Problem
You’ve successfully completed the steps required to migrate your Microsoft CA (Certificate Authority) from Cryptographic Service Provider (CSP) to Key Storage Provider (KSP) after performing the steps outlined in the following TechNet guide:
Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP)
https://technet.microsoft.com/en-us/library/dn771627.aspx
However, you receive the following error when you attempt to start the CA service:
keyset does not exist 0x80090016 certificate services
Reviewing the System logs shows that the following is logged:
Event ID: 7024
Level: Error
The Active Directory Certificate Services service terminated with the following service-specific error:
Keyset does not exist
Solution
While there could be various solutions to correct the issue, one of the method that worked for my situation was to launch the CA’s Local Computer store, navigate to Personal > Certificates, delete all of the imported CA certificates:
Then rerun step #5 in the TechNet article:
https://technet.microsoft.com/en-us/library/dn771627.aspx
Migrate the CA certificate and private key to a KSP:
a.Run the following command:
Certutil –csp <KSP name> -importpfx <Your CA cert/key PFX file>
For example: Certutil –csp “Microsoft Software Key Storage Provider” –importpfx c:\Backup\CorpSubCA.p12
Once the CA’s certificate along with their private keys are reimported, the CA service should now start.
No comments:
Post a Comment