Details of the event with ID 103 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 103 (0x67)
Event log: Application
Event type: Warning
Symbolic Name: MSG_E_MISSING_POLICY_ROOT
Event text (English): Active Directory Certificate Services added the root certificate of certificate chain %1 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer. This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied. To verify that the CA certificate is published correctly in Active Directory, run the following command: certutil -viewstore "%2" (you must include the quotation marks when you run this command). If the root CA certificate is not present, use the Certificates console on the root CA computer to export the certificate to a file, and then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root.
Event text (German): The root certificate of the certificate chain %1 has been downloaded to the company store of the trusted root certification authorities on the certification authority computer. This store will be updated by the CA container in Active Directory the next time the group policy is applied. Run the following command to ensure that the root CA certificate has been correctly published to Active Directory: certutil -viewstore "%2" (you must also enter the quotation marks when running the command). If the root CA certificate does not exist, use the certificate console on the certification root machine to export the certificate to a file. Then run the following command to publish the certificate in Active Directory: Certutil -dspublish %certificatefilename% Root.

Parameters

The parameters contained in the event text are filled with the following fields:

  • %1: CACertIdentifier (win:UnicodeString)
  • %2: LDAPPath (win:UnicodeString)

Example events

Active Directory Certificate Services added the root certificate of certificate chain 0 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer. This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied. To verify that the CA certificate is published correctly in Active Directory, run the following command: certutil -viewstore "ldap:///CN=ADCS Labor Issuing CA 2,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=intra,DC=adcslabor,DC=en?cACertificate?base?objectClass=certificationAuthority" (you must include the quotation marks when you run this command). If the root CA certificate is not present, use the Certificates console on the root CA computer to export the certificate to a file, and then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root.

Description

This event occurs when the certification authority detects that the certificate chain of one of its certification authority certificates no longer leads to a trusted root certification authority, i.e., the associated root certification authority appears to have had its trust status revoked.

If the LDAP AIA paths are still reachable, the certification authority itself restores the trust status and logs this event in the process.

Security assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

Since the certification authority was able to restore the trust status for itself, the event usually has no impact on availability, as the certification authority service continues to operate as usual.

See also the article "What impact does the revocation of the trust status of a root certification authority certificate have on the certification authority?".

However, it should be investigated whether the withdrawal of the certification authority's trust status has an impact on the PKI's participants, as they will most likely no longer trust the certification authority certificate.
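As a starting point for that investigation, the following added example (not part of the original article) turns event 103 records into a triage list with the verification command from the event text filled in. The function name `Get-CaEvent103Triage` and the output fields are hypothetical, and the code assumes the event properties arrive in the documented order (%1, then %2).

```powershell
function Get-CaEvent103Triage {
    [CmdletBinding()]
    param(
        # Event record as returned by Get-WinEvent (or an object with the same members).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Record
    )
    process {
        if ($Record.Id -ne 103 -or
            $Record.ProviderName -ne 'Microsoft-Windows-CertificationAuthority') { return }

        # Assumption: Properties[0] is %1 (CACertIdentifier), Properties[1] is %2 (LDAPPath).
        $chainId  = [string]$Record.Properties[0].Value
        $ldapPath = [string]$Record.Properties[1].Value

        # LDAP URL layout: ldap:///<DN>?<attribute>?<scope>?<filter>
        $dn, $attribute, $scope, $filter = ($ldapPath -replace '^ldap:///', '') -split '\?', 4

        [pscustomobject]@{
            TimeCreated   = $Record.TimeCreated
            Computer      = $Record.MachineName
            ChainId       = $chainId
            DirectoryDN   = $dn
            Attribute     = $attribute
            Scope         = $scope
            Filter        = $filter
            # The check the event text asks for; the quotation marks are required.
            VerifyCommand = 'certutil -viewstore "{0}"' -f $ldapPath
        }
    }
}

# Constructed sample record (values taken from the example event above) for an offline run.
$sample = [pscustomobject]@{
    Id           = 103
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    TimeCreated  = (Get-Date); MachineName = 'CA01 (constructed)'
    Properties   = @(
        [pscustomobject]@{ Value = '0' },
        [pscustomobject]@{ Value = 'ldap:///CN=ADCS Labor Issuing CA 2,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=intra,DC=adcslabor,DC=en?cACertificate?base?objectClass=certificationAuthority' }
    )
}
$sample | Get-CaEvent103Triage | Format-List

# Live use on the CA computer:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'; Id = 103 } -ErrorAction SilentlyContinue | Get-CaEvent103Triage
```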

Microsoft rating

Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
