Microsoft KB Archive/822626

= "Certificate Services did not start" message appears in the Event log even though the Certificate Services component starts successfully =

Article ID: 822626

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 4






SYMPTOMS
On a Windows 2000 Service Pack 4 (SP4)-based server, you may notice events that are similar to the following in the application log of Event Viewer:

Event 1
Event Type: Information

Event Source: CertSvc

Event Category: None

Event ID: 42

Date:

Time:

User: N/A

Computer:

Description: Certificate Services did not start: Could not build CA certificate chain for. A certificate chain processed correctly, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487).

Event 2
Event Type: Information

Event Source: CertSvc

Event Category: None

Event ID: 58

Date:

Time:

User: N/A

Computer:

Description: Certificate Services did not start: A certificate in the CA certificate chain for  has expired. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).

Event 3
Event Type: Warning

Event Source: CertSvc

Event Category: None

Event ID: 51

Date:

Time:

User: N/A

Computer:

Description: Certificate Services did not start: A certificate in the CA certificate chain for  has been revoked. 0x800B010C (-2146762484).

Event 4
Event Type: Information

Event Source: CertSvc

Event Category: None

Event ID: 26

Date:

Time:

User: N/A

Computer:

Description: Certificate Services for  was started.

The Certificate Services component starts successfully, but you do not expect it to start because some of these events contain the following message in the "Description" section:

Certificate Services did not start.



CAUSE
This behavior occurs because of changes to Certificate Services event logging that are introduced in Windows 2000 SP4.

In earlier versions of Windows 2000, no events are logged during the certification authority (CA) certificate chain-verification process. However, the HRESULT value and the event log Message ID (if any error is detected) for the current CA certificate chain are returned to a section of top-level code in Windows. If the top-level code detects that the current CA certificate is not valid, the returned event is logged, and it specifies the certificate problem together with the "Certificate Services did not start" message. The Certificate Services component does not start.

In Windows 2000 Server SP4, a specific event is logged for each invalid CA certificate chain during the CA certificate chain-verification process. The event messages that are used are the same as those that are used in Windows 2000 Service Pack 3 (SP3) when Certificate Services does not start successfully. However, if the current CA certificate chain is valid, Certificate Services starts successfully, even though events are logged for the invalid certificate chain (or chains).

In this scenario, the message text for the logged events is misleading. The "Certificate Services did not start" message in the "Description" section of the logged event appears because the same event text from the earlier versions of Windows 2000 is used. This message does not indicate a problem with the current certificate.

Note: Although the specific message text that is associated with the logged events is also present in earlier versions of Windows 2000, this message is not displayed unless the current CA certificate chain is not valid.

Note: The information in this article does not apply when the CA certificate is no longer valid.



WORKAROUND
To work around this problem, ignore the "Certificate Services did not start" portion of the event description for events that are logged during the CA certificate chain-verification process.
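
One way to apply this workaround when triaging exported CertSvc events, as an added example that is not part of the Microsoft article: it labels each chain-verification event by whether event 26 ("was started") follows it. It assumes a text export with blank-line-separated records in the field layout shown under SYMPTOMS and that event 26 is logged after the chain-verification events of the same startup; `EXAMPLE-CA` and the sample records are constructed.

```python
import re

CHAIN_EVENT_IDS = {42, 58, 51}  # events the article shows with "did not start"
STARTED_EVENT_ID = 26           # "Certificate Services for ... was started."
HRESULT_RE = re.compile(r"0x[0-9A-Fa-f]{8}")

# Constructed sample export (EXAMPLE-CA is a placeholder CA name): the first
# startup succeeds despite an expired older chain, the second has no event 26.
SAMPLE_EXPORT = """\
Event Source: CertSvc
Event ID: 58
Description: Certificate Services did not start: A certificate in the CA certificate chain for EXAMPLE-CA has expired. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).

Event Source: CertSvc
Event ID: 26
Description: Certificate Services for EXAMPLE-CA was started.

Event Source: CertSvc
Event ID: 51
Description: Certificate Services did not start: A certificate in the CA certificate chain for EXAMPLE-CA has been revoked. 0x800B010C (-2146762484).
"""


def parse_records(text):
    """Split a text export into dicts, one per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if fields.get("Event Source") == "CertSvc" and fields.get("Event ID", "").isdigit():
            records.append(fields)
    return records


def triage(records):
    """Label each chain-verification event by whether event 26 follows it."""
    results, pending = [], []
    for rec in records:
        event_id = int(rec["Event ID"])
        if event_id in CHAIN_EVENT_IDS:
            match = HRESULT_RE.search(rec.get("Description", ""))
            pending.append((event_id, match.group(0).lower() if match else None))
        elif event_id == STARTED_EVENT_ID:
            # The service came up, so the "did not start" text on the pending
            # events does not describe the current CA certificate chain.
            results += [(eid, hr, "service-started") for eid, hr in pending]
            pending = []
    # No event 26 afterwards: the workaround does not apply; investigate.
    results += [(eid, hr, "no-start-event") for eid, hr in pending]
    return results
```

Events labelled `no-start-event` fall under the article's note that it does not apply when the CA certificate is no longer valid, so they should not be suppressed.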



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

