Collection Rule for event with source CertificationAuthority and ID 87

Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.87 (Rule)

Certificate Services could not use the specified provider for encryption keys.

Knowledge Base article:

Summary

Active Directory Certificate Services (AD CS) requires key recovery agent certificates, exchange (XCHG) certificates, and keys in order to support key archival. The functioning of key recovery agent certificates, XCHG certificates, and the cryptographic service providers (CSPs) needed to create them is critical to a public key infrastructure.

Resolutions

Use a cryptographic service provider that supports key archival and recovery

It may not be possible to use administrative tools to resolve problems that are caused by cryptographic providers, the software component that performs encryption and related tasks for encryption certificate generation. However, the following tasks can reveal diagnostic information to assist in the resolution process:

Identify and test your cryptographic provider.
If you continue to have problems and are using a non-Microsoft provider, contact the vendor for troubleshooting information.
You can also reset to the default encryption key provider, but you will also have to revoke the current CA Exchange certificate so that a new one based on the new provider is issued.
If you continue to have problems and are using a Microsoft provider, then contact Microsoft Customer Service and Support.

Identify and test a cryptographic provider

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To identify and test the cryptographic provider you are using:

Open a command prompt window.
Type certutil -getreg ca\EncryptionCSP and press ENTER.
Type certutil -csp <providername> -csptest and press ENTER. Replace providername with the provider identified in the output of step 2.
If you are using a non-Microsoft cryptographic provider, contact the vendor for help. Otherwise, contact Microsoft Customer Service and Support.

Reset the default encryption key provider

To perform this procedure, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

You can configure the certification authority (CA) to use the default Microsoft provider for encryption certificates by setting the following registry key to Microsoft Software Key Storage Provider.

Note: You may have to revoke the current CA Exchange certificate, if there is one, so that a new one based on the new provider is issued. Then, restart the CA.

To modify a configured encryption key provider:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

On the computer hosting the CA, click Start, type regedit, and then press ENTER.
Go to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA Name\EncryptionCSP\Provider.
Change the listed value to Microsoft Software Key Storage Provider.
Open the Certification Authority snap-in.
In the console tree, click Issued Certificates.
In the details pane, select the CA Exchange certificate.
On the Action menu, point to All Tasks, and click Revoke Certificate.
Select the reason for revoking the certificate, adjust the time of the revocation, if necessary, and then click Yes.
Restart the CA.

Additional

To confirm that key archival and recovery is working properly:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
In the console tree, right-click the name of the certification authority (CA), and then click Properties.
Click the Recovery Agents tab.
Confirm that all key recovery agent certificates are listed as Valid.
In the Certificate Templates container, confirm that an encryption certificate has the option Archive subject's encryption private key configured on the Request Handling tab.
Open the Certificates snap-in for a user account that has permissions to enroll for a certificate based on this certificate template.
In the console tree, right-click Personal, point to All Tasks, and click Request New Certificate to start the Certificate Enrollment wizard.
Enroll for a certificate based on the encryption template, and confirm that the enrollment completes successfully and no errors are reported.
When the enrollment is complete, open the Certification Authority snap-in.
In the console tree, click Issued Certificates.
Locate the entry for the certificate that was just issued, and add the Archived Key column to the snap-in display list.
Confirm that the word Yes appears in the Archived Key column for the certificate that was just issued.

Element properties:

Target

Microsoft.Windows.CertificateServices.CARole.2016

Category

EventCollection

Enabled

True

Event_ID

Event Source

Microsoft-Windows-CertificationAuthority

Alert Generate

True

Alert Severity

Error

Alert Priority

High

Remotable

True

Alert Message

AD CS Key Archival and Recovery - Could not use default provider

Event Description: {0}

Event Log

Application

Member Modules:

ID	Module Type	TypeId	RunAs
DS	DataSource	Microsoft.Windows.EventProvider	Default
Alert	WriteAction	System.Health.GenerateAlert	Default
WriteToCertSvcEvents	WriteAction	Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher	Default
WriteToDB	WriteAction	Microsoft.SystemCenter.CollectEvent	Default

Source Code:

<Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.87" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Application</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">87</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="String">Microsoft-Windows-CertificationAuthority</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>

    <WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>2</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="AlertMessageID139bfe1417204092b353d5efab951f6f"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>

        <SuppressionValue>$Data/PublisherName$</SuppressionValue>

        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>