Event ID 102 — AD CS Cross-Certification

Applies To: Windows Server 2008

When a root certification authority (CA) certificate is renewed, both the original root certificate and the renewed root certificate continue to be important in the public key hierarchy. The original root CA certificate remains the ultimate foundation of trust for the hierarchy and helps to validate the certificate chains for all certificates that have been issued under the original hierarchy. The renewed root CA certificate provides the foundation of trust for all certificates that are issued in the hierarchy from the renewal date forward.

To support these scenarios, a pair of cross-CA certificates are also created to establish the trust relationship between the original and renewed root certificate:

  • The first cross-certificate verifies that the original root CA certificate trusts the renewed CA certificate.
  • The second cross-certificate verifies that the renewed CA certificate trusts the original root certificate.

Stand-alone CAs generate self-signed cross-certificates when CA keys are changed. A cross-certificate is generated for each key transition, for the period where the lifetime of each root certificate overlap.

Event Details

Product: Windows Operating System
ID: 102
Source: Microsoft-Windows-CertificationAuthority
Version: 6.0
Symbolic Name: MSG_E_CROSS_CERT_EXTENSION_CONFLICT
Message: Active Directory Certificate Services could not create cross certificate %1 to certify its own root certificates. The %2 extension is inconsistent. %3. %4.

Resolve

Create a missing cross-CA certificate

When a root certification authority (CA) certificate is renewed with a new key, the CA automatically generates cross-certificates between the old and new CA certificates. If a cryptographic failure occurred while the cross-certificate was being signed, you may be able to resolve the issue by correcting the extension conflict. Otherwise, enable CryptoAPI 2.0 Diagnostics to gather additional troubleshooting information.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Resolve an extension conflict

To resolve an extension conflict:

  1. Click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Click Computer account, and then click Next.
  5. Select the computer hosting the CA, click Finish, and then click OK.
  6. Click the Details tab, and click Show: Extensions only.
  7. Double-click the previous CA certificate, and view the configured extensions for this certificate.
  8. Compare the extensions in the latest CA certificate to the extensions in the previous CA certificate.
  9. Correct any mismatch between extensions by reconfiguring the certificate request and submitting a new certificate request.

Note: For information about configuring a custom certificate request, see "Advanced Certificate Enrollment and Management" (https://go.microsoft.com/fwlink/?LinkID=74577).

Enable CryptoAPI 2.0 Diagnostics

To enable CryptoAPI 2.0 Diagnostics:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer.
  2. In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.
  3. Right-click Operational, and click Enable Log.
  4. Click Start, point to Administrative Tools, and click Services.
  5. Right-click Active Directory Certificate Services, and click Restart.
  6. Look for any CA certificate verification or chaining errors. Resolve any errors, and then restart the CA again. 

If the the extensions are correct and CA certificate verification and chaining are correct, the missing cross-CA certificates should be generated automatically when the CA restarts.

Verify

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To verify that the certification authority (CA) is able to create a cross-certificate to certify its own certificate during CA certificate renewal:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
  2. In the console tree, click the name of the CA.
  3. On the Action menu, point to All Tasks, and click Renew CA Certificate to start the Certificate Renewal Wizard.
  4. Open the Certificates snap-in on the computer, and double-click the CA certificate.
  5. Click the Details tab, and click Show: Extensions only.
  6. Double-click the previous CA certificate, and view the configured extensions for this certificate.
  7. Compare the extensions in the latest CA certificate to the extensions in the previous CA certificate to confirm that they match.

AD CS Cross-Certification

Active Directory Certificate Services