Overview of the Windows events generated by the certification authority

The following is an overview of the events that the certification authority generates in the Windows Event Viewer.


The certification authority's events are written to the Application log. The following sources contain CA events:

  • Microsoft-Windows-CertificationAuthority

Predefined view in the Windows Event Viewer

A suitably filtered view is already preconfigured in the "Active Directory Certificate Services" category on every system on which the certification authority is installed.

Event source Microsoft-Windows-CertificationAuthority

Some of these events are only logged if the logging level for the event log of the certification authority in question has been set to 4 (CERTLOG_VERBOSE) or higher.

ID | Level | Message
5 | Error | Active Directory Certificate Services could not find required registry information. The Active Directory Certificate Services may need to be reinstalled.
6 | Information | Active Directory Certificate Services issued a certificate for request %1 for %2.
7 | Warning | Active Directory Certificate Services denied request %1 because %2. The request was for %3.
8 | Information | Active Directory Certificate Services left request %1 pending in the queue for %2.
9 | Error | The Active Directory Certificate Services did not start: Unable to load an external policy module.
10 | Warning | Active Directory Certificate Services were unable to build a new certificate or certificate chain: %1.
15 | Error | Active Directory Certificate Services did not start: Version does not match certif.dll.
16 | Error | Active Directory Certificate Services did not start: Unable to initialize OLE: %1.
17 | Error | Active Directory Certificate Services did not start: Unable to initialize the database connection for %1. %2.
19 | Error | Active Directory Certificate Services did not start: The Subject Name Template string in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%1\SubjectTemplate is invalid. An example of a valid string is: CommonName OrganizationalUnit Organization Locality State Country
20 | Error | Active Directory Certificate Services did not start: The Certificate Date Validity Period string in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%1\ValidityPeriod is invalid. Valid strings are "Seconds", "Minutes", "Hours", "Days", "Weeks", "Months" and "Years".
21 | Error | Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3.
22 | Error | Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. Additional information: %4
23 | Error | Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. The certificate would contain an encoded length that is potentially incompatible with older enrollment software. Submit a new request using different length input data for the following field: %4
25 | Information | Active Directory Certificate Services revoked the certificate for request %1 for %2.
26 | Information | Active Directory Certificate Services for %1 was started.%2%3
27 | Error | Active Directory Certificate Services did not start: Hierarchical setup is incomplete. Use the request file in %1.req to obtain a certificate for this Certificate Server, and use the Certification Authority administration tool to install the new certificate and complete the installation.
33 | Error | Active Directory Certificate Services did not start: Could not create the Certificate Server service thread for %1. %2.
34 | Error | Active Directory Certificate Services did not start: Could not initialize RPC for %1. %2.
35 | Error | Active Directory Certificate Services did not start: Could not initialize OLE for %1. %2.
38 | Information | Active Directory Certificate Services for %1 was stopped.
39 | Error | Active Directory Certificate Services did not start: The Certification Authority DCOM class for %1 could not be registered. %2. Use the services administration tool to change the Certification Authority logon context.
40 | Error | Active Directory Certificate Services did not start: Could not initialize DCOM class factories for %1. %2.
42 | Error | Could not build a certificate chain for CA certificate %3 for %1. %2.
43 | Error | The "%1" Policy Module "%2" method caused an exception at address %4. The exception code is %3.
44 | Error | The "%1" Policy Module "%2" method returned an error. %5 The returned status code is %3. %4
45 | Error | The "%1" Exit Module "%2" method caused an exception at address %4. The exception code is %3.
46 | Error | The "%1" Exit Module "%2" method returned an error. %5 The returned status code is %3. %4
48 | Warning | Revocation status for a certificate in the chain for CA certificate %3 for %1 could not be verified because a server is currently unavailable. %2.
49 | Warning | A certificate in the chain for CA certificate %3 for %1 could not be verified because no information is available describing how to check the revocation status. %2.
51 | Error | A certificate in the chain for CA certificate %3 for %1 has been revoked. %2.
52 | Information | Active Directory Certificate Services issued a certificate for request %1 for %2. Additional information: %3
53 | Warning | Active Directory Certificate Services denied request %1 because %2. The request was for %3. Additional information: %4
54 | Information | Active Directory Certificate Services left request %1 pending in the queue for %2. Additional information: %3
56 | Information | Active Directory Certificate Services denied request %1. The request was for %2.
