| Event Id | 42 |
| Source | Microsoft-Windows-CertificationAuthority |
| Description | A certificate chain could not be built for CA certificate %3 for %1. %2. |
| Event Information | authority (CA) certificate is accessible in order for certificate chain validation to take place. You can resolve problems associated with locating a valid CA certificate by confirming that: 1.A valid CA certificate is available on the computer hosting the CA. 2.A valid CA certificate exists in the AIA container. 3.The CA certificate chain can be validated. 4.If a certificate revocation list (CRL) for a CA in the chain has expired, a new CRL is generated. Note: To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority. Confirm that a valid CA certificate exists on the computer hosting the CA To confirm that a valid CA certificate is available on the computer hosting the CA: 1.ClickStart, typemmc, and then press ENTER. 2.If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then clickContinue. 3.On theFile menu, clickAdd/Remove Snap-in, clickCertificates, and then clickAdd. 4.Click Computer account, and clickNext.5.ClickFinish, and then clickOK. 6.In the console tree, clickCertificates (Local Computer), and then clickPersonal. 7.Confirm that a CA certificate that has not expired exists in this store. Confirm that a valid CA certificate exists in the AIA container To confirm that a valid CA certificate exists in the AIA container: 1.ClickStart, point toAdministrative Tools, and clickActive Directory Sites and Services. 2.Click Active Directory Sites and Services [domainname]. 3.On theView menu, clickShow Services Node. 4.Double-click Services,, double-click Public Key Services, and clickAIA. 5.Confirm that a CA certificate that has not expired exists in the AIA container. Validate the CA certificate chain To validate a CA certificate chain: 1.Open a command prompt window. 2.Typecertutil -urlfetch -verify on the CA certificate, and press ENTER. 3.Confirm that the AIA container and CRL distribution point network locations are available, that all certificates in the chain are valid and not revoked, and that valid CRLs are available. 4.If the AIA or CRL distribution point locations are not available, identify and resolve the problem that is preventing them from being accessed. 5.If any certificates in the chain have expired or been revoked, renew these certificates. If a CA certificate needs to be reissued, all certificates under this certificate in the chain will need to be reissued. 6.If a CRL for a CA in the chain has expired, generate new base and delta CRLs on this CA and copy them to the required locations. 7.If the CA is offline, you may need to restart it. Check and publish CRLs To check and, if necessary, publish new CRLs: 1.On the CA that is the source of the problem, check the current published CRL, which by default is created in the folder %windir%\System32\CertSrv\CertEnroll. 2.If the CRLs currently in this location have expired or are invalid, open a command prompt window, typecertutil -CRL and press ENTER to publish a new CRL. To generate new base and delta CRLs: 1.On the computer hosting the CA, clickStart, point toAdministrative Tools, and selectCertification Authority. 2.In the console tree, clickRevoked Certificates. 3.On theAction menu, point toAll Tasks, and click Publish. 4.Select New CRL to overwrite the previously published CRL, or selectDelta CRL only to publish a current delta CRL. To create a CRL by using the Certutil command-line tool: 1.On the computer hosting the CA, clickStart, type cmd and press ENTER. 2.Typecertutil -CRL and press ENTER. To publish CRLs to AD DS by using the Certutil command-line tool: 1.Open a command prompt window. 2.Type certutil -dspublish " Replace crlname.crl with the name of your CRL file, CA name and CA hostname with your CA name and the name of the host on which that CA runs, and contoso and com with the namespace of your Active Directory domain. |
| Reference Links | Event ID 42 from Source CertificationAuthority |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.