Event Id | 3 |
Source | Microsoft-Windows-CertificationAuthority |
Description | The certificate request failed. |
Event Information | According to Microsoft:
Cause: This event is logged when the certificate request failed.
Resolution: Correct problems that prevent certificate requests from being processed.
To identify and resolve problems that can block certificate request processing, you should:
1. Confirm the certificate chain for the certification authority (CA).
2. Generate and publish new certificate revocation lists (CRLs).
3. Confirm the configured CRL distribution points.
4. If these steps do not resolve the problem, check the failed requests queue on the CA for information about why the request failed.
Note: To perform the following procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm the certificate chain for the CA
To validate the chain for the CA:
1. Click Start, type mmc, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
4. Click Computer account, and click Next.
5. Select the computer hosting the CA, click Finish, and then click OK.
6. Select each CA certificate in the certificate chain, and click View Certificate.
7. Click the Details tab, and click Copy to File to start the Certificate Export Wizard. Save each certificate with a .cer extension.
8. Open a command prompt and run the following command on each CA certificate: certutil -urlfetch -verify
9. Use the same command with a certificate file for an end-entity (user or computer) certificate issued by the CA to confirm CRLs for the CA itself as well as its chain.
10. Resolve any problems identified in the command line output.

Generate and publish new CRLs
If the command line output indicates that a CRL for a CA has expired, generate new base and delta CRLs on the CA and copy them to the required locations. You may need to restart an offline CA to do this.
On the CA, check the current published CRL. By default, the CA creates CRLs in the folder %windir%\System32\CertSrv\CertEnroll. If the CRLs currently in this location have expired or are invalid, you can use the following procedure to publish a new CRL.
To publish a new CRL by using the Certification Authority snap-in:
1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
2. Select the CA, and expand the folders below the CA name.
3. Right-click the Revoked Certificates folder.
4. Click All Tasks, and then click Publish.

Confirm configured CRL distribution points
Check all configured CRL distribution points to confirm that publication was successful and that new CRLs are available on the network.
To check the configured CRL distribution points by using the Certification Authority snap-in:
1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
2. Right-click the name of the CA, and click Properties.
3. Click the Extensions tab.
4. Review the configured CRL distribution points to make sure the information is correct.
To check the configured CRL distribution point URLs by using Certutil:
1. Open a command prompt window on the CA.
2. Type the following command: certutil -getreg ca\crlpublicationurls and press ENTER. |
Reference Links | Event ID 3 from Source CertificationAuthority |
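The CRLPublicationURLs values checked in the last procedure each carry a decimal flag prefix that decides whether the CA writes CRLs to that location and whether the URL is embedded in issued certificates. The PowerShell below is an added example, not part of the Microsoft text: it decodes that prefix so the URLs clients will actually fetch can be told apart from the CA's own publish targets. The function name, the sample entries and the host pki.example.test are constructed for illustration.

```powershell
# Added example: decode the "<flags>:<url>" entries of CRLPublicationURLs.
# Names and values are the CSURL_* constants that certutil prints next to each entry.
$CsUrlFlags = [ordered]@{
    CSURL_SERVERPUBLISH      = 0x01  # CA writes base CRLs to this location
    CSURL_ADDTOCERTCDP       = 0x02  # URL is placed in the CDP extension of issued certificates
    CSURL_ADDTOFRESHESTCRL   = 0x04  # URL is placed in CRLs so clients can find delta CRLs
    CSURL_ADDTOCRLCDP        = 0x08  # URL is placed in the CDP extension of CRLs
    CSURL_PUBLISHRETRY       = 0x10
    CSURL_ADDTOCERTOCSP      = 0x20
    CSURL_SERVERPUBLISHDELTA = 0x40  # CA writes delta CRLs to this location
    CSURL_ADDTOIDP           = 0x80  # URL is placed in the IDP extension of CRLs
}

# Hypothetical helper name, chosen for this example.
function ConvertFrom-CrlPublicationUrl {
    param([Parameter(Mandatory)][string[]]$Entry)
    foreach ($e in $Entry) {
        # Split on the first colon only: file paths and URLs contain colons too.
        if ($e -notmatch '^(\d+):(.+)$') { Write-Warning "Unparsed entry: $e"; continue }
        $flags = [int]$Matches[1]
        $url   = $Matches[2]
        $names = foreach ($f in $CsUrlFlags.GetEnumerator()) {
            if ($flags -band $f.Value) { $f.Key }
        }
        [pscustomobject]@{
            Url           = $url
            Flags         = $flags
            FlagNames     = ($names -join ', ')
            CaPublishes   = [bool]($flags -band 0x41)  # base or delta CRL written here by the CA
            InIssuedCerts = [bool]($flags -band 0x02)  # clients validating certificates fetch this URL
        }
    }
}

# Constructed sample entries in the registry's format (not taken from a real CA).
$sample = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    '6:http://pki.example.test/CertEnroll/%3%8%9.crl'
)
ConvertFrom-CrlPublicationUrl -Entry $sample | Format-List

# On a CA, read the live values from the key that certutil -getreg reports:
# $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# $ca  = (Get-ItemProperty $cfg).Active
# ConvertFrom-CrlPublicationUrl -Entry (Get-ItemProperty "$cfg\$ca").CRLPublicationURLs
```

An entry with InIssuedCerts set but CaPublishes clear, like the http sample, is one the CA never writes to itself, so a fresh CRL has to be copied there after each publish.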