| Event Id | 127 |
| Source | Microsoft-Windows-CertificationAuthority |
| Description | Key recovery certificate %1 is about to expire and will not be used after it has expiration. Contact your adminstrator to renew this certificate. %2 %3 |
| Event Information | According to Microsoft : Cause This event is logged when Key recovery certificate %1 is about to expire and will not be used after it has expiration. Resolution Renew the key recovery agent certificate that is about to expire Key recovery agent certificates that expire can no longer be used for key recovery. In order to continue using key archival, renew the key recovery agent certificate. To perform this procedure, you must be the user who was enrolled for the key recovery agent certificate. To renew a key recovery agent certificate: 1.Click Start, type certmgr.msc, and press ENTER. 2.In the console tree, double-click Certificates, double-click Personal, and click Certificates. 3.Right-click the key recovery agent certificate, point to All Tasks, and click Renew Certificate with New Key or click Advanced Operations and Renew this certificate with the same key to start the Certificate Renewal Wizard. 4.Follow the steps in the wizard to renew the certificate. 5.On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority. 6.In the console tree, click the name of the CA. 7.On the Action menu, click Properties. 8.Click the Recovery Agents tab, and then click Archive the key. 10.In Key Recovery Agent Selection, click the key recovery certificates that are displayed, and click OK. The certificates should appear in the Key recovery agent certificates list, but their status is listed as Not loaded. 11.Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status of the certificates should be listed as Valid. Verify To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority. To confirm that key archival and recovery is working properly: 1.On the computer hosting the CA, click Start, point to 2.In the console tree, right-click the name of the certification authority (CA), and then click Properties. 3.Click the Recovery Agents tab. 4.Confirm that all key recovery agent certificates are listed as Valid. 5.In the Certificate Templates container, confirm that an encryption certificate has the option Archive subject's encryption private key configured on the Request Handling tab. 6.Open the Certificates snap-in for a user account that has permissions to enroll for a certificate based on this certificate template. 7.In the console tree, right-click Personal, point to All Tasks, and click Request New Certificate to start the Certificate Enrollment wizard. 8.Enroll for a certificate based on the encryption template, and confirm that the enrollment completes successfully and no errors are reported. 9.When the enrollment is complete, open the Certification Authority snap-in. 10.In the console tree, click Issued Certificates. 11.Locate the entry for the certificate that was just issued, and add the Archived Key column to the snap-in display list. 12.Confirm that the word Yes appears in the Archived Key column for the certificate that was just issued. |
| Reference Links | Event ID 127 from Source Microsoft-Windows-CertificationAuthority |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.