I need to develop operational procedures to audit and understand why a specific request was rejected by an Active Directory Certificate Services (ADCS) Policy Module.
I've attempted turning on all logging (checkboxes) in the GUI and checked the Event Log. I only see one event log entry per failed request; however, I don't have a clear way of determining what caused it to fail. An example of a failure is below:
Active Directory Certificate Services denied request 4 because The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE). The request was for CN=Issue01a, CN=Bits.com, OU=For email security, O=Bits LLC, C=US. Additional information: Denied by Policy Module
The above example is a sub-CA that intentionally had a validity period that would extend beyond the validity of the parent CA.
I'm hoping to derive that reason from the error code above, or some other location.
What I've done: Searching for the error "2146877435" in Google results in this very post being pulled up. None of the results on the first few pages are a list of error codes and reasons.
This link describes how to extract more logging from the certificate service. A restart may be required.
To enable debug logging for the native Windows CertEnroll client, execute the following command:
certutil -setreg enroll\debug 0xffffffe3
The log file is in the following location: %windir%\CertEnroll.log

To enable debug logging for the certification authority itself, execute the following command:
certutil -setreg ca\debug 0xffffffe3
The log file is in the following location: %windir%\certsrv.log
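The two certutil commands above carried through as a complete triage procedure in PowerShell, from decoding the HRESULT in the event text to reading the policy module's decision out of certsrv.log and switching the verbose log off again. This is an added example, not part of the original question or answer and not Microsoft's documentation. It assumes an elevated PowerShell session on the CA host, that the CA service is named CertSvc, that denied requests are written to the Application log as event ID 53 under the provider Microsoft-Windows-CertificationAuthority, and it takes the request ID (4) and HRESULT (0x80094005) from the event quoted in the question. The certsrv.log line format and the request file path are assumptions as well.

```powershell
# Added example (not from the original post): triage of a request that the
# ADCS policy module denied. Assumes an elevated session on the CA host, the
# service name CertSvc, and the request ID / HRESULT from the quoted event.
param(
    [int]$RequestId     = 4,                           # request from the event above
    [int]$HResult       = 0x80094005,                  # CERTSRV_E_INVALID_CA_CERTIFICATE
    [string]$CaDebugLog = "$env:windir\certsrv.log"    # path named in the answer
)

# --- 1. Decode the HRESULT without leaving the console -------------------
# certutil -error accepts hex or signed decimal and prints the symbolic name
# and the message text, which is the "list of error codes" the question wanted.
certutil -error ("0x{0:X8}" -f $HResult)

# Split the value into its HRESULT fields so the same step works for any
# CERTSRV_E_* code: bit 31 = failure, bits 16-28 = facility, bits 0-15 = code.
# PowerShell parses 0x80094005 as a signed Int32, which is why the event shows
# the same number as -2146877435.
$failure  = (($HResult -shr 31) -band 1) -eq 1
$facility = ($HResult -shr 16) -band 0x1FFF
$code     = $HResult -band 0xFFFF
"HRESULT 0x{0:X8}  failure={1}  facility={2}  code=0x{3:X4}  signed={4}" -f `
    $HResult, $failure, $facility, $code, $HResult

# --- 2. Pull the denial event for this request from the Application log ----
# Event ID 53 and the provider name are assumptions; adjust them if your CA
# logs denied requests differently.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 53
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "denied request $RequestId\b" } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# --- 3. Turn on CA debug logging, restart, and resubmit -------------------
# The registry value is read at service start, hence the restart.
certutil -setreg ca\debug 0xffffffe3
Restart-Service -Name CertSvc

# Resubmit the failing request so the policy module's decision is written to
# certsrv.log (request path and CA config string are placeholders):
# certreq -submit -config "$env:COMPUTERNAME\<CA name>" C:\requests\issue01a.req

# --- 4. Read back the policy module's reasoning -----------------------------
# The exact certsrv.log line format is not documented on this page, so search
# for the error code in both forms and for the word "policy", with context.
$pattern = '(?i)80094005|2146877435|policy'
Select-String -Path $CaDebugLog -Pattern $pattern -Context 3, 3 |
    Select-Object -Last 20

# --- 5. Switch the verbose log off again -----------------------------------
# 0xffffffe3 is chatty and the log grows on every request; remove the value
# to restore the default once the cause is understood.
certutil -delreg ca\debug
Restart-Service -Name CertSvc
```

Run it once with the defaults to see the decoded error, then leave the debug flag on only for as long as it takes to reproduce the one denial: the log carries request subjects and template details, so treat it as sensitive and delete it when the investigation is closed.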