57 | Information | Active Directory Certificate Services denied request %1. The request was for %2. Additional information: %3
58 | Error | A certificate in the chain for CA certificate %3 for %1 has expired. %2.
59 | Error | Active Directory Certificate Services did not start: Could not connect to the Active Directory for %1. %2.
60 | Error | Active Directory Certificate Services refused to process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize registry parameter via certutil -setreg CA\MaxIncomingMessageSize . Unless verbose logging is enabled, this error will not be logged again for 20 minutes.
62 | Warning | Active Directory Certificate Services had problems loading valid CRL publication values and has reset the CRL publication to its default settings.
63 | Error | Active Directory Certificate Services did not start: %1 %2.
64 | Error | Active Directory Certificate Services cannot publish enrollment access changes to Active Directory.
65 | Error | Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location: %2. %3.%5%6
66 | Error | Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location: %2. %3.%5%6
67 | Error | Active Directory Certificate Services made %1 attempts to publish a CRL and will stop publishing attempts until the next CRL is generated.
68 | Information | Active Directory Certificate Services successfully published Base CRL(s).
69 | Information | Active Directory Certificate Services successfully published Delta CRL(s).
70 | Information | Active Directory Certificate Services successfully published Base and Delta CRL(s).
71 | Information | Active Directory Certificate Services successfully published Base CRL(s) to server %1.
72 | Information | Active Directory Certificate Services successfully published Delta CRL(s) to server %1.
73 | Information | Active Directory Certificate Services successfully published Base and Delta CRL(s) to server %1.
74 | Error | Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location on server %4: %2. %3.%5%6
75 | Error | Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location on server %4: %2. %3.%5%6
76 | Information | The "%1" Policy Module logged the following information: %2
77 | Warning | The "%1" Policy Module logged the following warning: %2
78 | Error | The "%1" Policy Module logged the following error: %2
79 | Warning | Active Directory Certificate Services could not publish a Certificate for request %1 to the following location: %2. %3.%5%6
80 | Warning | Active Directory Certificate Services could not publish a Certificate for request %1 to the following location on server %4: %2. %3.%5%6
81 | Error | Active Directory Certificate Services key archival is only supported on Advanced Server. %1
82 | Error | Active Directory Certificate Services could only verify %1 of %2 key recovery certificates required to enable private key archival. Requests to archive private keys will not be accepted.
83 | Error | Active Directory Certificate Services encountered an error loading key recovery certificates. Requests to archive private keys will not be accepted. %1
84 | Error | Active Directory Certificate Services will not use key recovery certificate %1 because it could not be verified for use as a Key Recovery Agent. %2 %3
85 | Warning | Active Directory Certificate Services ignored key recovery certificate %1 because it could not be loaded. %2 %3
86 | Warning | Active Directory Certificate Services could not use the provider specified in the registry for encryption keys. %1
87 | Error | Active Directory Certificate Services could not use the default provider for encryption keys. %1
88 | Warning | Active Directory Certificate Services switched to the default provider for encryption keys. %1
90 | Error | %1: Active Directory Certificate Services detected an exception at address %2. Flags = %3. The exception is %4.
91 | Error | Could not connect to the Active Directory. Active Directory Certificate Services will retry when processing requires Active Directory access.
92 | Error | Active Directory Certificate Services could not update security permissions. %1
93 | Warning | The certificate (#%1) of Active Directory Certificate Services %2 does not exist in the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory’s configuration container. The directory replication may not be completed.
94 | Warning | Active Directory Certificate Services %1 can not open the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory’s configuration container.
95 | Error | Security permissions are corrupted or missing. The Active Directory Certificate Services may need to be reinstalled.
96 | Error | Active Directory Certificate Services could not create an encryption certificate. %1. %2.
97 | Warning | Active Directory Certificate Services %1 will reduce the maximum lifetime of the issued certificate for request %2 because the CA certificate lifetime is shorter than the registry validity period. Consider renewing the CA certificate or reducing the registry validity period.
98 | Error | Active Directory Certificate Services encountered errors validating configured key recovery certificates. Requests to archive private keys will no longer be accepted.
99 | Error | Active Directory Certificate Services could not create cross certificate %1 to certify its own root certificates. %2. %3.
100 | Error | Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. %1 %2.
101 | Information | Active Directory Certificate Services created CA cross certificate %2 for %1.
102 | Error | Active Directory Certificate Services could not create cross certificate %1 to certify its own root certificates. The %2 extension is inconsistent. %3. %4.
