I came across one DC which gives me RPC errors when dealing with AD Certificate Services. I can see in AD that there are 2 root CAs; one is problematic. Is it safe to remove it? Or is there a procedure for this?

Windows Server 2012 R2

Event "Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. company-PCZDC-CA Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)."

C:\Windows\system32>certutil -repairstore my "a5 89 64 42 4b 8e 36 96 75 98 ce 66 64 e8 de 78 dd f1 5b a6"
my "Personal"

================ Certificate 3 ================
Serial Number: 17ae4091a11c7e8e4dc3ed3fc72db75b
Issuer: CN=company-PCZDC-CA, DC=company, DC=komp
 NotBefore: 10/4/2009 12:02 PM
 NotAfter: 10/4/2019 12:12 PM
Subject: CN=company-PCZDC-CA, DC=company, DC=komp
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): a5 89 64 42 4b 8e 36 96 75 98 ce 66 64 e8 de 78 dd f1 5b a6
  Key Container = company-PCZDC-CA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset
Encryption test passed
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808 NTE_PERM)
CertUtil: Access denied.

C:\Windows\system32>certutil -repairstore my "ba e3 ba 4c 08 d2 ed 60 08 3f 6e fe 41 18 b6 3e bd ab c8 d5"
my "Personal"

================ Certificate 2 ================
Serial Number: 485fd8c5f3feeb8a4e64ecd16a2dbd23
Issuer: CN=company-PCZDC-CA, DC=company, DC=komp
 NotBefore: 2/6/2013 10:42 AM
 NotAfter: 2/6/2023 10:52 AM
Subject: CN=company-PCZDC-CA, DC=company, DC=komp
Certificate Template Name (Certificate Type): CA
CA Version: V1.1
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): ba e3 ba 4c 08 d2 ed 60 08 3f 6e fe 41 18 b6 3e bd ab c8 d5
  Key Container = company-PCZDC-CA(1)
  Unique container name: c73ffc950df279cee4509962d72c6d8b_725e2e58-6d5c-4cfd-bef2-9c66eb03b047
  Provider = Microsoft Software Key Storage Provider
Private key is NOT plain text exportable
Signature test passed
CertUtil: -repairstore command completed successfully.

C:\Windows\system32>

1 Answer

First, I followed this: http://blogs.msdn.com/b/kaushal/archive/2012/10/07/error-hresult-0x80070520-when-adding-ssl-binding-in-iis.aspx

Then this, from https://technet.microsoft.com/en-us/library/cc759048(v=ws.10).aspx:

certutil -addstore my certnew.cer
certutil -repairstore my "thumbprint"

  • Welcome to ServerFault! In the future, please include the relevant bits from your linked post in the answer here. Should those links go dead, your answer will remain viable. Commented Nov 9, 2015 at 13:16
  • Neither of these links is about Certificate Services; they are about IIS. Commented Dec 19, 2018 at 19:20
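The answer above reaches for certutil -repairstore, but the question's own output already shows the real split: the CA has two certificate versions, and only the V0.0 one reports "Missing stored keyset". Before removing or re-binding anything, a practitioner wants to see, for every CA certificate version the CertSvc configuration actually references, whether its private key can still be opened. The PowerShell below is an added example, not code from the question or the answer. It assumes the default AD CS registry location (HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, where CACertHash lists one SHA1 hash per CA certificate version) and .NET Framework 4.6 or later for RSACertificateExtensions; run it elevated on the CA host.

```powershell
# Added example (not from the original post). For each CA certificate version the
# local CertSvc configuration references, locate it in LocalMachine\My and try to
# open its private key, so a version with a missing keyset (NTE_BAD_KEYSET) stands out.
# Assumptions: default AD CS registry path; .NET Framework 4.6+ for GetRSAPrivateKey.

$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName     = (Get-ItemProperty -Path $configRoot).Active            # sanitized CA name
$caHashes   = @((Get-ItemProperty -Path (Join-Path $configRoot $caName)).CACertHash)  # REG_MULTI_SZ

Write-Host ("CA configuration: {0} ({1} certificate version(s))" -f $caName, $caHashes.Count)

for ($i = 0; $i -lt $caHashes.Count; $i++) {
    # Registry stores the hash as "a5 89 64 ..."; Thumbprint is upper-case hex without spaces.
    $thumb = ($caHashes[$i] -replace '\s', '').ToUpper()
    $cert  = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }

    if (-not $cert) {
        Write-Host ("[{0}] {1}  not found in LocalMachine\My" -f $i, $thumb)
        continue
    }

    # HasPrivateKey only reports that the certificate carries a key-provider reference.
    # It stays $true when the key container itself is gone (the asker's case), so the
    # key has to be opened to know whether the CA service will be able to use it.
    $keyState = 'no private key reference'
    if ($cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa) { $keyState = 'private key opens OK'; $rsa.Dispose() }
            else      { $keyState = 'key reference present but no RSA key returned' }
        } catch {
            $keyState = "private key FAILED to open: $($_.Exception.Message)"
        }
    }

    Write-Host ("[{0}] {1}  {2:yyyy-MM-dd} to {3:yyyy-MM-dd}  {4}" -f `
        $i, $thumb, $cert.NotBefore, $cert.NotAfter, $keyState)
}
```

A version that prints "FAILED to open" with a keyset error is the one the CertSvc event is complaining about; a version that is simply absent from the store is a different problem (the certificate itself was deleted). certutil -verifykeys performs a comparable check from the command line without the .NET dependency. The script only reports; whether an old CA key can be restored from backup or the old certificate version retired is a decision for the CA owner, not something to script blindly.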
