The certification authority startup event in the Security log always reports a usage count of zero for the signing key on a computer that is running Windows Server 2008 or Windows Server 2003

Article ID: 951721

SYMPTOMS

Consider the following scenario:
  • You have a computer that is running Windows Server 2008 or Windows Server 2003.
  • During certification authority setup, you set the EnableKeyCounting parameter to true by using the following entry in the Capolicy.inf file:
    EnableKeyCounting=1
  • You are using a cryptographic service provider (CSP) that supports key counting.
In this scenario, the CA startup event in the Security event log always reports a usage count of zero for the CA signing key.

For example, the startup events that are logged display the key count as follows.

Windows Server 2008

Event id: 4881
<Data Name="PrivateKeyUsageCount">0</Data>

Windows Server 2003

Event id: 784
Private Key Usage Count: 0

CAUSE

This issue occurs because the certification authority service does not enable key counting on a key that is created after the CA is set up.

RESOLUTION

To resolve this issue, create the key before you set up the certification authority. To do this on a computer that is running either Windows Server 2008 or Windows Server 2003, follow these steps:
  1. Create a private-public key pair, and then enable key counting by using the tools that are provided by the CSP vendor. Alternatively, use the Windows Cryptographic APIs.
  2. Install the CA by using the key that you created in step 1.
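
To confirm the result on Windows Server 2008, the following added example (not part of the original article and not Microsoft-supplied code) reads the PrivateKeyUsageCount field from event 4881 records and reports whether every CA startup shows zero. The function names and the sample events are constructed for illustration; it assumes that Get-WinEvent is available, that the session is elevated, and that the CA has signed certificates between restarts.

```powershell
# Added example: extract PrivateKeyUsageCount from CA startup events (ID 4881).
function Get-CaKeyUsageCount {
    param([Parameter(Mandatory = $true)][string[]]$EventXml)  # one XML string per event
    foreach ($raw in $EventXml) {
        $doc  = [xml]$raw
        $node = $doc.Event.EventData.Data |
                Where-Object { $_.Name -eq 'PrivateKeyUsageCount' }
        if (-not $node) { continue }          # field missing: skip this record
        New-Object PSObject -Property @{
            TimeCreated = $doc.Event.System.TimeCreated.SystemTime
            UsageCount  = [long]$node.'#text'
        }
    }
}

# Summarize all startup events: 'AlwaysZero' matches the symptom in this article.
function Test-CaKeyCounting {
    param([string[]]$EventXml)
    $samples = @(Get-CaKeyUsageCount -EventXml $EventXml)
    if ($samples.Count -eq 0) { return 'NoStartupEvents' }
    $max = ($samples | Measure-Object -Property UsageCount -Maximum).Maximum
    if ($max -eq 0) { 'AlwaysZero' } else { 'Counting' }
}

# Constructed sample events, trimmed to the fields used here (not real log data).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$template = '<Event xmlns="{0}"><System><EventID>4881</EventID>' +
            '<TimeCreated SystemTime="{1}"/></System><EventData>' +
            '<Data Name="PrivateKeyUsageCount">{2}</Data></EventData></Event>'
$broken  = @(($template -f $ns, '2008-04-01T08:00:00Z', 0),
             ($template -f $ns, '2008-04-15T08:00:00Z', 0))
$working = @(($template -f $ns, '2008-04-01T08:00:00Z', 0),
             ($template -f $ns, '2008-04-15T08:00:00Z', 37))

Test-CaKeyCounting -EventXml $broken     # AlwaysZero
Test-CaKeyCounting -EventXml $working    # Counting

# On the CA itself, feed the live Security log instead of the samples:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4881 } |
#         ForEach-Object { $_.ToXml() }
# Test-CaKeyCounting -EventXml $live
```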

Windows Server 2003 only

On a computer that is running Windows Server 2003, you can also renew the CA certificate by using the new key after setup is complete. To do this, follow these steps:
  1. In the certification authority snap-in, right-click the CA_Name, click All Tasks, and then click Renew CA Certificate.
  2. Click Yes to stop the service.
  3. Click Yes to create the new private key, and then click OK.

REFERENCES

For more information about how to use a Capolicy.inf file, visit the following Microsoft TechNet Web site:
http://technet2.microsoft.com/windowsserver/en/library/25127c1f-4880-4764-85e8-226ce41588881033.mspx?mfr=true

Properties

Article ID: 951721 - Last Review: April 28, 2008 - Revision: 1.0
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Keywords: 
kbsetup kbdigitalsignatures kbdigitalcertificates kbexpertiseadvanced kbprb kbtshoot KB951721
