Event ID - 85

Event Id: 85
Source: Microsoft-Windows-CertificationAuthority
Description: Active Directory Certificate Services ignored key recovery certificate %1 because it could not be loaded. %2 %3
Event Information: According to Microsoft:
Cause
This event is logged when Active Directory Certificate Services ignores a key recovery certificate.
Resolution
Identify and use a valid key recovery agent certificate
To resolve this issue, you need to identify why the key recovery agent certificate that is being used is unsuccessful. Generally a key recovery agent certificate becomes unusable when it has expired or was revoked.
To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.
To examine the validity of the key recovery agent certificate:
1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
2. Right-click the certification authority (CA) name, and click Properties.
3. Click the Recovery Agents tab, and check whether the key recovery agent certificate whose index is listed in the event log has Expired or is Invalid. To check its validity, confirm its validity dates and that it contains the extended key usage (EKU) extension indicating that this certificate can be used for key recovery.
4. If a certificate has expired or is not valid, remove the invalid key recovery agent certificate and assign a new one. You may need to issue a new key recovery agent certificate before it can be registered with the CA.
Verify
To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.
To confirm that key archival and recovery is working properly:
1. On the computer hosting the CA, click Start, point to , and click Certification Authority.
2. In the console tree, right-click the name of the certification authority (CA), and then click Properties.
3. Click the Recovery Agents tab.
4. Confirm that all key recovery agent certificates are listed as Valid.
5. In the Certificate Templates container, confirm that an encryption certificate has the option Archive subject's encryption private key configured on the Request Handling tab.
6. Open the Certificates snap-in for a user account that has permissions to enroll for a certificate based on this certificate template.
7. In the console tree, right-click Personal, point to All Tasks, and click Request New Certificate to start the Certificate Enrollment wizard.
8. Enroll for a certificate based on the encryption template, and confirm that the enrollment completes successfully and no errors are reported.
9. When the enrollment is complete, open the Certification Authority snap-in.
10. In the console tree, click Issued Certificates.
11. Locate the entry for the certificate that was just issued, and add the Archived Key column to the snap-in display list.
12. Confirm that the word Yes appears in the Archived Key column for the certificate that was just issued.
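The validity check from step 3 of the resolution procedure (validity dates, key recovery EKU, revocation) can also be scripted on the CA host. The following PowerShell is an added example, not Microsoft's procedure or part of the original page; the function name Test-KraCertificate is hypothetical, and reading the certificates from the Cert:\LocalMachine\KRA store is an assumption about where the CA host keeps them.

```powershell
# Added example: scripted form of the step 3 check for key recovery agent (KRA) certificates.
function Test-KraCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Key Recovery Agent EKU object identifier
        [string]$KraEkuOid = '1.3.6.1.4.1.311.21.6'
    )
    process {
        # Collect every OID listed in the certificate's EKU extension(s)
        $ekuOids = @()
        foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
            }
        }

        # Build the chain with an online revocation check on the KRA certificate itself
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly
        $chainOk = $chain.Build($Certificate)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        $now = Get-Date
        [pscustomobject]@{
            Thumbprint       = $Certificate.Thumbprint
            Subject          = $Certificate.Subject
            NotAfter         = $Certificate.NotAfter
            InValidityPeriod = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
            HasKraEku        = ($ekuOids -contains $KraEkuOid)
            ChainValid       = $chainOk
            ChainStatus      = $status   # e.g. Revoked, NotTimeValid; empty when the chain is clean
        }
    }
}

# Assumption: the CA host holds its KRA certificates in the LocalMachine\KRA store.
Get-ChildItem Cert:\LocalMachine\KRA | Test-KraCertificate | Format-List

# Recent occurrences of this event (AD CS logs to the Application log)
Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'; Id = 85
} -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

A certificate that reports InValidityPeriod or HasKraEku as False, or a ChainStatus containing Revoked, is a candidate for removal and replacement in step 4.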
Reference Links: Event ID 85 from Source Microsoft-Windows-CertificationAuthority
