Details of the event with ID 96 of the source Microsoft-Windows-CertificationAuthority

Event Source:Microsoft-Windows-CertificationAuthority
Event ID:96 (0x60)
Event log:Application
Event type:Error
Symbolic Name:MSG_E_CANNOT_CREATE_XCHG_CERT
Event text (English):Active Directory Certificate Services could not create an encryption certificate. %1. %2.
Event text (German):No encryption certificate could be created by Active Directory Certificate Services. %1. %2.

Parameter

The parameters contained in the event text are filled with the following fields:

  • %1: Disposition (win:UnicodeString)
  • %2: ErrorCode (win:UnicodeString)

Example events

Active Directory Certificate Services could not create an encryption certificate. Requested by INTRA\Administrator. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).
Active Directory Certificate Services could not create an encryption certificate. Requested by INTRA\Administrator. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495 CERT_E_EXPIRED).
Active Directory Certificate Services could not create an encryption certificate.  Requested by INTRA\Administrator.  The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK).
Active Directory Certificate Services could not create an encryption certificate. Requested by INTRA\rudi Invalid Application Policies: 1.3.6.1.4.1.311.21.5. The certificate has invalid policy. 0x800b0113 (-2146762477 CERT_E_INVALID_POLICY).

Description

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

Occurs when the certificate authority cannot issue a Certificate Authority Exchange (CA Exchange) certificate. In most cases, this indicates a problem with the certification authority.

Error code CERT_E_INVALID_POLICY

Please note that the creation of a certificate authority exchange certificate can be requested by any authenticated user on the network. For example, the Enterprise PKI (pkiview.msc) management console requests such a certificate to map the certificate authority hierarchy.

Therefore, the Basics: Restricting Extended Key Usage (EKU) in Certification Authority Certificates always include the "Private Key Archival" Extended Key Usage in the list of allowed EKUs for the certification authority certificate so that the certificates for the certification authority exchange can be issued correctly.

Safety assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

The event may be an indication that the availability of the certification authority service is or will soon be impaired. Therefore, an alert should be triggered.

Microsoft rating

Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".

Related links:

External sources

2 thoughts on “Details zum Ereignis mit ID 96 der Quelle Microsoft-Windows-CertificationAuthority”

Comments are closed.

en_USEnglish