Details of the event with ID 86 of the source Microsoft-Windows-CertificationAuthority

Event Source:Microsoft-Windows-CertificationAuthority
Event ID:86 (0x56)
Event log:Application
Event type:Warning
Symbolic Name:MSG_E_BAD_REGISTRY_CA_XCHG_CSP
Event text (English):Active Directory Certificate Services could not use the provider specified in the registry for encryption keys. %1
Event text (German):Active Directory certificate services could not use the encryption key provider specified in the registry. %1

Parameter

The parameters contained in the event text are filled with the following fields:

  • %1: ErrorCode (win:UnicodeString)

Example events

Active Directory Certificate Services could not use the provider specified in the registry for encryption keys.  The keyset is not defined. 0x80090019 (-2146893799 NTE_KEYSET_NOT_DEF)
Active Directory Certificate Services could not use the provider specified in the registry for encryption keys.  Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)

Description

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

This event can occur if the certificate authority cannot process the value configured under the EncryptionCsp registry value, for example, if a hardware security module (HSM) is used and no keys can be generated.

The error code NTE_BAD_KEYSET is an indication of a SafeNet Luna Hardware Security Module (HSM).

The value is located under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{Common-name-of-CA}\EncryptionCSP

It is set to the same value as for the certification authority certificate during the installation of the certification authority.

It is used to generate the key pairs for the Certificate Authority Exchange (CA Exchange) certificates. The CA Exchange certificates are used for archiving private keys, but also for the Enterprise PKI (pkiview.msc) management console.

In general, a software key storage provider can be safely used for the certification authority exchange certificates. This can be configured with the following command line command:

certutil -setreg CA\EncryptionCSP\Provider "Microsoft Software Key Storage Provider".

Afterwards, the certification authority service must be restarted for the changes to be accepted.

See also Event 87 and 88 and articles "The partition of the Hardware Security Module (HSM) runs full„.

Safety assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

No description has been written for this yet.

Microsoft rating

Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".

Related links:

External sources

en_USEnglish