Collection Rule for event with source CertificationAuthority and ID 23

Summary

One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.

Resolutions

Revise the certificate request so that it contains valid certificate input data

The certificate request specified in the event log message contains invalid field length data. The field length should be less than 127 bytes. To resolve this problem:

Submit a new certificate request with fields measuring less than 127 bytes for the field specified in the event log description.

To perform these procedures, you must have Enroll permissions for a certificate based on the certificate template.

Submit a certificate request

To submit a certificate request:

• Click Start, type mmc, and then press ENTER.

• If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

• On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

• Select the user or computer account, and click Next.

• Click Finish, and then click OK. 

• In the console tree, click Certificates - Current User or Certificates (Local Computer), and then click Personal.

• On the Action menu, point to All Tasks, and then click Request New Certificate to start the Certificate Enrollment Wizard. Click Next.

• Select the types of certificates that you want to request.

• You can click Details to review additional information about each certificate. If a caution symbol appears below the certificate, you might need to provide additional information before requesting that type of certificate. Click the More information is required to enroll for this certificate. Click here to configure message and provide the requested information, such as the location of a valid signing certificate.

• To finish, click Enroll.

Check on a pending certificate request

To check on a pending certificate request:

• Open Internet Explorer, and type the following: https://servername/certsrv, where servername is the name of the Web server running Windows Server where the certification authority (CA) you want to access is located.

• Click View the status of a pending certificate request.

• You will receive a message if there are no pending certificate requests. Otherwise, select the certificate request that you want to check, and then click Next.

• Check the pending certificate requests. If it is:

• Still pending, you must wait for the administrator of the CA to issue the certificate. To remove the certificate request, click Remove.

• Issued, you can install the certificate. Click Install this certificate.

• Denied, you need to investigate the reason and determine appropriate follow-up steps, if any.

• When you are finished, close Internet Explorer.

Additional

To confirm that certificate request processing is working properly:

• Click Start, type certmgr.msc, and then press ENTER.

• If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

• In the console tree, double-click Personal, and then click Certificates.

• On the Action menu, point to All Tasks, and click Request New Certificate to start the Certificate Enrollment wizard. 

• Use the wizard to create and submit a certificate request for any type of certificate that is available.

• Under Certificate Installation Results, confirm that the enrollment completes successfully and no errors are reported. You can also click Details to view additional information about the certificate.