| Event Id | 99 |
| Source | Microsoft-Windows-CertificationAuthority |
| Description | Active Directory Certificate Services could not create cross certificate %1 to certify its own root certificates. %2. %3. |
| Event Information | According to Microsoft : Cause This event is logged Active Directory Certificate Services could not create cross certificate to certify its own root certificates. Resolution Create a missing cross-CA certificate When a root certification authority (CA) certificate is renewed with a new key, the CA automatically generates cross-certificates between the old and new CA certificates. If a cryptographic failure occurred while the cross-certificate was being signed, you may be able to resolve the issue by correcting the extension conflict. Otherwise, enable CryptoAPI 2.0 Diagnostics to gather additional troubleshooting information. To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority. 1.Resolve an extension conflict To resolve an extension conflict: 1.Click Start, type mmc, and then press ENTER. 2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 3.On the 4.Click Computer account, and then click Next. 5.Select the computer hosting the CA, click Finish, and then click OK. 6.Click the Details tab, and click Show: Extensions only. 7.Double-click the previous CA certificate, and view the configured extensions for this certificate. 8.Compare the extensions in the latest CA certificate to the extensions in the previous CA certificate. 9.Correct any mismatch between extensions by reconfiguring the certificate request and submitting a new certificate request. Enable CryptoAPI 2.0 Diagnostics 2.To enable CryptoAPI 2.0 Diagnostics: 1.On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer. 2.In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2. 3.Right-click Operational, and click Enable Log. 4.Click Start, point to Administrative Tools, and click Services. 5.Right-click Active Directory Certificate Services, and click Restart. 6.Look for any CA certificate verification or chaining errors. Resolve any errors, and then restart the CA again. If the the extensions are correct and CA certificate verification and chaining are correct, the missing cross-CA certificates should be generated automatically when the CA restarts. Verify To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority. To verify that the certification authority (CA) is able to create a cross-certificate to certify its own certificate during CA certificate renewal: 1.On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority. 2.In the console tree, click the name of the CA. 3.On the Action menu, point to All Tasks, and click Renew CA Certificate to start the Certificate Renewal Wizard. 4.Open the Certificates snap-in on the computer, and double-click the CA certificate. 6.Double-click the previous CA certificate, and view the configured extensions for this certificate. 7.Compare the extensions in the latest CA certificate to the extensions in the previous CA certificate to confirm that they match. |
| Reference Links | Event ID 99 from Source Microsoft-Windows-CertificationAuthority |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.