Enable debug level for the AD CS Certification Authority
The error messages an AD CS Certification Authority displays are often not very useful. Errors, for instance, when trying to start the Certificate Services are sometimes generic and make troubleshooting difficult.
One option to get additional information regarding the problem is to set the CA to debug level. This can be achieved running the following command:
certutil -setreg ca\debug 0xffffffe3
When restarted, a debug log file is written to %windir%\certsrv.log , with its content being something like:
========================================================================
Opened Log: 21.11.2023 00:23 38.237s
GMT + 1,00
certca.dll: 6.3:9600.17415 retail
certsrv.exe: 6.3:9600.21062 retail
503.1945.0:<2023/11/21, 0:23:38>: 0x0 (WIN32: 0)
508.1341.0:<2023/11/21, 0:23:38>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND): DBMaxReadSessionCount
513.17174.0:<2023/11/21, 0:23:38>: 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND): CAExchange
508.1734.0:<2023/11/21, 0:23:38>: 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)
437.625.0:<2023/11/21, 0:23:38>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): EnabledEKUForDefinedCACert
429.2691.0:<2023/11/21, 0:23:38>: 0x32 (WIN32: 50 ERROR_NOT_SUPPORTED): 00000005: SecErr: DSID-03152DB2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
805.1279.0:<2023/11/21, 0:23:38>: 0x32 (WIN32: 50 ERROR_NOT_SUPPORTED)
409.688.0:<2023/11/21, 0:23:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
409.339.0:<2023/11/21, 0:23:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
508.2025.0:<2023/11/21, 0:23:38>: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
437.625.0:<2023/11/21, 0:23:38>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): OfficerRights
437.625.0:<2023/11/21, 0:23:38>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): EnrollmentAgentRights
437.625.0:<2023/11/21, 0:23:38>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): RoleSeparationEnabled
CertSrv: Opening Database E:\CertLog\Denetarik Root CA.edb
CertSrv: Database open
420.385.0:<2023/11/21, 0:39:4>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
419.6336.0:<2023/11/21, 0:39:4>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
437.2132.0:<2023/11/21, 0:39:4>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
452.627.0:<2023/11/21, 0:39:4>: 0xc0000225 (NT: 0xc0000225 STATUS_NOT_FOUND): nCipher Security World Key Storage Provider
513.753.0:<2023/11/21, 0:39:4>: 0xc0000225 (NT: 0xc0000225 STATUS_NOT_FOUND)
Not to say the output is easy to follow, but troubleshooting can always do with a bit more information.
Once the relevant information has been collected on the debug file, the flag can be disabled running:
certutil -delreg ca\debug
Comments
Post a Comment