| Event Id | 100 |
| Source | Microsoft-Windows-CertificationAuthority |
| Description | Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. %1 %2. |
| Event Information | According to Microsoft : Cause This event is logged when Active Directory Certificate Services did not start and could not load or verify the current CA certificate. Resolution Load and confirm a valid CA certificate and chain You need to confirm that a valid certification authority (CA) certificate is accessible in order for certificate chain validation to take place. You can resolve problems associated with locating a valid CA certificate by confirming that: A valid CA certificate is available on the computer hosting the CA. A valid CA certificate exists in the AIA container. The CA certificate chain can be validated. If a certificate revocation list (CRL) for a CA in the chain has expired, a new CRL is generated. To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority. Confirm that a valid CA certificate exists on the computer hosting the CA To confirm that a valid CA certificate is available on the computer hosting the CA: 1.Click 2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click 3.On the File menu, click Add/Remove Snap-in, click Certificates, and then click 4. Click Computer account, and click 5. Click Finish, and then click OK. 6.In the console tree, click Certificates (Local Computer), and then click Personal. 7 Confirm that a CA certificate that has not expired exists in this store. Confirm that a valid CA certificate exists in the AIA container To confirm that a valid CA certificate exists in the AIA container: 1.Click Start, point to Administrative Tools, and click Active Directory Sites and Services. 2.Click Active Directory Sites and Services [domainname]. 3.On the 4.Double-click Services, double-click 5.Confirm that a CA certificate that has not expired exists in the AIA container. Validate the CA certificate chain To validate a CA certificate chain: 1.Open a command prompt window. 2.Type certutil -urlfetch -verify on the CA certificate, and press ENTER. 3.Confirm that the AIA container and CRL distribution point network locations are available, that all certificates in the chain are valid and not revoked, and that valid CRLs are available 4.If the AIA or CRL distribution point locations are not available, identify and resolve the problem that is preventing them from being accessed. 5.If any certificates in the chain have expired or been revoked, renew these certificates. If a CA certificate needs to be reissued, all certificates under this certificate in the chain will need to be reissued. 6If a CRL for a CA in the chain has expired, generate new base and delta CRLs on this CA and copy them to the required locations. 7. If the CA is offline, you may need to restart it. Check and publish CRLs To check and, if necessary, publish new CRLs: 1.On the CA that is the source of the problem, check the current published CRL, which by default is created in the folder %windir%\System32\CertSrv\CertEnroll. 2. If the CRLs currently in this location have expired or are invalid, open a command prompt window, type certutil -CRL and press ENTER to publish a new CRL. To generate new base and delta CRLs: 1.On the computer hosting the CA, click Start, point to Administrative Tools, and select Certification Authority. 2.In the console tree, click Revoked Certificates. 3.On the Action menu, point to All Tasks, and click Publish. 4.Select New CRL to overwrite the previously published CRL, or select Delta CRL only to publish a current delta CRL. To create a CRL by using the Certutil command-line tool: 1.On the computer hosting the CA, click Start, type cmd and press ENTER. To publish CRLs to AD DS by using the Certutil command-line tool: 1.Open a command prompt window. 2.Type certutil -dspublish " Verify To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority. To confirm that the certification authority (CA) certificate and chain are valid: 1.On the computer hosting the CA, click Start, type mmc, and then press ENTER. 2.If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 3.On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add. 4.Click Computer account, and click Next. 5.Click 6. In the console tree, click Certificates (Local Computer), and then click Personal. 7. Confirm that a CA certificate that has not expired exists in this store. 8.Right-click this certificate and select Export to launch the Certificate Export Wizard. 9.Export the certificate to a file named Cert.cer. 10.Type Start, 11.Type certutil -urlfetch -verify 12 If no validation, chain building, or revocation checking errors are reported, the chain is valid. |
| Reference Links | Event ID 100 from Source Microsoft-Windows-CertificationAuthority |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.