| Event Source: | Microsoft-Windows-CertificationAuthority |
| Event ID: | 87 (0x57) |
| Event log: | Application |
| Event type: | Error |
| Symbolic Name: | MSG_E_BAD_DEFAULT_CA_XCHG_CSP |
| Event text (English): | Active Directory Certificate Services could not use the default provider for encryption keys. %1 |
| Event text (German): | Active Directory certificate services could not use the default encryption key provider. %1 |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: ErrorCode (win:UnicodeString)
Example events
Active Directory Certificate Services could not use the default provider for encryption keys. Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)
Description
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
This event can occur if the certificate authority cannot process the value configured under the EncryptionCsp registry value, for example, if a hardware security module (HSM) is used and no keys can be generated.
The value is located under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{Common-name-of-CA}\EncryptionCSP
It is set to the same value as for the certification authority certificate during the installation of the certification authority.
It is used to generate the key pairs for the Certificate Authority Exchange (CA Exchange) certificates. The CA Exchange certificates are used for archiving private keys, but also for the Enterprise PKI (pkiview.msc) management console.
In general, a software key storage provider can be safely used for the certification authority exchange certificates. This can be configured with the following command line command:
certutil -setreg CA\EncryptionCSP\Provider "Microsoft Software Key Storage Provider".
Afterwards, the certification authority service must be restarted for the changes to be accepted.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
No description has been written for this yet.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
Related links:
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
External sources
- Event ID 87 - AD CS Key Archival and Recovery (Microsoft)
- Securing Public Key Infrastructure (PKI) (Microsoft)
English 
Deutsch
One thought on “Details zum Ereignis mit ID 87 der Quelle Microsoft-Windows-CertificationAuthority”
Comments are closed.