AD CS Certificate Request (Enrollment) Processing
Applies To: Windows Server 2008
One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.
Events
| Event ID | Source | Message |
|---|---|---|
| | Microsoft-Windows-CertificationAuthority | The certificate request failed. |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services denied request %1 because %2. The request was for %3. |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services was unable to build a new certificate or certificate chain: %1. |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. Additional information: %4 |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. The certificate would contain an encoded length that is potentially incompatible with older enrollment software. Submit a new request using different length input data for the following field: %4 |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services denied request %1 because %2. The request was for %3. Additional information: %4 |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services denied request %1. The request was for %2. |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services denied request %1. The request was for %2. Additional information: %3 |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services could not publish a certificate for request %1 to the following location: %2. %3.%5%6 |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services could not publish a certificate for request %1 to the following location on server %4: %2. %3.%5%6 |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services %1 will reduce the maximum lifetime of the issued certificate for request %2 because the lifetime of the CA certificate is shorter than the validity period set in the registry. Consider renewing the CA certificate or reducing the validity period in the registry. |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services could not delete a certificate for request %1 from the following location: %2. %3.%5%6 |
| | Microsoft-Windows-CertificationAuthority | Active Directory Certificate Services could not delete a certificate for request %1 from the following location on server %4: %2. %3.%5%6 |
| | Microsoft-Windows-CertificationAuthority | An Authority Key Identifier was passed as part of the certificate request %1. This feature has not been enabled. To enable a CA key to be specified for certificate signing, run: "certutil -setreg ca\UseDefinedCACertInRequest 1" and then restart the service. |
| | Microsoft-Windows-CertificationAuthority | The certification authority (CA) was unable to perform a decryption operation. This error can occur when an advanced encryption algorithm such as Advanced Encryption Standard (AES) is used and the CA has not been configured to use a CryptoAPI Next Generation (CNG) key storage provider. If this error occurred during certificate enrollment, check the certificate template to confirm that advanced encryption for key archival is not enabled. |