Problematic Active Directory CA certificate

1

I came across one DC which gives me RPC errors when dealing with AD Certificate Services. I can see in AD there are 2 Root CAs, one is problematic. Is it safe to remove it? Or is there a procedure for this?

Windows Server 2012 R2

Event "Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. company-PCZDC-CA Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)."

C:\Windows\system32>certutil -repairstore my "a5 89 64 42 4b 8e 36 96 75 98 ce 66 64 e8 de 78 dd f1 5b a6"
my "Personal"
================ Certificate 3 ================
Serial Number: 17ae4091a11c7e8e4dc3ed3fc72db75b
Issuer: CN=company-PCZDC-CA, DC=company, DC=komp
NotBefore: 10/4/2009 12:02 PM
NotAfter: 10/4/2019 12:12 PM
Subject: CN=company-PCZDC-CA, DC=company, DC=komp
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): a5 89 64 42 4b 8e 36 96 75 98 ce 66 64 e8 de 78 dd f1 5b a6
Key Container = company-PCZDC-CA
Provider = Microsoft Software Key Storage Provider
Missing stored keyset
Encryption test passed
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808 NTE_PERM)
CertUtil: Access denied.

C:\Windows\system32>certutil -repairstore my "ba e3 ba 4c 08 d2 ed 60 08 3f 6e fe 41 18 b6 3e bd ab c8 d5"
my "Personal"
================ Certificate 2 ================
Serial Number: 485fd8c5f3feeb8a4e64ecd16a2dbd23
Issuer: CN=company-PCZDC-CA, DC=company, DC=komp
NotBefore: 2/6/2013 10:42 AM
NotAfter: 2/6/2023 10:52 AM
Subject: CN=company-PCZDC-CA, DC=company, DC=komp
Certificate Template Name (Certificate Type): CA
CA Version: V1.1
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): ba e3 ba 4c 08 d2 ed 60 08 3f 6e fe 41 18 b6 3e bd ab c8 d5
Key Container = company-PCZDC-CA(1)
Unique container name: c73ffc950df279cee4509962d72c6d8b_725e2e58-6d5c-4cfd-bef2-9c66eb03b047
Provider = Microsoft Software Key Storage Provider
Private key is NOT plain text exportable
Signature test passed
CertUtil: -repairstore command completed successfully.

C:\Windows\system32>

active-directory
windows-server-2012-r2
ad-certificate-services
asked on Server Fault Jan 26, 2015 by user122348 • edited Sep 28, 2016 by dmourati

1 Answer

-1

First, I followed this: http://blogs.msdn.com/b/kaushal/archive/2012/10/07/error-hresult-0x80070520-when-adding-ssl-binding-in-iis.aspx

Then this, from https://technet.microsoft.com/en-us/library/cc759048(v=ws.10).aspx:

certutil -addstore my certnew.cer
certutil -repairstore my "thumbprint"

answered on Server Fault Nov 6, 2015 by user320754
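The question shows two CA certificates for the same CA name, one whose key container is gone ("Missing stored keyset") and one whose key is fine, and the answer's fix is to re-add the certificate and run certutil -repairstore against it. Before doing either, a practitioner wants to know which certificate the CA service is actually configured to load and which of them still has a key container behind it. The following PowerShell script is an added example, not code from the question or the answer. It assumes it runs in an elevated prompt on the CA host itself, that the CA's keys live in the Microsoft Software Key Storage Provider (a CNG provider, as the certutil output above shows), and that the CA's configured certificate hashes are in the standard CertSvc registry location; certificates bound to a legacy CAPI provider are listed but their key is not probed.

```powershell
# Added example (not from the original question or answer).
# Run as Administrator on the CA host. Cross-checks the certificates the CA
# service is configured to load (CACertHash) against what 'certutil -store my'
# sees, and tests whether each certificate's key container actually exists.
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Core    # System.Security.Cryptography.CngKey

# CACertHash is a REG_MULTI_SZ with one SHA-1 hash per CA certificate version,
# oldest first; the last entry is the "current CA certificate" the startup
# event complains about.
$config   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName   = (Get-ItemProperty -Path $config).Active
$caHashes = @((Get-ItemProperty -Path "$config\$caName").CACertHash |
    ForEach-Object { ($_ -replace ' ', '').ToUpperInvariant() })

# Parse 'certutil -store my' into one record per certificate, keeping the
# fields that matter here: subject, thumbprint, key container and provider.
$records = @()
$rec = @{}
foreach ($line in (certutil -store my)) {
    switch -Regex ($line.Trim()) {
        '^=+ Certificate \d+ =+$'   { if ($rec.Count) { $records += $rec }; $rec = @{} }
        '^Subject: (.+)$'           { $rec.Subject    = $Matches[1] }
        '^Cert Hash\(sha1\): (.+)$' { $rec.Thumbprint = ($Matches[1] -replace ' ', '').ToUpperInvariant() }
        '^Key Container = (.+)$'    { $rec.Container  = $Matches[1] }
        '^Provider = (.+)$'         { $rec.Provider   = $Matches[1] }
    }
}
if ($rec.Count) { $records += $rec }

$ksp  = [System.Security.Cryptography.CngProvider]::MicrosoftSoftwareKeyStorageProvider
$opts = [System.Security.Cryptography.CngKeyOpenOptions]::MachineKey

foreach ($r in ($records | Where-Object { $_.Subject -like "CN=$caName,*" })) {
    # Does the key container the certificate points at exist in the KSP's
    # machine key store? A "no" here is exactly what 'Missing stored keyset'
    # and NTE_BAD_KEYSET (0x80090016) are reporting.
    if ($r.Provider -ne $ksp.Provider) {
        $keyState = "not probed (provider '$($r.Provider)')"
    } elseif ([System.Security.Cryptography.CngKey]::Exists($r.Container, $ksp, $opts)) {
        $keyState = 'key container present'
    } else {
        $keyState = 'MISSING KEYSET'
    }

    # Is this certificate one the CA service will try to load at start?
    $idx  = [array]::IndexOf($caHashes, $r.Thumbprint)
    $role = if ($idx -ge 0) { "CACertHash[$idx]" } else { 'not referenced by CA' }

    '{0}  {1,-20}  {2,-24}  {3}' -f $r.Thumbprint, $role, $r.Container, $keyState
}
```

Read the output by row: a certificate that is referenced in CACertHash and reports MISSING KEYSET is what keeps the service from starting. The answer's certutil -repairstore step only re-links a certificate to a key container that already exists (that is why it succeeded for the `company-PCZDC-CA(1)` container above and failed for `company-PCZDC-CA`); when the container itself is gone, the private key has to come back from the CA backup (certutil -restorekey, or importing the PFX taken when the CA was backed up) before -repairstore has anything to bind to. Whether the older certificate can be retired from AD is a separate question from getting the service to start; the CACertHash column tells you whether the service still references it.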

User contributions licensed under CC BY-SA 3.0