AD CS failed to create a certificate or CRL containing Unicode characters
When issuing a certificate or certificate revocation list (CRL), the certification authority (CA) must place information into the various fields and extensions of the certificate or CRL. This information can come from the certificate request, the CA configuration, or Active Directory. The information for the authority information access (AIA) and CRL distribution point (CDP) certificate extensions and the issuing distribution point (IDP) and "freshest CRL" CRL extensions may contain host names. If the CA encounters a host name that contains Unicode characters, it cannot add the name to the certificate or CRL, and it will stop issuing certificates or CRLs.
Verify that extension settings do not contain non-ASCII characters
To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.
1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
2. In the console tree, right-click the name of the CA.
3. On the Action menu, click Properties.
4. Click the Extensions tab.
5. For each CRL Distribution Point (CDP) and Authority Information Access (AIA) location listed in the list box, check for any variables, such as ServerDNSName, that may contain non-ASCII characters. Update any configured extensions, or the Active Directory information they represent, to remove these characters.
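
The same check can be run from PowerShell on the CA host. This is an added example, not part of the management pack or its original documentation; it assumes the standard CertSvc registry layout (the `Active`, `CAServerName`, `CRLPublicationURLs` and `CACertPublicationURLs` values) and that `%1` in a URL template stands for ServerDNSName. Other variables are left unexpanded.

```powershell
# Added example: audit the CA's CDP and AIA URL templates for non-ASCII characters.
# Run in an elevated session on the computer hosting the CA.
$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName     = (Get-ItemProperty -LiteralPath $configRoot).Active
$caConfig   = Get-ItemProperty -LiteralPath (Join-Path $configRoot $caName)

function Test-NonAscii([string]$Text) {
    # True when any character falls outside the 7-bit ASCII range.
    return $Text -cmatch '[^\x00-\x7F]'
}

# Assumption: %1 in a URL template expands to the CA server's DNS name.
$serverDns = $caConfig.CAServerName

$findings = foreach ($valueName in 'CRLPublicationURLs', 'CACertPublicationURLs') {
    foreach ($entry in $caConfig.$valueName) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        # Each entry is stored as "<publication flags>:<URL template>".
        $flags, $template = $entry -split ':', 2
        # (?!\d) keeps %1 from matching the start of %10 or %11.
        $expanded = $template -replace '%1(?!\d)', $serverDns
        [pscustomobject]@{
            Extension = if ($valueName -eq 'CRLPublicationURLs') { 'CDP' } else { 'AIA' }
            Template  = $template
            Expanded  = $expanded
            NonAscii  = (Test-NonAscii $expanded)
        }
    }
}
$findings | Sort-Object NonAscii -Descending | Format-Table -AutoSize -Wrap

# Recent occurrences of the event this rule collects (Application log, event 133).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 133
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Rows with `NonAscii` set to `True` identify the CDP or AIA locations to correct on the Extensions tab.
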
Property | Value |
---|---|
Target | Microsoft.Windows.CertificateServices.CARole.2008 |
Category | EventCollection |
Enabled | True |
Event_ID | 133 |
Event Source | Microsoft-Windows-CertificationAuthority |
Alert Generate | True |
Alert Severity | Error |
Alert Priority | High |
Remotable | True |
Alert Message | |
Event Log | Application |

ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
WriteToCertSvcEvents | WriteAction | Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher | Default |
WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
<Rule ID="Microsoft.Windows.CertificateServices.CARole.2008.CertSvcEvents.133" Enabled="true" Target="CS!Microsoft.Windows.CertificateServices.CARole.2008" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">133</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">Microsoft-Windows-CertificationAuthority</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>2</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="AlertMessageID0c6a52ff514b44449c12f7d8c7892901"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
        <SuppressionValue>$Data/PublisherName$</SuppressionValue>
        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>