Sunday, May 8, 2016

Unable to start Microsoft CA service after migrating from Cryptographic Service Provider (CSP) to Key Storage Provider (KSP)


You’ve successfully completed the steps required to migrate your Microsoft CA (Certificate Authority) from Cryptographic Service Provider (CSP) to Key Storage Provider (KSP) after performing the steps outlined in the following TechNet guide:

Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP)

However, you receive the following error when you attempt to start the CA service:

keyset does not exist 0x80090016 certificate services

Reviewing the System logs shows that the following is logged:

Event ID: 7024
Level: Error

The Active Directory Certificate Services service terminated with the following service-specific error:

Keyset does not exist




While there could be various solutions to correct the issue, one of the method that worked for my situation was to launch the CA’s Local Computer store, navigate to Personal > Certificates, delete all of the imported CA certificates:


Then rerun step #5 in the TechNet article:

Migrate the CA certificate and private key to a KSP:

a.Run the following command:

Certutil –csp <KSP name> -importpfx <Your CA cert/key PFX file>

For example: Certutil –csp “Microsoft Software Key Storage Provider” –importpfx c:\Backup\CorpSubCA.p12

Once the CA’s certificate along with their private keys are reimported, the CA service should now start.

1 comment:

Unknown said...

It's really awesome post. Your blog is really useful for me. Keep update your blog.

Microsoft Server 2016 Migration
Microsoft Server 2016 Repair