| Field | Value |
|---|---|
| Event Source | Microsoft-Windows-CertificationAuthority |
| Event ID | 128 (0x80) |
| Event log | Application |
| Event type | Warning |
| Symbolic Name | MSG_W_REQUEST_CONTAINS_AKI |
| Event text (English) | An Authority Key Identifier was passed as part of the certificate request %1. This feature has not been enabled. To enable specifying a CA key for certificate signing, run: "certutil -setreg ca\UseDefinedCACertInRequest 1" and then restart the service. |
| Event text (German) | A job key identifier was passed as part of the %1 certificate request. This feature is not enabled. To specify a certificate authority key for certificate signing, run the certutil -setreg ca\UseDefinedCACertInRequest 1 command and restart the service. |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: RequestId (win:UnicodeString)
Example events
An Authority Key Identifier was passed as part of the certificate request 166131. This feature has not been enabled. To enable specifying a CA key for certificate signing, run: "certutil -setreg ca\UseDefinedCACertInRequest 1" and then restart the service.
Description
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of policies to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
This event occurs when a certificate request includes an Authority Key Identifier (AKI) extension, but the certification authority is not configured to honor it (UseDefinedCACertInRequest is not set), so the AKI is ignored and the request is signed with the CA's current key.
The AKI extension is used, for example, by the Online Responder (OCSP) to have its OCSP response signing certificate signed with a specific certification authority key. This matters when the certification authority has multiple CA certificates (after a renewal with a new key pair): an OCSP response must always be signed by the same CA key that signed the certificate whose revocation status the Online Responder is checking.
See also the article "Allow requesting a specific signature key on a certification authority".
See also Event no. 35 of the Online Responder.
Security assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
If the lifecycle process for certification authorities provides for renewal with a new key pair, an alert should be issued because the availability of the online responder's revocation configuration is affected and errors or undesirable behavior may occur during certificate revocation checks.
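As an added example (not part of the original page), the following PowerShell script implements the check described above: it collects event 128 from the Application log, extracts the RequestId parameter (%1), and reports whether the CA's UseDefinedCACertInRequest setting is enabled, so the two facts can be correlated in an alert. The registry location is the one that `certutil -setreg ca\...` writes to; the `Active` value holding the CA name under the Configuration key is an assumption to verify in your environment. The sample message used by the parsing function is the page's own example event and is embedded so that the parser can be exercised offline on forwarded log text.

```powershell
# Added example: alert on CA event 128 (AKI in request ignored) and correlate
# it with the CA's UseDefinedCACertInRequest setting. Not from the original page.

function Get-CaEvent128 {
    # Query the live Application log on a CA for event 128 from the CA provider.
    param(
        [int]$MaxEvents = 50,
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificationAuthority'
        Id           = 128
        StartTime    = $StartTime
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                # %1 (RequestId, win:UnicodeString) is the only event property
                RequestId   = [string]$_.Properties[0].Value
            }
        }
}

function Get-RequestIdFromMessage {
    # Parse the RequestId out of the rendered English event text, for events
    # that arrive as plain text via a SIEM forwarder rather than from the log.
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match 'certificate request (\d+)\.') { return $Matches[1] }
    return $null
}

function Get-UseDefinedCACertInRequest {
    # Read the CA registry value that "certutil -setreg ca\UseDefinedCACertInRequest 1"
    # sets. Assumption: the active CA name is in the 'Active' value of the
    # Configuration key (verify with: certutil -getreg ca\UseDefinedCACertInRequest).
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active -ErrorAction Stop).Active
    $props = Get-ItemProperty -Path (Join-Path $cfg $caName)
    if ($null -eq $props.UseDefinedCACertInRequest) { return 0 }   # value absent = disabled
    return [int]$props.UseDefinedCACertInRequest
}

# --- Offline check of the parser against the page's example event (constructed input) ---
$sample = 'An Authority Key Identifier was passed as part of the certificate request 166131. ' +
          'This feature has not been enabled. To enable specifying a CA key for certificate signing, ' +
          'run: "certutil -setreg ca\UseDefinedCACertInRequest 1" and then restart the service.'
$parsed = Get-RequestIdFromMessage -Message $sample
if ($parsed -ne '166131') { throw "Parser failed, got '$parsed'" }

# --- Live check on a CA host ---
$events = @(Get-CaEvent128)
if ($events.Count -eq 0) {
    Write-Host 'No event 128 in the last 7 days.'
    return
}

$setting = try { Get-UseDefinedCACertInRequest } catch { -1 }
foreach ($e in $events) {
    $msg = "{0} {1}: request {2} carried an AKI that the CA ignored" -f $e.TimeCreated, $e.Computer, $e.RequestId
    if ($setting -eq 0) {
        # Most relevant case: an OCSP signing request asked for a specific CA key and was
        # signed with the current key instead; revocation checking may break after CA key renewal.
        Write-Warning "$msg (UseDefinedCACertInRequest = 0)."
    } else {
        Write-Host "$msg (UseDefinedCACertInRequest = $setting; check whether the service was restarted)."
    }
}
```

To see which template and requester produced a flagged request, look it up in the CA database with `certutil -view -restrict "RequestId=<id>"`. Run the script under an account with read access to the CA's Application log and the CertSvc configuration key; on a non-CA host only the offline parser section is meaningful.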
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
Related links:
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority