Troubleshooting an Enterprise PKI

Applies To: Windows Server 2008 R2

Enterprise PKI is primarily a monitoring tool. As a monitoring tool, it may often be the first place that an administrator notices a problem or potential problem with the public key infrastructure (PKI). Therefore, it is important to understand how to find additional diagnostic and troubleshooting information in order to fix the problem promptly before it potentially becomes more serious.

If a warning or serious error is indicated on a server hosting a certification authority (CA) or Online Responder, you should examine the events logged in the Event Viewer on that computer for additional information that can help you diagnose and correct the problem.

For CA-related issues, such as problems connecting to a current certificate revocation list (CRL), use the Certification Authority snap-in to correct the problem.

For Online Responder–related issues, you can use the Online Responder snap-in to perform tasks such as correcting revocation configuration problems.

If Enterprise PKI indicates that one or more CA certificates are about to expire, use the Certificates snap-in to reissue or renew these certificates.

You can enable CryptoAPI 2.0 diagnostics to obtain more information about many PKI-related issues.

You must be a local administrator to complete this procedure.

To enable advanced CryptoAPI 2.0 diagnostics

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Event Viewer.

  2. Expand the Applications and Services Logs, Microsoft, and Windows folders.

  3. Open the CAPI2 folder, right-click Operational, and click Enable Log.

  4. If there is data present in the log before you reproduce a problem, right-click Operational, and click Clear Log. This allows only the data relevant to the problem scenario to be collected from the saved log.

  5. Open the Services snap-in console, right-click Active Directory Certificate Services, and click Restart.

  6. After you have collected event data, save the log file by right-clicking Operational, clicking Save Events as, and typing a name for the event file. You can save the log file in the .evtx format (which can be opened through the Event Viewer) or in .xml format.

Note

The default maximum size for the event log is 1 MB. For CryptoAPI 2.0 diagnostics, the log can increase in size quickly and it is recommended to increase the maximum log size to at least 4 MB to capture relevant events. To increase the maximum log size, right-click Operational, and then click Properties. In the log properties, increase the maximum log size.
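The same procedure can be driven from an elevated PowerShell prompt, which is convenient when you need to repeat it on several CA or Online Responder hosts or capture the log unattended. The script below is an added example written for this page, not a script from the original documentation: it enables the CAPI2 Operational log and raises its maximum size to 4 MB (the note above), clears it, restarts Active Directory Certificate Services, exports the collected events as .evtx, and then lists CAPI2 errors and warnings together with the CA's own events from the Application log (the first troubleshooting step described above). The log name `Microsoft-Windows-CAPI2/Operational`, the service name `certsvc` and the `wevtutil.exe` switches are the standard Windows ones; the output path and the Application-log provider name `Microsoft-Windows-CertificationAuthority` are assumptions for the example, so adjust them to your environment.

```powershell
# Added example, not part of the original page: CryptoAPI 2.0 diagnostics via wevtutil.exe
# and PowerShell instead of the Event Viewer and Services consoles. Requires local
# administrator rights, as the procedure states.

$LogName = 'Microsoft-Windows-CAPI2/Operational'       # standard CAPI2 Operational log name
$OutFile = 'C:\Temp\capi2-operational.evtx'             # assumed destination, change as needed
$CaProvider = 'Microsoft-Windows-CertificationAuthority' # assumed provider name for CA events

function Test-IsAdministrator {
    # The procedure requires a local administrator; fail early instead of half-way through.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Enable-Capi2Diagnostics {
    if (-not (Test-IsAdministrator)) { throw 'Run this script from an elevated PowerShell prompt.' }

    # Step 3 plus the note: enable the Operational log and raise its maximum size to 4 MB,
    # because the default 1 MB fills quickly once CAPI2 logging is on.
    wevtutil.exe set-log $LogName /e:true /ms:4194304

    # Step 4: drop anything collected before the problem is reproduced.
    wevtutil.exe clear-log $LogName

    # Step 5: restart AD CS so its certificate-chain building and CRL checks are logged from scratch.
    Restart-Service -Name certsvc
}

function Save-Capi2Diagnostics {
    # Step 6: export the collected events in .evtx format (opens in Event Viewer).
    New-Item -ItemType Directory -Path (Split-Path -Parent $OutFile) -Force | Out-Null
    wevtutil.exe export-log $LogName $OutFile /ow:true

    # Quick triage of the capture: CAPI2 errors (level 2) and warnings (level 3), newest first.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2, 3 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -AutoSize -Wrap
}

function Get-CaEvents {
    # The first step above: check what the CA itself logged (assumed provider name),
    # e.g. failures to publish or reach a CRL distribution point.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $CaProvider } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -AutoSize -Wrap
}

Enable-Capi2Diagnostics
# Reproduce the problem here (for example, let the CA or a client perform its revocation check),
# then collect and review the results.
Save-Capi2Diagnostics
Get-CaEvents
```

Disable the Operational log again (`wevtutil.exe set-log Microsoft-Windows-CAPI2/Operational /e:false`) once the capture is saved; CAPI2 logging is verbose and the exported .evtx file is what you keep for analysis.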

For more information about CryptoAPI 2.0 diagnostics, see Troubleshooting PKI Problems on Windows Vista (https://go.microsoft.com/fwlink/?LinkId=89570).

For more information about troubleshooting and resolving problems with CAs, CRLs, certificate access, and Online Responders, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?LinkId=89215).