Event ID 64 — AD CS Certification Authority Certificate and Chain Validation

Applies To: Windows Server 2008

Chain or path validation is the process by which end-entity (user or computer) certificates and all certification authority (CA) certificates are processed hierarchically until the certificate chain terminates at a trusted, self-signed certificate. Typically, this is a root CA certificate. Active Directory Certificate Services (AD CS) startup can fail if there are problems with availability, validity, and chain validation for the CA certificate.

Event Details

Product: Windows Operating System
ID: 64
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Version: 6.0
Symbolic Name: EVENT_CERT_EXPIRING
Message: Certificate for %1 with Thumbprint %2 is about to expire or has already expired.

Resolve

Renew a CA certificate

A computer certificate on a managed computer, not a certification authority (CA), must be renewed when it passes 90 percent of its validity period or has expired. Because a successful renewal will generally be initiated before the certificate reaches 90 percent of its lifetime, this error indicates that there may be a problem automatically obtaining a new certificate via autoenrollment.

To perform this procedure, you must have membership in local Administrators or Users on the computer that logged the error, or you must have been delegated the appropriate authority.

To renew a CA certificate:

  1. Click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.** **
  4. Select the user or computer account that logged the error, and click Next.
  5. Click Finish, and then click OK
  6. In the console tree, click Certificates - Current User or Certificates (Local Computer), and then click Personal.
  7. In the console tree, double-click Certificates, double-click Personal, and then click Certificates.
  8. Locate the certificate with the thumbprint listed in the event log message.
  9. Right-click the certificate, and select one of the Renew Certificate options to start the Certificate Renewal Wizard and renew the CA certificate.

Verify

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To confirm that the certification authority (CA) certificate and chain are valid:

  1. On the computer hosting the CA, click Start, type mmc, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
  4. Click Computer account, and click Next.
  5. Click Finish, and then click OK.
  6. In the console tree, click Certificates (Local Computer), and then click Personal.
  7. Confirm that a CA certificate that has not expired exists in this store.
  8. Right-click this certificate and select Export to launch the Certificate Export Wizard.
  9. Export the certificate to a file named Cert.cer.
  10. Type Start, cmd and press ENTER.
  11. Type certutil -urlfetch -verify <cert.cer> and press ENTER.
  12. If no validation, chain building, or revocation checking errors are reported, the chain is valid.

AD CS Certification Authority Certificate and Chain Validation

Active Directory Certificate Services