The certification authority startup event in the Security log always reports a usage count of zero for the signing key on a computer that is running Windows Server 2008 or Windows Server 2003

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
Consider the following scenario:
  • You have a computer that is running Windows Server 2008 or Windows Server 2003.
  • During certification authority setup, you set the EnableKeyCounting parameter to true by using the following entry in the Capolicy.inf file:
    EnableKeyCounting=1
  • You are using a cryptographic service provider (CSP) that supports key counting.
In this scenario, the CA startup event in the Security event log always reports a usage count of zero for the CA signing key.

For example, the startup events that are logged display the key count as follows.

Windows Server 2008

Event id: 4881
<Data Name="PrivateKeyUsageCount">0</Data>

Windows Server 2003

Event id: 784
Private Key Usage Count: 0
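The following PowerShell script is an added example, not part of this article: it pulls the CA startup events shown above from the Security log and flags any whose reported usage count is zero, which is a quick way to confirm whether key counting is actually in effect on a CA. It assumes it runs on the CA host with rights to read the Security log; the Get-WinEvent branch needs Windows Server 2008 (PowerShell 2.0), while the Windows Server 2003 branch assumes PowerShell has been installed there and parses the message text of event 784 instead.

```powershell
# Added example (not from the KB article): report PrivateKeyUsageCount from CA startup
# events and flag the zero-count condition described in SYMPTOMS.
param(
    [int]$MaxEvents = 25   # how many startup events to inspect, newest first
)

function Get-CAKeyUsageCount {
    param([int]$MaxEvents = 25)

    $results = @()
    $isVistaOrLater = [Environment]::OSVersion.Version.Major -ge 6

    if ($isVistaOrLater) {
        # Windows Server 2008: event 4881 carries the count as an EventData field,
        # <Data Name="PrivateKeyUsageCount">...</Data>, so read it from the event XML.
        $new = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4881 } `
                   -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        foreach ($e in $new) {
            [xml]$x = $e.ToXml()
            $field = $x.Event.EventData.Data | Where-Object { $_.Name -eq 'PrivateKeyUsageCount' }
            $count = $null
            if ($field) { $count = [int]$field.'#text' }
            $results += New-Object PSObject -Property @{
                TimeCreated = $e.TimeCreated
                EventId     = 4881
                UsageCount  = $count
            }
        }
    }
    else {
        # Windows Server 2003: event 784 only carries the count in its message text
        # ("Private Key Usage Count: N"), so extract it with a regular expression.
        $old = Get-EventLog -LogName Security -Newest 5000 -ErrorAction SilentlyContinue |
               Where-Object { $_.EventID -eq 784 } | Select-Object -First $MaxEvents
        foreach ($e in $old) {
            $count = $null
            if ($e.Message -match 'Private Key Usage Count:\s*(\d+)') { $count = [int]$matches[1] }
            $results += New-Object PSObject -Property @{
                TimeCreated = $e.TimeGenerated
                EventId     = 784
                UsageCount  = $count
            }
        }
    }

    return $results
}

# Print one line per startup event; a zero count means the signing key is not being counted.
Get-CAKeyUsageCount -MaxEvents $MaxEvents | ForEach-Object {
    if ($_.UsageCount -eq $null) {
        $status = 'count field missing'
    }
    elseif ($_.UsageCount -eq 0) {
        $status = 'WARNING: usage count is zero (key counting not in effect for this key)'
    }
    else {
        $status = 'OK'
    }
    '{0}  Event {1}  PrivateKeyUsageCount={2}  {3}' -f $_.TimeCreated, $_.EventId, $_.UsageCount, $status
}
```

Run it before and after applying the steps in RESOLUTION: a CA whose key was created and counting-enabled before setup should log a non-zero count at startup, while a key created by the setup wizard will keep reporting zero regardless of the EnableKeyCounting setting in Capolicy.inf.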

CAUSE
This issue occurs because the certification authority service does not enable key counting on a key that is created after the CA is set up.
RESOLUTION
To resolve this issue, create the key before you set up the certification authority. To do this on a computer that is running either Windows Server 2008 or Windows Server 2003, follow these steps:
  1. Create a private-public key pair, and then enable key counting by using the tools that are provided by the CSP vendor. Or, use Windows Cryptographic APIs.
  2. Install the CA by using the key that you created in step 1.

Windows Server 2003 only

On a computer that is running Windows Server 2003, you can also renew the CA certificate by using the new key after setup is complete. To do this, follow these steps:
  1. In the certification authority snap-in, right-click the CA_Name, click All Tasks, and then click Renew CA Certificate.
  2. Click Yes to stop the service.
  3. Click Yes to create the new private key, and then click OK.
REFERENCES
For more information about how to use a Capolicy.inf file, visit the following Microsoft TechNet Web site:
crypto
Properties

Article ID: 951721 - Last Review: 01/15/2015 18:56:01 - Revision: 1.0

  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • kbnosurvey kbarchive kbsetup kbdigitalsignatures kbdigitalcertificates kbexpertiseadvanced kbprb kbtshoot KB951721