Active Directory Certificate Services won't start - error 100

3

I've migrated my Active Directory Certificate services Enterprise CA to a new server (and from Windows 2003 R2 x86 to Windows 2008 R2 x64). I have been having problems with checking the Certificate Revocation Lists, but I've republished the revocation lists from the Root CA and when I run certutil -urlfetch -verify I don't get any errors any more:

Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

But I still get the same errors when I try to start the CA. I get the following pop-up:

Microsoft Active Directory Certificate Services
---------------------------
The system cannot find the file specified. 0x2 (WIN32: 2)

The policy module for a CA is missing or incorrectly registered. To view or change
policy module settings, right-click on the CA, click Properties, and then click the
Policy Module tab.
---------------------------
OK   

and I get the following error in the log:

Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Date:          26/06/2012 15:59:45
Event ID:      100
Task Category: None
Level:         Error
Keywords:      Classic
User:          SYSTEM
Computer:      SRV112.cobbsch.cobbetts.co.uk
Description:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  Cobbetts LLP Enterprise CA The system cannot find the file specified. 0x80070002 (WIN32: 2).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
    <EventID Qualifiers="49754">100</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-06-26T14:59:45.000000000Z" />
    <EventRecordID>852</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>SRV112.cobbsch.cobbetts.co.uk</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="MSG_E_CA_CERT_INVALID">
    <Data Name="CACommonName">Cobbetts LLP Enterprise CA</Data>
    <Data Name="ErrorCode">The system cannot find the file specified. 0x80070002 (WIN32: 2)</Data>
  </EventData>
</Event>

Microsoft have documentation for this error: http://technet.microsoft.com/en-us/library/cc774550(v=ws.10).aspx

But the documentation just talks about the CA chain not verifying, which it now is.

I was wondering if it was some sort of a cached failure, or a cached copy of an incorrect CRL (I migrated the root CA earlier on and had to republish the CRL before certutil would verify properly), so I tried a reboot to flush out the caches.

That didn't change anything.

I've also tried running Certutil as SYSTEM to see if there was a permissions issue and that didn't solve the problem either.

[To run as system: run psexec -i -s cmd.exe from an elevated command prompt and it will launch a command prompt as system. You can run whoami to check.]

windows-server-2008-r2
ad-certificate-services
asked on Server Fault Jun 26, 2012 by Richard Gadsden

5 Answers

2

I resolved this issue with Microsoft support, but I didn't really understand what they did to resolve it.

Dug up the Microsoft support notes, in the hope these are useful to someone:

  1. We found that the CRLs in the CertEnroll folder needed to validate revocation status from the root CA were missing.
  2. We copied the CRL from the intermediate CA to the issuing sub-CA but still got the error.
  3. As per the debug team engineer, we removed and reinstalled the ADCS role, but it did not help.
  4. Finally we found that under the HKLM\system\CurrentControlSet\Services\Certsvc\Configuration registry key, CertHash had older values for expired certificates.
  5. Removed the older hash values, replaced them with minus (-) signs and started the Certificate service.
  6. Certificate Service started successfully.
answered on Server Fault Jul 29, 2012 by Richard Gadsden • edited Jan 24, 2014 by Richard Gadsden
2

I had the same error. I was using a Hardware Security Module from nCipher. ADCS wasn't able to access its private key. It seems that when the ADCS service starts, it runs some tests, among them a check of the private key. So I configured my HSM accordingly. Now it works!!!

answered on Server Fault Nov 7, 2012 by odi9
2

I recently did a 2003 to 2012 R2 migration and had the same exact issue you describe. The CA would restore and start fine until I imported the registry backup from the old CA.

After a call with Microsoft and several hours troubleshooting we came across the solution. I did not find this page during any of my googling but here it is:

Certificate Server Service does not start and you receive the error: The Data is invalid. 0xd (Win32:13) on a Windows 2003 based certificate authority

Basically there is an expired cert, or a cert missing its private key, in the CACertHash registry value. In my case it was an expired cert.

In order to resolve the issue

  1. Open the Certificates snap-in in MMC and select Computer account.

  2. Open the personal certificate store.

  3. Look for certificates that either display no private key icon or that have an expiration date that has passed.

  4. Open the certificate and take note of the thumbprint in the Details pane. You will need to match this up to the thumbprints present in your CACertHash registry value.

  5. Once you have your thumbprints, check the CACertHash registry value for the missing or expired cert thumbprint and replace that thumbprint value with the minus sign (-).

  6. Save the registry key and attempt to start the certificate authority.

This worked for me so hopefully someone else finds this helpful.

answered on Server Fault Mar 29, 2017 by Joe • edited Apr 1, 2017 by Esa Jokinen
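The registry check that the first answer (the Microsoft support notes) and the answer above both describe doing by hand, as an added PowerShell example that is not code from the thread or from Microsoft. It reads the CA's CACertHash value (a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>, one thumbprint per CA certificate generation), looks each thumbprint up in the machine Personal store, and reports entries that are missing, expired or have no private key. Assumptions: it is run in an elevated PowerShell on the CA itself, the CA name is taken from the Configuration\Active value, and nothing is written unless `$Apply` is set to `$true`.

```powershell
# Added example, not code from the thread. Audits the CA's CACertHash list against
# the machine Personal store and (optionally) retires entries the CA can no longer use.
# Assumptions: elevated PowerShell on the CA itself; $Apply = $false only reports.
$Apply = $false

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active      # CA common name, e.g. "Cobbetts LLP Enterprise CA"
$caKey  = Join-Path $cfg $caName

# CACertHash is REG_MULTI_SZ: one SHA-1 thumbprint per CA certificate generation,
# index 0 = original cert, highest index = the cert the CA signs with today.
# Entries are stored with spaces between bytes; "-" marks a retired generation.
$hashes = @((Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash)
$store  = Get-ChildItem Cert:\LocalMachine\My

$report = for ($i = 0; $i -lt $hashes.Count; $i++) {
    $h = ($hashes[$i] -replace '\s', '').ToUpperInvariant()
    if ($h -eq '-') {
        [pscustomobject]@{ Index = $i; Thumbprint = '-'; NotAfter = $null; Status = 'already retired' }
        continue
    }
    $cert   = $store | Where-Object { $_.Thumbprint -eq $h }
    $status = if (-not $cert)                        { 'missing from store' }
              elseif (-not $cert.HasPrivateKey)      { 'no private key' }
              elseif ($cert.NotAfter -lt (Get-Date)) { 'expired' }
              else                                   { 'ok' }
    [pscustomobject]@{ Index = $i; Thumbprint = $h; NotAfter = $cert.NotAfter; Status = $status }
}
$report | Format-Table -AutoSize

# Retire only older generations that are unusable. The current generation (highest index)
# is deliberately never touched: a missing key on the live cert is a key-access problem
# (as in the HSM answer), not a stale hash, and blanking it would not fix anything.
$retire = $report | Where-Object {
    ($_.Status -in @('missing from store', 'no private key', 'expired')) -and ($_.Index -ne ($hashes.Count - 1))
}
if ($retire -and $Apply) {
    # Back up the whole Configuration tree first; the edit is a plain multi-string write.
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$env:TEMP\certsvc-config-before.reg" /y | Out-Null
    $new = [string[]]$hashes.Clone()
    foreach ($r in $retire) { $new[$r.Index] = '-' }
    Set-ItemProperty -Path $caKey -Name CACertHash -Value $new -Type MultiString
    Start-Service CertSvc
    certutil -verifykeys    # confirms the CA's public key still matches an accessible private key
}
```

Run it once with `$Apply = $false` and read the table before changing anything. An entry reported as "missing from store" after a migration usually means the older CA certificate (and key) was not restored to the new machine, which is worth fixing by importing it rather than by retiring the entry; retiring a generation with "-" also means the CA will no longer sign CRLs for certificates issued under that generation, which is only harmless once they have all expired. `certutil -getreg ca\CACertHash` shows the same list in certutil's own format if you prefer to check by hand.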
0

This error can occur if you changed the OS SKU, e.g. went from 2003 Enterprise to 2008 R2 Standard edition. You don't mention the SKU along with the OS details.

Assuming that was not the case, then to troubleshoot this you will need to gather the following

  1. a procmon (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) of the service startup along with
  2. a registry dump HKLM\system\currentcontrolset\certsvc and
  3. a certsvc debug log. "certutil -setreg ca\debug 0xffffffe3" will enable the debug log in %SystemRoot%\Certsrv.log

Enable the debug log, start Procmon and attempt to start the service. Stop Procmon when service startup fails.

If you share them out somewhere, I can have a look.

answered on Server Fault Jul 21, 2012 by maweeras
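The collection routine the answer above asks for, as an added PowerShell example that is not code from the thread: it exports the CertSvc registry tree, turns on the certsvc debug log with the value given in the answer, wraps one service start attempt in a Process Monitor capture, then copies the debug log and the Event ID 100 entries next to the trace and restores the previous debug setting. Assumptions: elevated PowerShell on the CA, Procmon.exe at the path in `$procmon`, and output under C:\Temp; both paths are placeholders.

```powershell
# Added example, not code from the thread. Collects the three artefacts the answer asks for:
# the CertSvc registry dump, the certsvc debug log, and a Process Monitor trace of the failed start.
# Assumptions: elevated PowerShell on the CA; Procmon.exe at the path below; output under C:\Temp.
$out     = 'C:\Temp\certsvc-diag'
$procmon = 'C:\Tools\Procmon.exe'                         # assumed location of Sysinternals Process Monitor
$cfgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Registry dump of the whole CertSvc tree (this includes Configuration\<CA>\CSP and CACertHash)
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc' "$out\certsvc.reg" /y | Out-Null

# 2. Debug log. Remember the previous Debug value (if any) so it can be put back afterwards;
#    certutil -setreg ca\debug writes Configuration\<CA>\Debug and the log goes to %SystemRoot%\Certsrv.log.
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$prev   = (Get-ItemProperty -Path (Join-Path $cfgKey $caName) -Name Debug -ErrorAction SilentlyContinue).Debug
certutil -setreg ca\debug 0xffffffe3 | Out-Null
Remove-Item "$env:SystemRoot\Certsrv.log" -ErrorAction SilentlyContinue    # start from an empty log

# 3. Procmon around the start attempt. /BackingFile writes straight to disk; a second
#    instance started with /Terminate stops the running capture.
Start-Process $procmon -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$out\certsvc-start.pml`""
Start-Sleep -Seconds 5
try   { Start-Service CertSvc -ErrorAction Stop; Write-Host 'CertSvc started' }
catch { Write-Warning "CertSvc failed to start: $($_.Exception.Message)" }
Start-Process $procmon -ArgumentList '/Terminate' -Wait

# 4. Copy the debug log and the most recent Event ID 100 entries next to the trace
Copy-Item "$env:SystemRoot\Certsrv.log" $out -ErrorAction SilentlyContinue
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'; Id = 100 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List | Out-File "$out\event-100.txt"

# 5. Restore the previous debug setting so the CA does not keep writing a verbose log
if ($null -ne $prev) { certutil -setreg ca\debug $prev | Out-Null } else { certutil -delreg ca\debug | Out-Null }
```

The .pml trace is the file to filter on `certsrv.exe` in Procmon's UI; a NAME NOT FOUND on a key or CRL path during startup is what the 0x80070002 "file not found" in the question would look like there. The registry export is a plain text file, so the CertHash entries can be reviewed directly before anything is shared.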
0

I ran into a similar issue with a subordinate CA that was upgraded from Windows 2008 R2 to 2012 R2. Fortunately I had just built a new root CA with Server 2012 R2 that I could match registry settings against. It turned out that some values in the HKLM\system\CurrentControlSet\Services\CertSvc\Configuration\CSP key of the upgraded computer didn't match those on the 2012 R2 computer. Specifically, "CNGPublicKeyAlgorithm = RSA" was missing, "Provider" needed to be changed to "Microsoft Software Key Storage Provider" and "ProviderType" needed to be changed from 1 to 0. After making those changes, Certificate Services was able to start without error.

answered on Server Fault Nov 12, 2015 by brandon

User contributions licensed under CC BY-SA 3.0