Event ID 10 — AD CS Certificate Request (Enrollment) Processing

Applies To: Windows Server 2008

One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.

Event Details

Product: Windows Operating System
ID: 10
Source: Microsoft-Windows-CertificationAuthority
Version: 6.0
Symbolic Name: MSG_E_CANNOT_BUILD_CERT_OR_CHAIN
Message: Active Directory Certificate Services was unable to build a new certificate or certificate chain: %1.

Resolve

Correct problems that can prevent revocation checking

Revocation checking fails unless every certificate in the chain can be verified. To fix this:

  • Confirm the certificates in the chain for the certification authority (CA).
  • Identify and correct resource problems that could be preventing revocation checking.
  • Enable CryptoAPI 2.0 Diagnostics to identify and resolve more advanced issues that can prevent revocation checking.

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm the certificate chain for the CA

To validate the chain for the CA:

  1. Click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Click Computer account, and click Next.
  5. Select the computer hosting the CA, click Finish, and then click OK.
  6. Select each CA certificate in the certificate chain.
  7. On the Action menu, point to All Tasks, and click Export to start the Certificate Export Wizard. Save each certificate with a .cer extension.
  8. Click Start, type cmd and press ENTER.
  9. Type the following command for each CA certificate: certutil -urlfetch -verify <CAcert.cer> and press ENTER.
  10. Run the same command again to check CRLs for the CA that was supposed to issue the certificate, as well as its chain.
  11. Resolve any problems that are identified in the output from the command.

To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.
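The export-and-verify loop from steps 6 through 11 above, scripted in PowerShell as an added example (this is not code from the Microsoft page). It assumes it runs elevated on the CA host, that the CA certificate is found by the hypothetical subject name in $CaSubject in the LocalMachine\My store, that certutil.exe is on the PATH, and that the regular expressions used to flag failures in certutil output are heuristics.

```powershell
# Added example, not part of the original page: export each element of the CA's
# certificate chain to a .cer file and run the page's certutil check against it.
param(
    [string]$CaSubject = 'CN=Contoso Issuing CA',   # hypothetical subject; edit for your CA
    [string]$OutDir    = "$env:TEMP\ca-chain-check"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The CA's own certificate is in the local machine Personal store (Cert:\LocalMachine\My).
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CaSubject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "No certificate with subject '$CaSubject' in LocalMachine\My" }

# Build the chain with revocation checking turned off: we need the full chain even when
# CRL/OCSP access is broken, because that is exactly what certutil -urlfetch will test.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($caCert)) {
    Write-Warning 'Chain did not build cleanly; checking the elements that were found anyway'
}

$results = @()
$i = 0
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $file = Join-Path $OutDir ('chain-{0}-{1}.cer' -f $i, $cert.Thumbprint)
    # Same DER (.cer) output the Certificate Export Wizard produces in step 7.
    [System.IO.File]::WriteAllBytes($file, $cert.Export('Cert'))

    # Step 9, run once per chain element; keep stdout and stderr together.
    $output = & certutil.exe -urlfetch -verify $file 2>&1 | Out-String
    # Heuristic failure detection: non-zero exit, or an ERROR: line in the transcript.
    $failed = ($LASTEXITCODE -ne 0) -or ($output -match '(?m)^\s*ERROR:')
    $status = 'OK'
    if ($failed) {
        $status = 'CHECK FAILED'
        $output | Out-File -FilePath ($file -replace '\.cer$', '.certutil.txt')
    }
    $results += New-Object PSObject -Property @{ Index = $i; Status = $status; Subject = $cert.Subject; File = $file }
    $i++
}

# Step 11: every element marked CHECK FAILED has its certutil transcript saved next to the .cer file.
$results | Sort-Object Index | Format-Table Index, Status, Subject -AutoSize
```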

Identify and correct resource problems that can prevent revocation checking

To check that revocation checking is not prevented by a hardware problem:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Reliability and Performance Monitor to assess memory and disk usage on the CA. 
  2. If necessary, increase Windows resources by adding physical memory, virtual memory, or physical storage.

Enable CryptoAPI 2.0 Diagnostics

To enable CryptoAPI 2.0 Diagnostics:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer.
  2. In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.
  3. Right-click Operational, and click Enable Log.
  4. Click Start, point to Administrative Tools, and click Services.
  5. Right-click Active Directory Certificate Services, and click Restart.

For more information about certificate revocation and status checking, see https://go.microsoft.com/fwlink/?LinkID=71071.

Verify

To perform this procedure, you must have permission to request a certificate.

To confirm that certificate request processing is working properly:

  1. Click Start, type certmgr.msc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the console tree, double-click Personal, and then click Certificates.
  4. On the Action menu, point to All Tasks, and click Request New Certificate to start the Certificate Enrollment wizard. 
  5. Use the wizard to create and submit a certificate request for any type of certificate that is available.
  6. Under Certificate Installation Results, confirm that the enrollment completes successfully and no errors are reported. You can also click Details to view additional information about the certificate.
