Collection Rule for event with source CertificationAuthority and ID 42

Summary

Chain or path validation is the process by which end-entity (user or computer) certificates and all certification authority (CA) certificates are processed hierarchically until the certificate chain terminates at a trusted, self-signed certificate. Typically, this is a root CA certificate. Active Directory Certificate Services (AD CS) startup can fail if there are problems with availability, validity, and chain validation for the CA certificate.

Resolutions

Load and confirm a valid CA certificate and chain

You need to confirm that a valid certification authority (CA) certificate is accessible in order for certificate chain validation to take place. You can resolve problems associated with locating a valid CA certificate by confirming that:

• A valid CA certificate is available on the computer hosting the CA.

• A valid CA certificate exists in the AIA container.

• The CA certificate chain can be validated.

• If a certificate revocation list (CRL) for a CA in the chain has expired, a new CRL is generated.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm that a valid CA certificate exists on the computer hosting the CA

To confirm that a valid CA certificate is available on the computer hosting the CA:

• Click Start, type mmc, and then press ENTER.

• If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

• On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

• Click Computer account, and click Next.

• Click Finish, and then click OK.

• In the console tree, click Certificates (Local Computer), and then click Personal.

• Confirm that a CA certificate that has not expired exists in this store. 

Confirm that a valid CA certificate exists in the AIA container

To confirm that a valid CA certificate exists in the AIA container:

• Click Start, point to Administrative Tools, and click Active Directory Sites and Services.

• Click Active Directory Sites and Services [domainname].

• On the View menu, click Show Services Node.

• Double-click Services, double-click Public Key Services, and click AIA.

• Confirm that a CA certificate that has not expired exists in the AIA container.

Validate the CA certificate chain

To validate a CA certificate chain:

• Open a command prompt window.

• Type certutil -urlfetch -verify on the CA certificate, and press ENTER.

• Confirm that the AIA container and CRL distribution point network locations are available, that all certificates in the chain are valid and not revoked, and that valid CRLs are available.

• If the AIA or CRL distribution point locations are not available, identify and resolve the problem that is preventing them from being accessed.

• If any certificates in the chain have expired or been revoked, renew these certificates. If a CA certificate needs to be reissued, all certificates under this certificate in the chain will need to be reissued.

• If a CRL for a CA in the chain has expired, generate new base and delta CRLs on this CA and copy them to the required locations.

• If the CA is offline, you may need to restart it.

Check and publish CRLs

To check and, if necessary, publish new CRLs:

• On the CA that is the source of the problem, check the current published CRL, which by default is created in the folder %windir%\System32\CertSrv\CertEnroll.

• If the CRLs currently in this location have expired or are invalid, open a command prompt window, type certutil -CRL and press ENTER to publish a new CRL.

To generate new base and delta CRLs:

• On the computer hosting the CA, click Start, point to Administrative Tools, and select Certification Authority.

• In the console tree, click Revoked Certificates.

• On the Action menu, point to All Tasks, and click Publish. 

• Select New CRL to overwrite the previously published CRL, or select Delta CRL only to publish a current delta CRL.

To create a CRL by using the Certutil command-line tool:

• On the computer hosting the CA, click Start, type cmd and press ENTER.

• Type certutil -CRL and press ENTER.

To publish CRLs to AD DS by using the Certutil command-line tool:

• Open a command prompt window.

• Type certutil -dspublish "<crlname.crl>" ldap:///CN=<CA name>,CN=<CA hostname>,CN=CDP,CN=Public Key Services,CN=Ser vices,CN=Configuration,DC=<contoso>,DC=<com>?certificateRevocationList?base?objectClass=cRLDistributionPoint and press ENTER.

Replace crlname.crl with the name of your CRL file, CA name and CA hostname with your CA name and the name of the host on which that CA runs, and contoso and com with the namespace of your Active Directory domain.

Additional

To confirm that the certification authority (CA) certificate and chain are valid:

• On the computer hosting the CA, click Start, type mmc, and then press ENTER.

• If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

• On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

• Click Computer account, and click Next.

• Click Finish, and then click OK.

• In the console tree, click Certificates (Local Computer), and then click Personal.

• Confirm that a CA certificate that has not expired exists in this store.

• Right-click this certificate and select Export to launch the Certificate Export Wizard.

• Export the certificate to a file named Cert.cer.

• Type Start, cmd and press ENTER.

• Type certutil -urlfetch -verify <cert.cer> and press ENTER.

• If no validation, chain building, or revocation checking errors are reported, the chain is valid.