Troubleshooting Key Archival and Recovery

Applies To: Windows Server 2008

This topic describes key archival and recovery problems and provides links to procedures for troubleshooting and resolution.

Key archival and recovery events and errors

Key archival and recovery problems can be identified by events and errors that are recorded in the application event log on the CA. Events and errors are recorded during CA startup if key recovery agent certificates are not valid or if the CA is not configured correctly to support key archival. Failed key archival requests are also recorded.

On domain members, key archival problems show up as failed certificate requests and error messages.

To troubleshoot specific events, use the links in the following table. To better understand the causes of key archival problems, you can also review the other sections in this topic.

Event ID  Symbolic name
          Description

21        MSG_E_PROCESS_REQUEST_FAILED
          Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3.

53        MSG_DN_CERT_DENIED_WITH_INFO
          Active Directory Certificate Services denied request %1 because %2. The request was for %3. Additional information: %4

81        MSG_E_KRA_NOT_ADVANCED_SERVER
          Active Directory Certificate Services key archival is only supported on Enterprise and Datacenter editions of Windows Server. %1

82        MSG_E_TOO_FEW_VALID_KRA_CERTS
          Active Directory Certificate Services could only verify %1 of %2 key recovery certificates required to enable private key archival. Requests to archive private keys will not be accepted.

83        MSG_E_LOADING_KRA_CERTS
          Active Directory Certificate Services encountered an error loading key recovery certificates. Requests to archive private keys will not be accepted. %1

84        MSG_E_INVALID_KRA_CERT
          Active Directory Certificate Services will not use key recovery certificate %1 because it could not be verified for use as a Key Recovery Agent. %2 %3

85        MSG_E_CANNOT_LOAD_KRA_CERT
          Active Directory Certificate Services ignored key recovery certificate %1 because it could not be loaded. %2 %3

86        MSG_E_BAD_REGISTRY_CA_XCHG_CSP
          Active Directory Certificate Services could not use the provider specified in the registry for encryption keys. %1

87        MSG_E_BAD_DEFAULT_CA_XCHG_CSP
          Active Directory Certificate Services could not use the default provider for encryption keys. %1

88        MSG_E_USE_DEFAULT_CA_XCHG_CSP
          Active Directory Certificate Services switched to the default provider for encryption keys. %1

96        MSG_E_CANNOT_CREATE_XCHG_CERT
          Active Directory Certificate Services could not create an encryption certificate. %1. %2.

98        MSG_E_TOO_MANY_KRA_INVALID
          Active Directory Certificate Services encountered errors validating configured key recovery certificates. Requests to archive private keys will no longer be accepted.

127       MSG_W_EXPIRATION_KRA_CERT
          Key recovery certificate %1 is about to expire and will not be used after it has expired. Contact your administrator to renew this certificate. %2 %3
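The following PowerShell script is an added example and is not part of the original article. It pulls the events listed in the table above out of the Application log of a CA, tags each with its symbolic name, and separates the startup (CA-wide) events from the per-request ones, which is the first thing to establish before touching the configuration. It assumes the CA writes these events under the provider name Microsoft-Windows-CertificationAuthority, as Windows Server 2008 does; the computer name and look-back window are parameters.

```powershell
# Added example, not from the original article.
# Lists key archival events from the Application log of a CA and labels them.
# Assumption: the CA logs under provider 'Microsoft-Windows-CertificationAuthority'.

$KeyArchivalEvents = @{
    21  = 'MSG_E_PROCESS_REQUEST_FAILED'
    53  = 'MSG_DN_CERT_DENIED_WITH_INFO'
    81  = 'MSG_E_KRA_NOT_ADVANCED_SERVER'
    82  = 'MSG_E_TOO_FEW_VALID_KRA_CERTS'
    83  = 'MSG_E_LOADING_KRA_CERTS'
    84  = 'MSG_E_INVALID_KRA_CERT'
    85  = 'MSG_E_CANNOT_LOAD_KRA_CERT'
    86  = 'MSG_E_BAD_REGISTRY_CA_XCHG_CSP'
    87  = 'MSG_E_BAD_DEFAULT_CA_XCHG_CSP'
    88  = 'MSG_E_USE_DEFAULT_CA_XCHG_CSP'
    96  = 'MSG_E_CANNOT_CREATE_XCHG_CERT'
    98  = 'MSG_E_TOO_MANY_KRA_INVALID'
    127 = 'MSG_W_EXPIRATION_KRA_CERT'
}

# Raised while the CA loads its key archival configuration at startup.
# Any of these means no archival request will succeed until the CA is
# fixed and Certificate Services is restarted.
$StartupEvents = 81, 82, 83, 84, 85, 86, 87, 88, 96, 98

function Get-KeyArchivalEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificationAuthority'
        Id           = [int[]]@($KeyArchivalEvents.Keys)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; an empty result is fine here.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($StartupEvents -contains $_.Id) { $scope = 'CA startup' } else { $scope = 'Per request' }
            New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Symbolic    = $KeyArchivalEvents[[int]$_.Id]
                Scope       = $scope
                Message     = $_.Message
            }
        }
}

# Usage: newest first, then a count per event ID for a quick overview.
$events = Get-KeyArchivalEvent -Days 30
$events | Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Id, Symbolic, Scope, Message -AutoSize -Wrap
$events | Group-Object Id | Select-Object Name, Count
```

Read the startup group first: a single event 82 or 83 explains every subsequent event 21 or 53, and fixing the per-request failures without clearing the startup condition achieves nothing. Event 127 is a warning rather than a failure, but it tells you which KRA certificate will drop out of the count next.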

Causes of key archival and recovery problems

Key archival and recovery problems are caused by issues with the following:

  • CA configuration.

  • Key recovery agent certificate status.

  • Cryptographic service providers (CSP) that do not support key archival.

CA configuration

Key archival configuration includes several items. For procedures to implement key archival, see Implementing Key Archival.

The following configuration issues are common causes of key archival problems:

Issue: Key recovery agent certificates are not installed.
  Description: Key recovery agent certificates are required for key archival and are loaded during CA startup. If none are installed, follow the procedures in Implementing Key Archival.
  More information: Implementing Key Archival

Issue: Too few key recovery agent certificates.
  Description: One or more key recovery agent certificates can be used to encrypt archived keys. The number of key recovery agent certificates the CA requires to encrypt each archived key is configurable, and must be less than or equal to the number of valid installed key recovery agent certificates. If fewer certificates verify at startup, the CA logs event 82 and refuses archival requests.
  More information: Event ID 82

Issue: Incompatible CSP.
  Description: The CSP used for the CA exchange (encryption) certificate must support both digital signature and encryption operations. The default CSP is compatible with key archival; if the provider named in the registry cannot be used, the CA logs event 86 and falls back to the default provider (event 88).
  More information: Event ID 86

Key recovery agent certificate status

Key recovery agent certificate status depends on the results of certificate chain validation and revocation status checking, which are performed on key recovery agent certificates during CA startup. Certificate chain validation depends on the availability of all CA certificates in the certificate chain. Certificates that are not present in the computer's certificate cache are retrieved from remote servers. Certificate revocation status depends on the availability of revocation data from certificate revocation lists (CRL) or online certificate status protocol (OCSP) servers.

Network conditions or other issues that prevent retrieval of CA certificates or CRLs can cause certificate validation to fail. If a key recovery agent certificate or another certificate in its certificate chain has been revoked or has expired, the key recovery agent certificate is not valid for key archival and recovery operations.

Use the Key Recovery Agents tab on the CA properties sheet to verify the status of key recovery agent certificates.

Review the event logs on the CA to find key recovery agent certificate validation errors or certificate request failures. Use the events and errors table in the previous section to find troubleshooting procedures for specific errors.
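The following PowerShell script is an added example and is not part of the original article. Run in an elevated session on the CA, it reads the key archival settings the CA loads at startup (the required KRA count and the configured KRA certificate hashes) and repeats, for each configured certificate, the chain build and online revocation check with the Key Recovery Agent application policy that the CA performs, so the outcome can be compared directly with events 82, 84, 85 and 127. It assumes the standard CertSvc registry layout and that KRA certificates are kept in the LocalMachine\KRA store.

```powershell
# Added example, not from the original article. Run elevated on the CA.
# Assumptions: CA settings under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
# and KRA certificates in the LocalMachine\KRA store (standard on Windows Server 2008).

$cfgRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName   = (Get-ItemProperty -Path $cfgRoot).Active
$caCfg    = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

$required = [int]$caCfg.KRACertCount                       # KRAs needed to encrypt each archived key
$hashes   = @($caCfg.KRACertHash | Where-Object { $_ })    # REG_MULTI_SZ of SHA-1 thumbprints the CA loads
$kraEku   = '1.3.6.1.4.1.311.21.6'                         # szOID_KP_KEY_RECOVERY_AGENT

"CA '$caName': $required KRA certificate(s) required per key, $($hashes.Count) configured"

function Test-KraCertificate {
    param([Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    # Same checks the CA makes at startup: whole chain, online CRL/OCSP, KRA EKU present.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object Security.Cryptography.Oid $kraEku))
    $ok = $chain.Build($Cert)
    if ($ok) { $status = 'OK' } else { $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Valid      = $ok
        DaysLeft   = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        Status     = $status
    }
}

$results = foreach ($hash in $hashes) {
    $thumb = ($hash -replace '\s', '').ToUpper()            # registry stores "ab cd ef ..." with spaces
    $cert  = Get-ChildItem Cert:\LocalMachine\KRA | Where-Object { $_.Thumbprint -eq $thumb }
    if ($cert) {
        Test-KraCertificate -Cert $cert
    } else {
        # Configured in the registry but missing from the KRA store: this is event 85.
        New-Object PSObject -Property @{
            Thumbprint = $thumb; Subject = '(not in KRA store)'; Valid = $false; DaysLeft = $null; Status = 'Not found'
        }
    }
}

$results | Format-Table Thumbprint, Valid, DaysLeft, Status, Subject -AutoSize

$valid = @($results | Where-Object { $_.Valid }).Count
if ($valid -lt $required) {
    "Only $valid of $required KRA certificates verify: the CA logs event 82 and refuses archival requests."
} elseif (@($results | Where-Object { $_.Valid -and $_.DaysLeft -lt 30 }).Count -gt 0) {
    "Archival works, but a KRA certificate expires within 30 days (event 127): renew it, then restart Certificate Services."
} else {
    "KRA configuration is healthy."
}
```

One caveat: the CA performs its checks in the context of the Certificate Services service, so CRL and CA certificate retrieval can succeed for the administrator running this script and still fail for the CA (a proxy setting or firewall rule that only applies to the service account, for example). If the script reports every certificate valid but the CA still logs event 84, compare the URLs in the certificate's CDP and AIA extensions against what the service account can actually reach.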

CSP support for key archival operations

In order to securely transmit and archive private keys, CSPs on CAs and domain member computers must support symmetric and asymmetric encryption. The CSP must also be able to generate exportable keys: when a certificate request is submitted manually, select the option to mark the private key as exportable; when keys are generated programmatically, pass the CRYPT_ARCHIVABLE flag to the CryptGenKey function.
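The following PowerShell script is an added example and is not part of the original article. It shows the client side of a working archival request: the key is generated exportable with a CSP that supports encryption, wrapped for the CA exchange certificate in a CMC request, submitted, and then the CA database is queried to confirm the key was actually archived. The CA configuration string and the template name are placeholders; the template must have "Archive subject's encryption private key" enabled, and the KeyRecoveryHashes column name should be confirmed against the output of certutil -schema on your CA.

```powershell
# Added example, not from the original article. Run as the user who will own the key.
# Assumptions: $caConfig is the CA's "CAHost\CAName" string and $template is an
# enrollment template with private key archival enabled (both placeholders).

$caConfig = 'ca01.corp.example\Corp Issuing CA'
$template = 'ArchivedUserKey'

# The CA must be able to hand out an exchange certificate (event 96 means it cannot).
# 'xchg' makes certutil fetch and display the current CA exchange certificate.
certutil -config $caConfig -cainfo xchg
if ($LASTEXITCODE -ne 0) { throw 'No CA exchange certificate: check events 86-88 and 96 on the CA.' }

# Request parameters. KeySpec 1 (AT_KEYEXCHANGE) and an RSA provider give a key
# that can be encrypted to the exchange certificate; Exportable lets the CSP
# release it (the request-file counterpart of CRYPT_ARCHIVABLE at CryptGenKey).
@"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
KeySpec = 1                 ; AT_KEYEXCHANGE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
Exportable = TRUE           ; key must be exportable to be archived
RequestType = CMC           ; key archival travels inside a CMC request
PrivateKeyArchive = TRUE    ; encrypt the private key to the CA exchange certificate
[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path archive.inf -Encoding ASCII

# -config is required here: certreq fetches the CA exchange certificate while
# building the request in order to encrypt the private key to it.
certreq -new -config $caConfig archive.inf archive.req
if ($LASTEXITCODE -ne 0) { throw 'Request build failed: CSP cannot export the key, or no exchange certificate.' }

certreq -submit -config $caConfig archive.req archive.cer
if ($LASTEXITCODE -ne 0) { throw 'CA rejected the request: look for event 21 or 53 on the CA.' }
certreq -accept archive.cer

# Confirm the key is in the CA database. Disposition 20 = issued; a non-empty
# KeyRecoveryHashes value lists the KRA certificate(s) the key was encrypted to.
certutil -config $caConfig -view -restrict "RequesterName=$env:USERDOMAIN\$env:USERNAME" `
    -out "RequestID,Disposition,KeyRecoveryHashes"
```

A request that is issued but shows an empty KeyRecoveryHashes value means the template does not require archival, so the CA issued the certificate without ever receiving the key; that case produces no error on either side and is only caught by this check.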

Key archival errors during certificate enrollment

When a CA cannot perform key archival operations, certificate and key archival requests are denied by the CA, and domain members receive error messages indicating a failure.

When using the Certificates snap-in and Certificate Enrollment wizard to submit a certificate and key archival request, the following error message is displayed if the request is denied:

The certificate request is incorrect. Cannot archive private key. The certification authority is not configured for key archival.

When using CA Web pages, the following error message is displayed if the request is denied:

Your request failed. An error occurred while the server was processing your request. Contact your administrator for further assistance.

The CA also records error event 21 in the application event log.