Collection Rule for event with source CertificationAuthority and ID 65

Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.65 (Rule)

Certificate Services could not publish a certificate revocation list (CRL).

Knowledge Base article:

Summary

Providing clients with the information that they need to determine whether to trust a certificate is one of the most important security functions of a certification authority (CA) and public key infrastructure (PKI). For the administrator, this means promptly revoking untrusted certificates that have not reached their scheduled expiration dates and publishing this information in certificate revocation lists (CRLs). Monitoring and addressing problems with CRL publication and availability is a critical aspect of PKI security.

Resolutions

Enable AD CS to publish a certificate revocation list

Possible resolutions to this event log message include:

If the event log message specifies an Active Directory location that has been formatted as a Lightweight Directory Access Protocol (LDAP) address, confirm that the certification authority (CA) has Write permissions to this location. To do this, follow the procedure in the "Confirm Active Directory CRL distribution point permissions" section.
Check the access control list on any file locations referenced in the event log message to confirm that the CA computer has Write permissions to those locations. To do this, follow the procedure in the "Confirm CRL distribution point permissions" section.
Follow the procedure in the "Check network connectivity" section to check network connectivity between the CA and domain controller.
After any network or permissions problems have been resolved, use the procedure in the "Publish a new CRL" section to publish a new CRL.
If you still cannot publish a new CRL, confirm that the CRL distribution point is valid by following the procedure in the "Confirm the validity of configured CRL distribution points" section.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm Active Directory CRL distribution point permissions

To confirm Active Directory CRL distribution point permissions:

On a computer that has Active Directory management tools installed, click Start, point to Administrative Tools, and click Active Directory Sites and Services.
On the View menu, click Show Services Node.
Double-click Services, and double-click Public Key Services.
Right-click AIA, and click Properties.
Click the Security tab, and confirm that the CA has Write permission to this location.

Confirm file location CRL distribution point permissions

To confirm file location CRL distribution point permissions:

Click Start, type the file share address that you are using to publish CRLs and press ENTER.
Right-click the file share, and click Properties.
Click the Security tab, and confirm that the CA has Write permission to this location.

Check network connectivity

To determine if there is a network connectivity problem between the CA and the domain controller:

Open a command prompt window on the computer hosting the CA.
Type ping <server_FQDN> and press ENTER, where server_FQDN is the fully qualified domain name (FQDN) of the domain controller. If you can connect to the domain controller, you will receive a reply similar to the following:

Reply from IP_address: bytes=32 time=3ms TTL=59

Reply from IP_address: bytes=32 time=20ms TTL=59

Reply from IP_address: bytes=32 time=3ms TTL=59

Reply from IP_address: bytes=32 time=6ms TTL=59 3.

At the command prompt, type ping <IP_address>, where <IP_address> is the IP address of the domain controller, and then press ENTER.
If you can successfully connect to the domain controller by IP address but not by FQDN, this indicates a possible issue with Domain Name System (DNS) host name resolution.
If you cannot successfully connect to the domain controller by IP address, this indicates a possible issue with network connectivity. Check for and resolve any hardware problems, such as a malfunctioning network card or disconnected network cable, as well as any event log errors relating to firewall configuration Internet Protocol security (IPsec) configuration.

Publish a new CRL

To publish a new CRL by using the Certification Authority snap-in:

Click Start, point to Administrative Tools, and click Certification Authority.
Right-click Revoked Certificates, point to All Tasks, and then click Publish to publish the new CRL.

To publish a new CRL by using the Certutil command-line tool:

Open a command prompt window.
To publish CRLs to all configured CRL publishing locations, type certutil -CRL and press ENTER.
To publish a CRL directly to an Active Directory location, type certutil -dspublish "<crlname.crl>" ldap:///CN=<CA name>,CN=<CA hostname>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=<contoso>,DC=<com>?certificateRevocationList?base?objectClass=cRLDistributionPoint and press ENTER.

Replace crlname.crl with the name of your CRL file, CA name and CA hostname with your CA name and the name of the host on which that CA runs, and contoso and com with the namespace of your Active Directory domain.

Confirm the validity of configured CRL distribution points

To confirm the validity of configured CRL distribution points:

Click Start, point to Administrative Tools, and click Certification Authority.
Right-click the name of the CA, and click Properties.
Click the Extensions tab. Note the CRL distribution point locations for which the Publish CRLs to this location check box is selected.

You can also determine the configured CRL distribution point URLs by opening a command prompt window on the CA and running the following command: certutil -getreg ca\crlpublicationurls.

Additional

To confirm that certificate revocation list (CRL) publishing is working properly, perform the following procedure on a recently issued end-entity (user or computer) certificate:

Open a command prompt window on a computer that is connected to the network.
Type certutil -url <cert.cer> and press ENTER.

Replace <cert.cer> with the name of a certificate file that you created by exporting a certificate using the Certificate Export Wizard.

In the dialog box that appears, under Retrieve, click CRLs (from CDP), and click Retrieve.
Confirm that the status of all retrieved CRL distribution points is listed as Verified.

Element properties:

Target

Microsoft.Windows.CertificateServices.CARole.2016

Category

EventCollection

Enabled

True

Event_ID

Event Source

Microsoft-Windows-CertificationAuthority

Alert Generate

True

Alert Severity

Error

Alert Priority

High

Remotable

True

Alert Message

AD CS Certificate Revocation List (CRL) Publishing - Failed to publish base CRL

Event Description: {0}

Event Log

Application

Member Modules:

ID	Module Type	TypeId	RunAs
DS	DataSource	Microsoft.Windows.EventProvider	Default
Alert	WriteAction	System.Health.GenerateAlert	Default
WriteToCertSvcEvents	WriteAction	Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher	Default
WriteToDB	WriteAction	Microsoft.SystemCenter.CollectEvent	Default

Source Code:

<Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.65" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Application</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">65</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="String">Microsoft-Windows-CertificationAuthority</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>

    <WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>2</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="AlertMessageIDd664f0fa5e3944d587fc8230b91b51bb"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>

        <SuppressionValue>$Data/PublisherName$</SuppressionValue>

        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>