Collection Rule for event with source CertificationAuthority and ID 99

Microsoft.Windows.CertificateServices.CARole.2008.CertSvcEvents.99 (Rule)

Certificate Services could not create a cross certificate.

Knowledge Base article:

Summary

When a root certification authority (CA) certificate is renewed, both the original root certificate and the renewed root certificate continue to be important in the public key hierarchy. The original root CA certificate remains the ultimate foundation of trust for the hierarchy and helps to validate the certificate chains for all certificates that have been issued under the original hierarchy. The renewed root CA certificate provides the foundation of trust for all certificates that are issued in the hierarchy from the renewal date forward.

To support these scenarios, a pair of cross-CA certificates are also created to establish the trust relationship between the original and renewed root certificate:

The first cross-certificate verifies that the original root CA certificate trusts the renewed CA certificate.
The second cross-certificate verifies that the renewed CA certificate trusts the original root certificate.

Stand-alone CAs generate self-signed cross-certificates when CA keys are changed. A cross-certificate is generated for each key transition, for the period where the lifetime of each root certificate overlap.

Resolutions

Create a missing cross-CA certificate

When a root certification authority (CA) certificate is renewed with a new key, the CA automatically generates cross-certificates between the old and new CA certificates. If a cryptographic failure occurred while the cross-certificate was being signed, you may be able to resolve the issue by correcting the extension conflict. Otherwise, enable CryptoAPI 2.0 Diagnostics to gather additional troubleshooting information.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Resolve an extension conflict

To resolve an extension conflict:

Click Start, type mmc, and then press ENTER.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
Click Computer account, and then click Next.
Select the computer hosting the CA, click Finish, and then click OK.
Click the Details tab, and click Show: Extensions only.
Double-click the previous CA certificate, and view the configured extensions for this certificate.
Compare the extensions in the latest CA certificate to the extensions in the previous CA certificate.
Correct any mismatch between extensions by reconfiguring the certificate request and submitting a new certificate request.

Note: For information about configuring a custom certificate request, see "Advanced Certificate Enrollment and Management" ( http://go.microsoft.com/fwlink/?LinkID=74577).

Enable CryptoAPI 2.0 Diagnostics

To enable CryptoAPI 2.0 Diagnostics:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer.
In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.
Right-click Operational, and click Enable Log.
Click Start, point to Administrative Tools, and click Services.
Right-click Active Directory Certificate Services, and click Restart.
Look for any CA certificate verification or chaining errors. Resolve any errors, and then restart the CA again.

If the extensions are correct and CA certificate verification and chaining are correct, the missing cross-CA certificates should be generated automatically when the CA restarts.

Additional

To verify that the certification authority (CA) is able to create a cross-certificate to certify its own certificate during CA certificate renewal:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
In the console tree, click the name of the CA.
On the Action menu, point to All Tasks, and click Renew CA Certificate to start the Certificate Renewal Wizard.
Open the Certificates snap-in on the computer, and double-click the CA certificate.
Click the Details tab, and click Show: Extensions only.
Double-click the previous CA certificate, and view the configured extensions for this certificate.
Compare the extensions in the latest CA certificate to the extensions in the previous CA certificate to confirm that they match.

Element properties:

Target

Microsoft.Windows.CertificateServices.CARole.2008

Category

EventCollection

Enabled

True

Event_ID

Event Source

Microsoft-Windows-CertificationAuthority

Alert Generate

True

Alert Severity

Error

Alert Priority

High

Remotable

True

Alert Message

AD CS could not create a cross certificate

Event Description: {0}

Event Log

Application

Member Modules:

ID	Module Type	TypeId	RunAs
DS	DataSource	Microsoft.Windows.EventProvider	Default
Alert	WriteAction	System.Health.GenerateAlert	Default
WriteToCertSvcEvents	WriteAction	Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher	Default
WriteToDB	WriteAction	Microsoft.SystemCenter.CollectEvent	Default

Source Code:

<Rule ID="Microsoft.Windows.CertificateServices.CARole.2008.CertSvcEvents.99" Enabled="true" Target="CS!Microsoft.Windows.CertificateServices.CARole.2008" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Application</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">99</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="String">Microsoft-Windows-CertificationAuthority</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>

    <WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>2</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="AlertMessageIDace9b8c0fb8c4912995ba86dd441ae51"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>

        <SuppressionValue>$Data/PublisherName$</SuppressionValue>

        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>