A root CA certificate was added to the local enterprise root store.
Chain or path validation is the process by which end-entity (user or computer) certificates and all certification authority (CA) certificates are processed hierarchically until the certificate chain terminates at a trusted, self-signed certificate. Typically, this is a root CA certificate. Active Directory Certificate Services (AD CS) startup can fail if there are problems with availability, validity, and chain validation for the CA certificate.
Publish a root CA certificate to Active Directory Domain Services
If the certification authority (CA) was installed very recently, one instance of this error can be considered normal.
If this error persists, or if clients detect similar errors, you can publish the root certificate to Active Directory Domain Services (AD DS) manually.
To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.
To publish a root CA certificate to AD DS:

1. On the computer hosting the CA, click Start, type cmd, and press ENTER.
2. Type certutil -f -dspublish <CAcert.cer> RootCA and press ENTER.

The root CA certificate file can be found in %windir%\system32\certsrv\certenroll. Replace CAcert.cer with the name of the file containing the root CA certificate.
To confirm that the certification authority (CA) certificate and chain are valid:

1. On the computer hosting the CA, click Start, type mmc, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
4. Click Computer account, and click Next.
5. Click Finish, and then click OK.
6. In the console tree, click Certificates (Local Computer), and then click Personal.
7. Confirm that a CA certificate that has not expired exists in this store.
8. Right-click this certificate and select Export to launch the Certificate Export Wizard.
9. Export the certificate to a file named Cert.cer.
10. Click Start, type cmd, and press ENTER.
11. Type certutil -urlfetch -verify <Cert.cer> and press ENTER.

If no validation, chain building, or revocation checking errors are reported, the chain is valid.
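The two procedures above, as an added PowerShell script that is not part of the management pack: it checks the Application log with the same filter the rule below uses, locates an unexpired CA certificate in the local computer's Personal store, exports it and runs certutil -urlfetch -verify, and can optionally republish the root CA certificate to AD DS. It assumes an elevated session on the CA host with the PKI module (Export-Certificate) available; the $ExportPath default and the .crt/.cer file extensions in certenroll are assumptions.

```powershell
[CmdletBinding()]
param(
    [string]$ExportPath = "$env:TEMP\Cert.cer",   # assumed export location
    [switch]$PublishToAdDs                        # also run certutil -f -dspublish
)

# 1. Has event 103 been logged? Same filter the rule below uses:
#    Application log, provider Microsoft-Windows-CertificationAuthority, ID 103.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 103
} -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    Write-Host ("Event 103 seen {0} time(s); most recent: {1}" -f @($events).Count, $events[0].TimeCreated)
}

# 2. Find an unexpired CA certificate (Basic Constraints CA=TRUE) in the
#    local computer's Personal store, as the MMC steps ask you to confirm.
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.NotAfter -gt (Get-Date) -and
    ($_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
        $_.CertificateAuthority })
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw 'No unexpired CA certificate found in Cert:\LocalMachine\My.' }
Write-Host "CA certificate: $($caCert.Subject) (expires $($caCert.NotAfter))"

# 3. Export it and run the same chain and revocation check as the procedure's
#    'certutil -urlfetch -verify' step; a non-zero exit code means a problem.
Export-Certificate -Cert $caCert -FilePath $ExportPath -Type CERT | Out-Null
$verify = & certutil.exe -urlfetch -verify $ExportPath 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil -verify exit code $LASTEXITCODE; lines of interest:"
    $verify | Select-String -Pattern 'error|fail|revoc' | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Chain is valid: no validation, chain building or revocation errors reported.'
}

# 4. Optional: republish the root CA certificate to AD DS (first procedure).
#    Assumes the CA certificate file in certenroll has a .crt or .cer extension.
if ($PublishToAdDs) {
    $rootFile = Get-ChildItem "$env:windir\system32\certsrv\certenroll\*" -Include *.crt, *.cer |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $rootFile) { throw 'No CA certificate file found in certenroll.' }
    & certutil.exe -f -dspublish $rootFile.FullName RootCA
}
```

Run it without -PublishToAdDs first; republish only if the verify step or the clients still report chain errors, as the procedure advises.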
Property | Value |
---|---|
Target | Microsoft.Windows.CertificateServices.CARole.2016 |
Category | EventCollection |
Enabled | True |
Event ID | 103 |
Event Source | Microsoft-Windows-CertificationAuthority |
Alert Generate | False |
Remotable | True |
Event Log | Application |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
WriteToCertSvcEvents | WriteAction | Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher | Default |
WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
```xml
<Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.103" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">103</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">Microsoft-Windows-CertificationAuthority</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>
  </WriteActions>
</Rule>
```