
The certification authority startup event in the Security log always reports a usage count of zero for the signing key on a computer that is running Windows Server 2008 or Windows Server 2003



Symptoms

Consider the following scenario:
  • You have a computer that is running Windows Server 2008 or Windows Server 2003.
  • During certification authority setup, you set the EnableKeyCounting parameter to true by using the following entry in the Capolicy.inf file:
    EnableKeyCounting=1
  • You are using a cryptographic service provider (CSP) that supports key counting.
In this scenario, the CA startup event in the Security event log always reports a usage count of zero for the CA signing key.

For example, the startup events that are logged display the key count as follows.

Windows Server 2008

Event id: 4881
<Data Name="PrivateKeyUsageCount">0</Data>

Windows Server 2003

Event id: 784
Private Key Usage Count: 0
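
The following check is an added example, not part of the original article and not Microsoft code. It reads the usage count out of exported CA startup events in both formats shown above and reports whether every startup reported zero. The function names, the constructed sample events, and the min_events threshold are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, trimmed to the fields the article shows.
EVENT_4881 = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>4881</EventID></System>'
    '<EventData><Data Name="PrivateKeyUsageCount">{count}</Data></EventData>'
    '</Event>'
)
EVENT_784 = "Event id: 784\nPrivate Key Usage Count: {count}\n"

TEXT_COUNT = re.compile(r"Private Key Usage Count:\s*(\d+)")


def usage_count(event):
    """Return the signing-key usage count from one CA startup event, or None."""
    event = event.strip()
    if event.startswith("<"):
        # Windows Server 2008 (event 4881): exported event XML.
        try:
            root = ET.fromstring(event)
        except ET.ParseError:
            return None
        for node in root.iter():
            # Compare the local tag name so the event namespace does not matter.
            name = node.tag.rsplit("}", 1)[-1]
            if name == "Data" and node.get("Name") == "PrivateKeyUsageCount":
                text = (node.text or "").strip()
                return int(text) if text.isdigit() else None
        return None
    # Windows Server 2003 (event 784): plain-text event description.
    match = TEXT_COUNT.search(event)
    return int(match.group(1)) if match else None


def always_zero(events, min_events=2):
    """True when every startup event reports 0, the symptom in this article.

    min_events is an assumption: one zero reading does not show "always".
    """
    counts = [c for c in map(usage_count, events) if c is not None]
    return len(counts) >= min_events and all(c == 0 for c in counts)


if __name__ == "__main__":
    history = [EVENT_4881.format(count=0), EVENT_4881.format(count=0)]
    print("matches KB951721 symptom:", always_zero(history))
```

Run it over startup events collected across several service restarts; a count that stays at zero while the CA has been issuing certificates matches the symptom described here.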



Cause

This issue occurs because the certification authority service does not enable key counting on a key that is created after the CA is set up.



Resolution

To resolve this issue, create the key before you set up the certification authority. To do this on a computer that is running either Windows Server 2008 or Windows Server 2003, follow these steps:
  1. Create a private-public key pair, and then enable key counting by using either the tools that are provided by the CSP vendor or the Windows Cryptographic APIs.
  2. Install the CA by using the key that you created in step 1.

Windows Server 2003 only

On a computer that is running Windows Server 2003, you can also renew the CA certificate by using the new key after setup is complete. To do this, follow these steps:
  1. In the certification authority snap-in, right-click the CA_Name, click All Tasks, and then click Renew CA Certificate.
  2. Click Yes to stop the service.
  3. Click Yes to create the new private key, and then click OK.



References

For more information about how to use a Capolicy.inf file, visit the following Microsoft TechNet Web site:



Keywords: kbsetup, kbdigitalsignatures, kbdigitalcertificates, kbexpertiseadvanced, kbprb, kbtshoot, KB951721


Article Info
Article ID : 951721
Revision : 1
Created on : 4/28/2008
Published on : 4/28/2008