Event ID 58 — AD CS Certification Authority Certificate and Chain Validation

Applies To: Windows Server 2008

Chain or path validation is the process by which end-entity (user or computer) certificates and all certification authority (CA) certificates are processed hierarchically until the certificate chain terminates at a trusted, self-signed certificate. Typically, this is a root CA certificate. Active Directory Certificate Services (AD CS) startup can fail if there are problems with availability, validity, and chain validation for the CA certificate.

Event Details

Resolve

Reissue certificates in the chain for an expired CA certificate

The certification authority (CA) certificate that has expired will be identified in the event log. To resolve this issue:

• Check whether the certificate has expired.
• Confirm the certificate chain.
• If the problem persists, enable CryptoAPI 2.0 Diagnostics, resolve any errors found, and then reissue and reinstall the expired certificates.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Check CA certificate expiration

To check whether a specific CA certificate has expired:

1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
2. Right-click the CA node, and click Properties.
3. Expired certificates will be listed with the word (expired) in the list of CA certificates. If all CA certificates are expired, you will have to renew the CA certificate and reissue any certificates below the expired CA certificate.
4. To renew the CA certificate, right-click the CA node, point to All Tasks, and click Renew CA Certificate.
5. After the CA certificate has been renewed, restart the CA.
6. If there are unexpired certificates in the list, find the certificate whose CA Version number matches the key ID in the error message. For example, if the key ID is 2, the certificate with CA Version 2.1 or 2.2 would be the correct certificate.
7. If this certificate has not expired, check for problems with the certificate chain. Export the certificate to a file, and then open a command prompt window, type certutil -urlfetch -verify<CAcert.cer> and press ENTER. (Replace CAcert.cer with the name of the certificate file.)

Enable CryptoAPI 2.0 Diagnostics

To enable CryptoAPI 2.0 Diagnostics:

1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer.
2. In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.
3. Right-click Operational, and click Enable Log.
4. Click Start, point to Administrative Tools, and click Services.
5. Right-click Active Directory Certificate Services, and click Restart.

Verify

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To confirm that the certification authority (CA) certificate and chain are valid:

1. On the computer hosting the CA, click Start, type mmc, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
4. Click Computer account, and click Next.
5. Click Finish, and then click OK.
6. In the console tree, click Certificates (Local Computer), and then click Personal.
7. Confirm that a CA certificate that has not expired exists in this store.
8. Right-click this certificate and select Export to launch the Certificate Export Wizard.
9. Export the certificate to a file named Cert.cer.
10. Type Start, cmd and press ENTER.
11. Type certutil -urlfetch -verify <cert.cer> and press ENTER.
12. If no validation, chain building, or revocation checking errors are reported, the chain is valid.

Related Management Information

AD CS Certification Authority Certificate and Chain Validation

Active Directory Certificate Services