"Certificate Services did not start" message appears in the Event log even though the Certificate Services component starts successfully


On a Windows 2000 Service Pack 4 (SP4)-based server, you may notice events that are similar to the following in the application log of Event Viewer:

Event 1

Event 2

Event 3

Event 4

The Certificate Services component starts successfully, but you do not expect it to start because some of these events contain the following message in the "Description" section:
Certificate Services did not start.


This behavior occurs because of changes to Certificate Services event logging that are introduced in Windows 2000 SP4.

In earlier versions of Windows 2000, no events are logged during the certification authority (CA) certificate chain-verification process. However, the HRESULT value and the event log Message ID (if any error is detected) for the current CA certificate chain are returned to a section of top-level code in Windows. If the top-level code detects that the current CA certificate is not valid, the returned event is logged, and it specifies the certificate problem together with the "Certificate Services did not start" message. The Certificate Services component does not start.

In Windows 2000 Server SP4, a specific event is logged for each invalid CA certificate chain during the CA certificate chain-verification process. The event messages that are used are the same as those that are used in Windows 2000 Service Pack 3 (SP3) when Certificate Services does not start successfully. However, if the current CA certificate chain is valid, Certificate Services starts successfully, even though events are logged for the invalid certificate chain (or chains).

In this scenario, the message text for the logged events is misleading. The "Certificate Services did not start" message in the "Description" section of the logged event appears because the same event text from the earlier versions of Windows 2000 is used. This message does not indicate a problem with the current certificate.

Note: Although the specific message text that is associated with the logged events is also present in earlier versions of Windows 2000, this message is not displayed unless the current CA certificate chain is not valid.

Note: The information in this article does not apply when the CA certificate is no longer valid.


To work around this problem, ignore the "Certificate Services did not start" portion of the event description for events that are logged during the CA certificate chain-verification process.
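The following is an added example, not Microsoft code: a simplified Python model of the two logging behaviors described above, plus a triage step that applies the workaround by trusting the service state rather than the message text. The chain labels, problem strings, and function names are constructed for illustration; only the "Certificate Services did not start." text comes from this article.

```python
from dataclasses import dataclass

# Message text quoted in this article; everything else here is constructed.
DID_NOT_START = "Certificate Services did not start."

@dataclass
class CaChain:
    name: str          # constructed label for a CA certificate
    valid: bool        # outcome of chain verification
    problem: str = ""  # constructed description of the failure

def start_service(chains, sp4):
    """Model startup; chains[-1] is the current CA certificate chain.
    Returns (service_started, logged_event_descriptions)."""
    current = chains[-1]
    if sp4:
        # SP4: one event per invalid chain, reusing the older message text.
        checked = chains
    else:
        # Earlier versions: only the top-level code logs, for the current chain.
        checked = [current]
    events = [f"{c.name}: {c.problem} {DID_NOT_START}"
              for c in checked if not c.valid]
    return current.valid, events

def triage(service_started, events):
    """Apply the workaround: trust the service state, not the message text."""
    verdict = ("ignore 'did not start' text" if service_started
               else "real startup failure")
    return [(e, verdict) for e in events]

# Constructed scenario: a renewed CA whose older certificate chain is invalid.
RENEWED_CA = [CaChain("CA cert 0", False, "certificate expired."),
              CaChain("CA cert 1 (current)", True)]
# Constructed scenario: the current CA certificate chain itself is invalid.
BROKEN_CA = [CaChain("CA cert 0", False, "certificate expired."),
             CaChain("CA cert 1 (current)", False, "certificate revoked.")]

if __name__ == "__main__":
    for label, chains in (("renewed", RENEWED_CA), ("broken", BROKEN_CA)):
        for sp4 in (False, True):
            started, events = start_service(chains, sp4)
            print(label, "SP4" if sp4 else "pre-SP4", "started:", started)
            for event, verdict in triage(started, events):
                print("   ", event, "->", verdict)
```

Even when the "did not start" text can be ignored, the rest of the event description still identifies an invalid CA certificate chain.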


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


