Details of the event with ID 128 of the source Microsoft-Windows-CertificationAuthority

Event Source:	Microsoft-Windows-CertificationAuthority
Event ID:	128 (0x80)
Event log:	Application
Event type:	Warning
Symbolic Name:	MSG_W_REQUEST_CONTAINS_AKI
Event text (English):	An Authority Key Identifier was passed as part of the certificate request %1. This feature has not been enabled. To enable specifying a CA key for certificate signing, run: "certutil -setreg ca\UseDefinedCACertInRequest 1" and then restart the service.
Event text (German):	A job key identifier was passed as part of the %1 certificate request. This feature is not enabled. To specify a certificate authority key for certificate signing, run the certutil -setreg ca\UseDefinedCACertInRequest 1 command and restart the service.

Parameter

The parameters contained in the event text are filled with the following fields:

• %1: RequestId (win:UnicodeString)

Example events

An Authority Key Identifier was passed as part of the certificate request 166131. This feature has not been enabled. To enable specifying a CA key for certificate signing, run: "certutil -setreg ca\UseDefinedCACertInRequest 1" and then restart the service.

Description

This event occurs when a certificate request includes an Authority Key Identifier (AKI) extension, but the certificate authority does not allow it.

The AKI extension is used for example by Online responder (OCSP) is used to sign the OCSP response signing certificate with a specific certificate authority key (if the certificate authority has multiple certificate authority certificates - the OCSP response signature must always be signed by the same key as the certificate to be checked for revocation status by Onlineresponder.

See also article "Allow requesting a specific signature key on a certification authority„.

See also Event no. 35 of the online responder.

Safety assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

If the lifecycle process for certification authorities provides for renewal with a new key pair, an alert should be issued because the availability of the online responder's revocation configuration is affected and errors or undesirable behavior may occur during certificate revocation checks.

Microsoft rating

Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".

Related links:

• Overview of Windows events generated by the certification authority
• Overview of audit events generated by the Certification Authority

External sources

• Event ID 128 - AD CS Certificate Request (Enrollment) Processing (Microsoft)
• Securing Public Key Infrastructure (PKI) (Microsoft)