Collection Rule for event with source CertificationAuthority and ID 17

Summary

The certification authority (CA) database records all certificate transactions, including requests, the requester, and whether the request was granted or denied; information for the issued certificate, such as the private key, serial number, and expiration date; and information about revoked certificates. Problems initializing or accessing the CA database can prevent a CA from starting and functioning properly. This may happen as a result of corrupt or missing CA database files or of incorrect permissions on these files.

Resolutions

The error code included within the event string should offer more information about the specific problem.

Enable the connection between the CA and the certificates database

A certification authority (CA) needs to be able to connect to a certificates database file identified in the registry. To resolve this problem, confirm that the file identified in the registry exists, and if it does exist, that it has not been corrupted.

To perform this procedure, you must have local administrator permission, or you must have been delegated the appropriate authority.

To enable the connection between the certification authority (CA) and the certificates database:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

• On the computer hosting the CA, click Start, type regedit, and then press ENTER.

• Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

• Check the value data for the REG_SZ entries named DBLogDirectory, DBSystemDirectory, and DBTempDirectory. Then, confirm that the CA database files exist in these locations.

• At a command prompt, type Esentutl.exe /g <databasename> and press ENTER to check for database corruption.

  NOTE: the CA service must not be running for this command to work.

  Replace databasename with the name of the database listed in the registry settings. The database file name ends with a ".edb".

• If the database has been corrupted, at a command prompt, type Esentutl /r <databasename> and press ENTER to correct the problem.

• Restart Active Directory Certificate Services (AD CS).

• If the problem persists and you can reproduce the issue, use the following procedure, Create a CA debug log to obtain additional information.

Create a debug log

To create a debug log:

• On the computer hosting the CA, click Start, type cmd and press ENTER.

• Type certutil -setreg ca\debug 0xffffffe3 and press ENTER.

• Reproduce the issue.

• To disable logging: certutil -delreg ca\debug.

  You do not need to stop or restart the certsvc service when using these specific commands. Logging will be enabled or disabled immediately.

The %windir%\certsrv.log file contains advanced diagnostic information that may be useful if you need to contact Microsoft Customer Service and Support.

Additional

The certificate database must be available in order for the Active Directory Certificate Services (AD CS) service to start.

To perform this procedure, you must have membership in local Administrators on the computer hosting the certification authority (CA), or you must have been delegated the appropriate authority.

To confirm that the CA database connection has been enabled:

• On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

• Select the CA name and click Start to start the service.

• Check the Event log for any startup errors from source Microsoft-Windows-CertificationAuthority.

• If the CA service starts with no errors, the CA database connection has been enabled.