Home
  •  

具有來源 CertificationAuthority 和 ID 51 的事件收集規則

Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.51 (Rule)

已為 CA 憑證撤銷鏈結中的憑證。

Knowledge Base article:

摘要

鏈結或路徑驗證是一種處理序,在憑證鏈結於受信任的自我簽署憑證上終止之前,終端實體 (使用者或電腦) 憑證和所有憑證授權單位 (CA) 憑證都會藉由該處理序以階層方式處理。通常,這是根 CA 憑證。如果 CA 憑證的可用性、有效性和鏈結驗證有問題,Active Directory 憑證服務 (AD CS) 啟動會失敗。

解決方式

在鏈結中為遭到撤銷的 CA 憑證重新發行憑證

雖然憑證授權單位 (CA) 憑證遭到撤銷並不常見。若要解決此情況:

若要執行這些程序,您必須擁有管理 CA 權限,或者必須已被委派適當的權限。

確認 CA 憑證已遭到撤銷

若要確認 CA 憑證已遭到撤銷:

使用 CA 憑證檔案的名稱取代 CAcert.cer。

註冊 CA 憑證

若要註冊 CA 憑證:

啟用 CryptoAPI 2.0 診斷

若要啟用 CryptoAPI 2.0 診斷:

其他

若要確認憑證授權單位 (CA) 憑證和鏈結有效:

Element properties:

TargetMicrosoft.Windows.CertificateServices.CARole.2016
CategoryEventCollection
EnabledTrue
Event_ID51
Event SourceMicrosoft-Windows-CertificationAuthority
Alert GenerateTrue
Alert SeverityError
Alert PriorityHigh
RemotableTrue
Alert Message
AD CS 憑證授權單位憑證與鏈結驗證 - CA 鏈結中的憑證已撤銷
事件描述:{0}
Event LogApplication

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
Alert WriteAction System.Health.GenerateAlert Default
WriteToCertSvcEvents WriteAction Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher Default
WriteToDB WriteAction Microsoft.SystemCenter.CollectEvent Default

Source Code:

<Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.51" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Application</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">51</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="String">Microsoft-Windows-CertificationAuthority</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>

    <WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>2</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="AlertMessageIDec09b85c4b5c4b5c9753da70c2ab3dc7"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>

        <SuppressionValue>$Data/PublisherName$</SuppressionValue>

        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>