Event Id | 83 |
Source | Microsoft-Windows-CertificationAuthority |
Description | Active Directory Certificate Services encountered an error loading key recovery certificates. Requests to archive private keys will not be accepted. %1 |
Event Information | According to Microsoft:

Cause
This event is logged when Active Directory Certificate Services encountered an error loading key recovery certificates.

Resolution
Configure the correct number of key recovery agent certificates
Ensure that the correct number of valid key recovery agent certificates are available to the certification authority (CA). The number of key recovery agent certificates that are needed is set on the Recovery Agents tab in the Certification Authority snap-in.
To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.
To identify specific problems with key recovery agent certificates:
1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
2. Right-click the CA name, and click Properties.
3. Click the Recovery Agents tab.
4. Check the status column for the key recovery agent certificates. If one or more certificates is identified as Expired or Invalid, remove the expired or invalid key recovery agent certificates and enroll and assign new certificates.
5. If you do not find any problems with any of these certificates, export each certificate to a .cer file, open a command prompt window, and run the following command against each file to check validity and revocation status: certutil -verify and press ENTER.
6. As an alternative, if you have fewer valid key recovery agent certificates than are specified, you can also go to the Recovery Agents tab and reduce the number of key recovery agents that are needed.

Verify
To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.
To confirm that key archival and recovery is working properly:
1. On the computer hosting the CA, click Start, point to
2. In the console tree, right-click the name of the certification authority (CA), and then click Properties.
3. Click the Recovery Agents tab.
4. Confirm that all key recovery agent certificates are listed as Valid.
5. In the Certificate Templates container, confirm that an encryption certificate has the option Archive subject's encryption private key configured on the Request Handling tab.
6. Open the Certificates snap-in for a user account that has permissions to enroll for a certificate based on this certificate template.
7. In the console tree, right-click Personal, point to All Tasks, and click Request New Certificate to start the Certificate Enrollment wizard.
8. Enroll for a certificate based on the encryption template, and confirm that the enrollment completes successfully and no errors are reported.
9. When the enrollment is complete, open the Certification Authority snap-in.
10. In the console tree, click Issued Certificates.
11. Locate the entry for the certificate that was just issued, and add the Archived Key column to the snap-in display list.
12. Confirm that the word Yes appears in the Archived Key column for the certificate that was just issued. |
Reference Links | Event ID 83 from Source Microsoft-Windows-CertificationAuthority |
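
An added PowerShell example, not part of the Microsoft text: it performs the validity and revocation check from step 5 of the resolution procedure across a folder of exported .cer files, compares the number of valid certificates with the number required on the Recovery Agents tab, and lists recent occurrences of event 83. The folder path and the required count are assumed parameters, and the event query assumes the script runs on the computer hosting the CA.

```powershell
# Added example. $CertDirectory and $RequiredCount are assumptions, not values from the page.
param(
    [string]$CertDirectory = 'C:\Temp\KRA',  # hypothetical folder with the exported .cer files
    [int]$RequiredCount = 1                  # number shown on the Recovery Agents tab
)

function Test-KraCertificate {
    param([string]$Path)
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$ns.X509Certificate2" $Path
    $chain = New-Object "$ns.X509Chain"
    # Check revocation online for every certificate in the chain.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($cert)
    $now = Get-Date
    # Mirror the status values shown on the Recovery Agents tab.
    if ($now -gt $cert.NotAfter) { $status = 'Expired' }
    elseif ($now -lt $cert.NotBefore -or -not $chainOk) { $status = 'Invalid' }
    else { $status = 'Valid' }
    $result = [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Status      = $status
        ChainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    $chain.Reset()
    return $result
}

$results = @(Get-ChildItem -Path $CertDirectory -Filter *.cer |
    ForEach-Object { Test-KraCertificate -Path $_.FullName })
$results | Format-Table File, Status, NotAfter, ChainErrors -AutoSize

$validCount = @($results | Where-Object { $_.Status -eq 'Valid' }).Count
if ($validCount -lt $RequiredCount) {
    Write-Warning "Only $validCount valid key recovery agent certificate(s); $RequiredCount required."
} else {
    Write-Output "$validCount valid key recovery agent certificate(s); requirement of $RequiredCount met."
}

# Show the most recent occurrences of the event this page describes.
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'; Id = 83
} -MaxEvents 5 -ErrorAction SilentlyContinue | Format-List TimeCreated, Message
```

A certificate reported as Invalid here lists the chain status flags that caused the failure in the ChainErrors column.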