| Event Source: | Microsoft-Windows-CertificationAuthority |
| Event ID: | 65 (0x41) |
| Event log: | Application |
| Event type: | Error |
| Symbolic Name: | MSG_E_BASE_CRL_PUBLICATION |
| Event text (English): | Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location: %2. %3.%5%6 |
| Event text (German): | No base certificate revocation list could be published for the key %1 at the following location: %2. %3.%5%6 |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: CAKeyIdentifier (win:UnicodeString)
- %2: URL (win:UnicodeString)
- %3: ErrorMessageText (win:UnicodeString)
- %4: param4 (win:UnicodeString)
- %5: param5 (win:UnicodeString)
- %6: AdditionalErrorMessage (win:UnicodeString)
Example events
Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: file://\WEB01.intra.adcslabor.de\pki$\crl\ADCS Labor Enterprise Root CA.crl. Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED).
Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: \WEB01.intra.adcslabor.de\pki$\crl\ADCS Labor Issuing CA 1.crl. The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)
Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: c:\windows\system32\CertSrv\CertEnroll\DB-Issuing-CA1-1-11.crl. Cannot create a file when that file already exists. 0x800700b7 (WIN32/HTTP: 183 ERROR_ALREADY_EXISTS).
Description
This problem occurs when the certificate revocation list could be successfully generated, but subsequently could not be copied to one of the configured revocation list distribution points. Causes for this can be:
- The server on which the revocation list distribution point is set up is unreachable.
- The certification authority does not have permissions to the share or LDAP path that has been set up. By default, the server on which the certification authority is installed is a member of the "Cert Publishers" group. Since the group membership is only applied when the account (in the case of the certification authority: SYSTEM) is logged in again, the server on which the certification authority is installed must be restarted once after installation.
The certification authority process will retry publishing after 10 minutes.
Error code ERROR_Directory
Error code ERROR_ALREADY_EXISTS
Occurs when the file to be written already exists and the certification authority does not have write permissions on the file. For example, this may occur after the Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to another server occur if the old computer object is the owner of the file.
Probably also occurs if the blacklist file (this must be created in the course of the Publication overwritten) is currently locked by another process (for example, uploading the blacklist to another system).
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
If the certification authority is not able to generate or publish a revocation list, it is highly likely that it will expire on the distribution points in a short time. In this case, there is a threat of failure of the IT services that depend on the PKI. Therefore, this event must be rated as "critical" in terms of availability.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
Related links:
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
English 
Deutsch
2 thoughts on “Details zum Ereignis mit ID 65 der Quelle Microsoft-Windows-CertificationAuthority”
Comments are closed.