Event ID - 31

Event Id31
SourceMicrosoft-Windows-CertificationAuthority
DescriptionActive Directory Certificate Services did not start: The chain of Certification Authority certificates is not properly configured.
Event Informationstart.
Resolution :
Load and confirm a valid CA certificate and chain
You need to confirm that a valid certification authority (CA) certificate is accessible in order for certificate chain validation to take place. You can resolve problems associated with locating a valid CA certificate by confirming that:
1.A valid CA certificate is available on the computer hosting the CA.
2.A valid CA certificate exists in the AIA container.
3.The CA certificate chain can be validated.
4.If a certificate revocation list (CRL) for a CA in the chain has expired, a new CRL is generated.
Note:
To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.
Confirm that a valid CA certificate exists on the computer hosting the CA
To confirm that a valid CA certificate is available on the computer hosting the CA:
1.ClickStart, typemmc, and then press ENTER.
2.If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then clickContinue.
3.On theFile menu, clickAdd/Remove Snap-in, clickCertificates, and then clickAdd.
4.ClickComputer account, and clickNext.
5.ClickFinish, and then clickOK.
6.In the console tree, clickCertificates (Local Computer), and then clickPersonal.
7.Confirm that a CA certificate that has not expired exists in this store.
Confirm that a valid CA certificate exists in the AIA container
To confirm that a valid CA certificate exists in the AIA container:
1.ClickStart, point to Administrative Tools, and clickActive Directory Sites and Services.
2.Click Active Directory Sites and Services [domainname].
3.On theView menu, clickShow Services Node.
4.Double-clickServices, double-click Public Key Services, and clickAIA.
5.Confirm that a CA certificate that has not expired exists in the AIA container.
Validate the CA certificate chain
To validate a CA certificate chain:
1.Open a command prompt window.
2.Type certutil -urlfetch -verify on the CA certificate, and press ENTER.
3.Confirm that the AIA container and CRL distribution point network locations are available, that all certificates in the chain are valid and not revoked, and that valid CRLs are available.
4.If the AIA or CRL distribution point locations are not available, identify and resolve the problem that is preventing them from being accessed.
5.If any certificates in the chain have expired or been revoked, renew these certificates. If a CA certificate needs to be reissued, all certificates under this certificate in the chain will need to be reissued.
6.If a CRL for a CA in the chain has expired, generate new base and delta CRLs on this CA and copy them to the required locations.
7.If the CA is offline, you may need to restart it.
Check and publish CRLs
To check and, if necessary, publish new CRLs:
1.On the CA that is the source of the problem, check the current published CRL, which by default is created in the folder %windir%\System32\CertSrv\CertEnroll.
2.If the CRLs currently in this location have expired or are invalid, open a command prompt window, typecertutil -CRL and press ENTER to publish a new CRL.
1.On the computer hosting the CA, clickStart, point toAdministrative Tools, and selectCertification Authority.
2.In the console tree, click Revoked Certificates.
3.On theActionmenu, point toAll Tasks, and clickPublish.
4.SelectNew CRLto overwrite the previously published CRL, or selectDelta CRL only to publish a current delta CRL.
To create a CRL by using the Certutil command-line tool:
1.On the computer hosting the CA, clickStart, typecmd and press ENTER.
2.Type certutil -CRL and press ENTER.
To publish CRLs to AD DS by using the Certutil command-line tool:
1.Open a command prompt window.
2.Typecertutil -dspublish "" ldap:///CN=,CN=,CN=CDP,CN=Public Key Services,CN=Ser vices,CN=Configuration,DC=,DC=?certificateRevocationList?base?objectClass=cRLDistributionPoint and press ENTER.
Replace crlname.crl with the name of your CRL file, CA name and CA hostname with your CA name and the name of the host on which that CA runs, and contoso and com with the namespace of your Active Directory domain.
Reference LinksEvent ID 31 from Source CertificationAuthority

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.