correlation to Event with ID 77 of the source Microsoft-Windows-CertificationAuthority sighted.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
In the long term, there is a risk that no new certificates can be issued. Availability is therefore threatened.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
Related links:
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
English 
Deutsch
2 thoughts on “Details zum Ereignis mit ID 97 der Quelle Microsoft-Windows-CertificationAuthority”
Comments are closed.