| Event Source: | Microsoft-Windows-CertificationAuthority |
| Event ID: | 86 (0x56) |
| Event log: | Application |
| Event type: | Warning |
| Symbolic Name: | MSG_E_BAD_REGISTRY_CA_XCHG_CSP |
| Event text (English): | Active Directory Certificate Services could not use the provider specified in the registry for encryption keys. %1 |
| Event text (German): | Active Directory certificate services could not use the encryption key provider specified in the registry. %1 |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: ErrorCode (win:UnicodeString)
Example events
Active Directory Certificate Services could not use the provider specified in the registry for encryption keys. The keyset is not defined. 0x80090019 (-2146893799 NTE_KEYSET_NOT_DEF)
Active Directory Certificate Services could not use the provider specified in the registry for encryption keys. Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)
Description
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
This event can occur if the certificate authority cannot process the value configured under the EncryptionCsp registry value, for example, if a hardware security module (HSM) is used and no keys can be generated.
The error code NTE_BAD_KEYSET is an indication of a SafeNet Luna Hardware Security Module (HSM).
The value is located under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{Common-name-of-CA}\EncryptionCSP
It is set to the same value as for the certification authority certificate during the installation of the certification authority.
It is used to generate the key pairs for the Certificate Authority Exchange (CA Exchange) certificates. The CA Exchange certificates are used for archiving private keys, but also for the Enterprise PKI (pkiview.msc) management console.
In general, a software key storage provider can be safely used for the certification authority exchange certificates. This can be configured with the following command line command:
certutil -setreg CA\EncryptionCSP\Provider "Microsoft Software Key Storage Provider".
Afterwards, the certification authority service must be restarted for the changes to be accepted.
See also Event 87 and 88 and articles "The partition of the Hardware Security Module (HSM) runs full„.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
No description has been written for this yet.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
Related links:
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
External sources
- Event ID 86 - AD CS Key Archival and Recovery (Microsoft)
- Securing Public Key Infrastructure (PKI) (Microsoft)
English 
Deutsch
6 thoughts on “Details zum Ereignis mit ID 86 der Quelle Microsoft-Windows-CertificationAuthority”
Comments are closed.