Share via


AD CS not configured for Revocation checking of all certificates

Recently the SCOM server (One of your best friends on the network) started reporting the error "AD CS not configured for Revocation checking of all certificates", SCOM reported Event 128 as a warning

Event 128 is normally reported when someone try to use Certificate Request with all time-valid CA certificates to request a certificate. However y default CA doesn't support such request and event 128 gets reported.

After checking this issue and consulting Microsoft tech support, this issue will normally occur only after renewal of CA certificate. When the CA certificate is renewed, the OCSP Response signing certificate used for validation of existing certificates must still be signed by the CA certificate that was used to issue the existing certificates and new CA certificate. However by default CA doesn't support the renewal of OCSP Response signing certificate by using a previous CA certificate.

This issue/behavior can be fixed as follows:

  1. From elevated CMD run the certutil -setreg ca\UseDefinedCACertInRequest 1
  2. Restart the CA services

This command will enable the CA support for certificate request signed by old certificate. If the OCSP is not renewed, you need to go ahead and renew it as per the following articles

http://blogs.technet.com/b/xdot509/archive/2013/06/06/operating-a-pki-ca-certificate-renewals-and-ocsp.aspx

http://technet.microsoft.com/en-us/library/cc770413(WS.10).aspx

For other PKI issues, please check http://itcalls.blogspot.com/