AD CS Key Archival and Recovery

Applies To: Windows Server 2008

Active Directory Certificate Services (AD CS) requires key recovery agent certificates, exchange (XCHG) certificates, and keys in order to support key archival. The functioning of key recovery agent certificates, XCHG certificates, and the cryptographic service providers (CSPs) needed to create them is critical to a public key infrastructure.

Events

| Event ID | Source | Message |
| --- | --- | --- |
| 81 | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services key archival is only supported on Enterprise and Datacenter editions of Windows Server. %1 |
| 82 | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services could only verify %1 of %2 key recovery certificates required to enable private key archival. Requests to archive private keys will not be accepted. |
| 83 | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services encountered an error loading key recovery certificates. Requests to archive private keys will not be accepted. %1 |
| 84 | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services will not use key recovery certificate %1 because it could not be verified for use as a Key Recovery Agent. %2 %3 |
| 85 | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services ignored key recovery certificate %1 because it could not be loaded. %2 %3 |
| 86 | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services could not use the provider specified in the registry for encryption keys. %1 |
| 87 | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services could not use the default provider for encryption keys. %1 |
| 88 | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services switched to the default provider for encryption keys. %1 |
| 96 | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services could not create an encryption certificate. %1. %2. |
| 98 | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services encountered errors validating configured key recovery certificates. Requests to archive private keys will no longer be accepted. |
| 127 | Microsoft-Windows-CertificationAuthority | Key recovery certificate %1 is about to expire and will not be used after it has expiration. Contact your adminstrator to renew this certificate. %2 %3 |
