Sunday, May 8, 2016

Unable to start Microsoft CA service after migrating from Cryptographic Service Provider (CSP) to Key Storage Provider (KSP)

Problem

You have migrated your Microsoft CA (Certificate Authority) from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP) by following the steps in the following TechNet guide:

Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP)
https://technet.microsoft.com/en-us/library/dn771627.aspx

However, you receive the following error when you attempt to start the CA service:

keyset does not exist 0x80090016 certificate services

Reviewing the System logs shows that the following is logged:

Event ID: 7024
Level: Error

The Active Directory Certificate Services service terminated with the following service-specific error:

Keyset does not exist


Solution

While there could be various solutions to correct the issue, one method that worked in my situation was to open the CA's Local Computer certificate store, navigate to Personal > Certificates, and delete all of the imported CA certificates:


Then rerun step #5 in the TechNet article:

https://technet.microsoft.com/en-us/library/dn771627.aspx

Migrate the CA certificate and private key to a KSP:

a. Run the following command (note that the switches use a plain hyphen, not the dash character that copy-pasting from a web page sometimes produces):

certutil -csp <KSP name> -importpfx <Your CA cert/key PFX file>

For example: certutil -csp "Microsoft Software Key Storage Provider" -importpfx c:\Backup\CorpSubCA.p12

Once the CA's certificate and its private key have been reimported into the KSP, the CA service should start.
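The following PowerShell script is an added example, not part of the original post or of the TechNet article. It performs the same check and remediation described above from the command line: it reads which provider the CA configuration expects (the CSP key under the CertSvc registry configuration that the TechNet guide's certutil -setreg steps write), reports for each CA certificate in the Local Computer\Personal store whether its private key can be opened and which provider holds it, removes the copies whose key is not in the KSP, reimports the PFX, and starts the service. The CA name, the PFX path and the assumption that the CA uses an RSA key are placeholders to adjust for your environment; run it in an elevated PowerShell session on the CA itself.

```powershell
# Added example (not from the original post): diagnose "Keyset does not exist"
# after a CSP-to-KSP migration and apply the fix described in the post.
# Placeholders: $CaName and $PfxPath must match your CA; RSA keys are assumed.

$CaName  = 'CorpSubCA'                                 # placeholder: CA common name
$PfxPath = 'C:\Backup\CorpSubCA.p12'                   # placeholder: CA cert/key PFX file
$Ksp     = 'Microsoft Software Key Storage Provider'

# 1. Which provider does the CA configuration expect?
#    (written by: certutil -setreg ca\csp\Provider "<provider name>")
$cspReg   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\CSP"
$expected = (Get-ItemProperty -Path $cspReg -ErrorAction Stop).Provider
Write-Host "CA configuration expects provider: $expected"

# 2. Report where the private key of each CA certificate actually lives.
function Get-CaKeyProvider {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'NO PRIVATE KEY' }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return 'KSP: ' + $rsa.Key.Provider.Provider          # CNG key storage provider name
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return 'CSP: ' + $rsa.CspKeyContainerInfo.ProviderName  # legacy CryptoAPI provider name
        }
        return $rsa.GetType().Name
    } catch {
        # The certificate claims a key but the container cannot be opened: this is
        # the "Keyset does not exist" condition the CA service reports at start-up.
        return "KEY UNREACHABLE ($($_.Exception.Message))"
    }
}

$caCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$CaName*" }
foreach ($c in $caCerts) {
    Write-Host ('{0}  NotAfter={1:yyyy-MM-dd}  Key={2}' -f $c.Thumbprint, $c.NotAfter, (Get-CaKeyProvider $c))
}

# 3. Remediation as in the post: remove the imported copies whose key is not in the
#    expected KSP, reimport the PFX into the KSP (certutil prompts for the PFX
#    password), then start the service.
$stale = $caCerts | Where-Object { (Get-CaKeyProvider $_) -ne "KSP: $Ksp" }
if ($stale) {
    $stale | ForEach-Object { Write-Host "Removing $($_.Thumbprint) from LocalMachine\My" }
    $stale | Remove-Item                       # same as deleting the entries in certlm.msc
    & certutil -csp $Ksp -importpfx $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -importpfx failed with exit code $LASTEXITCODE" }
}

Start-Service CertSvc
Get-Service CertSvc | Select-Object Name, Status
```

The diagnostic part (steps 1 and 2) is safe to run on its own before touching anything: if the registry says the KSP but every CA certificate reports "CSP: ..." or "KEY UNREACHABLE", the store holds copies that the CA configuration can no longer use, which is exactly the state the post's delete-and-reimport fixes.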
