| Event Source: | Microsoft-Windows-CertificationAuthority |
| Event ID: | 96 (0x60) |
| Event log: | Application |
| Event type: | Error |
| Symbolic Name: | MSG_E_CANNOT_CREATE_XCHG_CERT |
| Event text (English): | Active Directory Certificate Services could not create an encryption certificate. %1. %2. |
| Event text (German): | No encryption certificate could be created by Active Directory Certificate Services. %1. %2. |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: Disposition (win:UnicodeString)
- %2: ErrorCode (win:UnicodeString)
Example events
Active Directory Certificate Services could not create an encryption certificate. Requested by INTRA\Administrator. The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE).
Active Directory Certificate Services could not create an encryption certificate. Requested by INTRA\Administrator. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495 CERT_E_EXPIRED).
Active Directory Certificate Services could not create an encryption certificate. Requested by INTRA\Administrator. The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK).
Active Directory Certificate Services could not create an encryption certificate. Requested by INTRA\rudi Invalid Application Policies: 1.3.6.1.4.1.311.21.5. The certificate has invalid policy. 0x800b0113 (-2146762477 CERT_E_INVALID_POLICY).
Description
Occurs when the certificate authority cannot issue a Certificate Authority Exchange (CA Exchange) certificate. In most cases, this indicates a problem with the certification authority.
Error code CERT_E_INVALID_POLICY
Please note that the creation of a certificate authority exchange certificate can be requested by any authenticated user on the network. For example, the Enterprise PKI (pkiview.msc) management console requests such a certificate to map the certificate authority hierarchy.
Therefore, the Basics: Restricting Extended Key Usage (EKU) in Certification Authority Certificates always include the "Private Key Archival" Enhanced Key Usage in the list of allowed EKUs for the certification authority certificate so that the certificates for the certification authority exchange can be issued correctly.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
The event may be an indication that the availability of the certification authority service is or will soon be impaired. Therefore, an alert should be triggered.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
Related links:
- Overview of Windows events generated by the certification authority
- Overview of audit events generated by the Certification Authority
- Basics: Restricting Extended Key Usage (EKU) in Certification Authority Certificates
External sources
- Event ID 96 - AD CS Key Archival and Recovery (Microsoft)
- Securing Public Key Infrastructure (PKI) (Microsoft)
English 
Deutsch
2 thoughts on “Details zum Ereignis mit ID 96 der Quelle Microsoft-Windows-CertificationAuthority”
Comments are closed.