Collection Rule for event with source CertificationAuthority and ID 5

Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.5 (Rule)

Certificate Services could not find essential registry information.

Knowledge Base article:

Summary

Active Directory Certificate Services could not find required registry information. The certification authority may need to be reinstalled.

Resolutions

To perform this procedure, you must have local Admin permission, or you must have been delegated the appropriate authority.

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To resolve registry-related problems:

On the computer hosting the CA, click Start, type regedit, and press ENTER.

Look for the registry configuration settings listed in the Configuration section below and correct any incorrect values.

Click Start, point to Administrative Tools, and click Certification Authority.

Right-click the CA name, and click Restart.

Configuration

Correct CA-related registry values:

By default, certification authority (CA) registry configuration information is located under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name.

The event log message may contain more specific information that helps you locate the exact key or value in this hive where the problem exists, such as the following:

The signature algorithm in this registry value is unrecognized: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name\SignatureAlgorithm.

The Certificate Date Validity Period string in this registry value is invalid: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name\ValidityPeriod.

Valid strings for this value are "Seconds," "Minutes," "Hours," "Days," "Weeks," "Months," and "Years."

The Certificate Revocation List Period string in this registry value is invalid: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name\CRLPeriod.

Valid strings for this value are "Seconds," "Minutes," "Hours," "Days," "Weeks," "Months," and "Years."

The Subject Name Template string in this registry value is invalid: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name\SubjectTemplate.

Unable to get information about the cryptographic service provider (CSP): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA name\CSP\Provider.

Additional

To confirm the certification authority (CA) registry settings:

After you have finished making any changes to registry settings for the CA, click Start, point to Administrative Tools, and click Certification Authority.

Select the CA name, and click Restart.

Click Start, type cmd and press ENTER.

Type certutil -getreg ca\security and press ENTER.

If there are no more corrupt settings, the text "-getreg command completed successfully" will appear.
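A read-only audit of the registry values the article walks through, run before the restart step, as an added PowerShell example that is not part of the knowledge article or the management pack. It assumes elevated rights on the CA host and the default key location given above; the $CAName parameter is this script's own assumption (pass the CA's common name, or let it take the first subkey under Configuration).

```powershell
# Added example (not from the knowledge article or the management pack).
# Read-only audit of the CA registry values that CertSvc event 5 points at,
# meant to be run elevated on the CA host before restarting the service.
# Assumption: the CA name subkey sits directly under the default
# ...\CertSvc\Configuration key; $CAName is a parameter this script defines.
param([string]$CAName)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (-not $CAName) {
    # No name given: use the first subkey (assumes a single CA on this host)
    $CAName = (Get-ChildItem -Path $base | Select-Object -First 1).PSChildName
}
$caKey = Join-Path -Path $base -ChildPath $CAName
if (-not (Test-Path -Path $caKey)) { throw "CA configuration key not found: $caKey" }

# Period strings the article lists as valid for ValidityPeriod and CRLPeriod
$validPeriods = 'Seconds','Minutes','Hours','Days','Weeks','Months','Years'
$cfg      = Get-ItemProperty -Path $caKey
$findings = @()

foreach ($name in 'ValidityPeriod','CRLPeriod') {
    $value = $cfg.$name
    if ([string]::IsNullOrWhiteSpace($value)) {
        $findings += "$caKey\$name is missing or empty"
    } elseif ($validPeriods -notcontains $value.Trim()) {
        $findings += "$caKey\$name = '$value' is not one of: $($validPeriods -join ', ')"
    }
}

# The article names these values but lists no fixed set of valid strings,
# so only flag them when they are missing or empty (SubjectTemplate is multi-string).
foreach ($name in 'SignatureAlgorithm','SubjectTemplate') {
    if ([string]::IsNullOrWhiteSpace(($cfg.$name -join ';'))) {
        $findings += "$caKey\$name is missing or empty"
    }
}
$cspKey   = Join-Path -Path $caKey -ChildPath 'CSP'
$provider = (Get-ItemProperty -Path $cspKey -ErrorAction SilentlyContinue).Provider
if ([string]::IsNullOrWhiteSpace($provider)) {
    $findings += "$cspKey\Provider is missing or empty"
}

if ($findings.Count -eq 0) {
    Write-Output "No invalid values found under $caKey; restart the CA and run: certutil -getreg ca\security"
    exit 0
}
Write-Output "Values to correct before restarting the CA:"
$findings | ForEach-Object { Write-Output "  $_" }
exit 1
```

A non-zero exit code means at least one value needs correcting in regedit before the Restart and certutil steps above.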

Element properties:

Target: Microsoft.Windows.CertificateServices.CARole.6.3
Category: EventCollection
Enabled: True
Event_ID: 5
Event Source: Microsoft-Windows-CertificationAuthority
Alert Generate: True
Alert Severity: Error
Alert Priority: High
Remotable: True
Alert Message:
    AD CS Registry Settings
    Event Description: {0}
Event Log: Application

Member Modules:

ID                    Module Type   TypeId                                                                  RunAs
DS                    DataSource    Microsoft.Windows.EventProvider                                         Default
Alert                 WriteAction   System.Health.GenerateAlert                                             Default
WriteToCertSvcEvents  WriteAction   Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher    Default
WriteToDB             WriteAction   Microsoft.SystemCenter.CollectEvent                                     Default

Source Code:

<Rule ID="Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.5" Enabled="onEssentialMonitoring" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.6.3" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">5</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-CertificationAuthority</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
<WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>2</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="AlertMessageIDa6eb33f7d82e48b5a7aa82f239e48eba"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
<SuppressionValue>$Data/PublisherName$</SuppressionValue>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>