103 | Warning | Active Directory Certificate Services added the root certificate of certificate chain %1 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer. This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied. To verify that the CA certificate is published correctly in Active Directory, run the following command: certutil -viewstore "%2" (you must include the quotation marks when you run this command). If the root CA certificate is not present, use the Certificates console on the root CA computer to export the certificate to a file, and then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root.
104 | Information | Active Directory Certificate Services published certificate %1 to %2.
105 | Information | Active Directory Certificate Services deleted invalid certificate %1 from %2.
106 | Warning | Active Directory Certificate Services cannot add certificate %1 to %2. %3. %4.
107 | Warning | Active Directory Certificate Services cannot delete invalid certificate %1 from %2. %3. %4.
108 | Warning | Active Directory Certificate Services could not delete a Certificate for request %1 from the following location: %2. %3.%5%6
109 | Warning | Active Directory Certificate Services could not delete a Certificate for request %1 from the following location on server %4: %2. %3.%5%6
110 | Warning | Active Directory Certificate Services could not initialize the performance counters.
111 | Error | Active Directory Certificate Services upgrade failed because the upgrade path could not be determined. %1
112 | Error | Active Directory Certificate Services upgrade failed because information required for the upgrade was unavailable. %1
113 | Warning | A portion of the Active Directory Certificate Services upgrade failed: Could not create CertEnroll folder and/or shared folder with proper permissions. %1
114 | Warning | A portion of the Active Directory Certificate Services upgrade failed: Could not create virtual roots. %1
115 | Warning | A portion of the Active Directory Certificate Services upgrade failed: Could not update server registry entries. %1
116 | Warning | A portion of the Active Directory Certificate Services upgrade failed: Could not create web configuration file. %1
117 | Warning | A portion of the Active Directory Certificate Services upgrade failed: Could not create revocation page. %1
118 | Warning | A portion of the Active Directory Certificate Services upgrade failed: Could not upgrade key containers. %1
121 | Warning | A portion of the Active Directory Certificate Services upgrade failed: Could not install new templates. %1
122 | Warning | A portion of the Active Directory Certificate Services upgrade failed: Could not update service description. %1
123 | Warning | A portion of the Active Directory Certificate Services upgrade failed: Could not update security settings. %1
124 | Information | Active Directory Certificate Services upgrade succeeded. Active Directory Certificate Services settings have been upgraded successfully.
125 | Error | Active Directory Certificate Services upgrade failed. Active Directory Certificate Services settings have not been upgraded. %1
126 | Error | Current information about advanced features supported by this Certification Authority is not available from the domain controller. Stop and restart Certificate Services in order to update this information. %1
127 | Error | Key recovery certificate %1 is about to expire soon and will not be used upon expiration. Contact your adminstrator to renew this certificate. %2 %3
128 | Warning | An Authority Key Identifier was passed as part of the certificate request %1. This feature has not been enabled. To enable specifying a CA key for certificate signing, run: "certutil -setreg ca\UseDefinedCACertInRequest 1" and then restart the service.
129 | Warning | An invalid OID has been detected in the EnabledEKUForDefinedCACert configuration setting. To resolve, run: "certutil -getreg ca\EnabledEKUForDefinedCACert" to identify the invalid OID and correct it. The default OID ("") will be used.
130 | Error | Active Directory Certificate Services could not create a certificate revocation list. %1. This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the certificate revocation list manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.
131 | Warning | An invalid OID has been detected in the EKUOIDsForPublishExpiredCertInCRL configuration setting. To resolve, run: "certutil -getreg ca\EKUOIDsForPublishExpiredCertInCRL" to identify the invalid OID and correct it. The default OIDs ("" and "") will be used.
132 | Error | The certification authority (CA) was unable to perform a decryption operation. This error can occur when an advanced encryption algorithm such as Advanced Encryption Standard (AES) is used and the CA has not been configured to use a CryptoAPI Next Generation (CNG) key storage provider. If this error occurred during certificate enrollment, check the certificate template to ensure that advanced encryption for key archival is not enabled.
133 | Error | The certification authority (CA) failed to encode a server extension required to validate a certificate or certification revocation list (CRL). The CA will not issue any certificates or CRLs that do not contain this extension. To correct this problem, use the Certification Authority snap-in to remove any Unicode characters in the URLs for the AIA, CDP, and IDP extensions, then restart the CA.
134 | Information | A certificate in the chain for CA certificate %3 for %1 has expired. %2.

