I've migrated my Active Directory Certificate Services Enterprise CA to a new server (and from Windows 2003 R2 x86 to Windows 2008 R2 x64). I have been having problems with checking the Certificate Revocation Lists, but I've republished the revocation lists from the Root CA and when I run certutil -urlfetch -verify I don't get any errors any more:
Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
But I still get the same errors when I try to start the CA. I get the following pop-up:
Microsoft Active Directory Certificate Services
---------------------------
The system cannot find the file specified. 0x2 (WIN32: 2)
The policy module for a CA is missing or incorrectly registered. To view or change
policy module settings, right-click on the CA, click Properties, and then click the
Policy Module tab.
---------------------------
OK
and I get the following error in the log:
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 26/06/2012 15:59:45
Event ID: 100
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: SRV112.cobbsch.cobbetts.co.uk
Description:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. Cobbetts LLP Enterprise CA The system cannot find the file specified. 0x80070002 (WIN32: 2).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
<EventID Qualifiers="49754">100</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-06-26T14:59:45.000000000Z" />
<EventRecordID>852</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>SRV112.cobbsch.cobbetts.co.uk</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="MSG_E_CA_CERT_INVALID">
<Data Name="CACommonName">Cobbetts LLP Enterprise CA</Data>
<Data Name="ErrorCode">The system cannot find the file specified. 0x80070002 (WIN32: 2)</Data>
</EventData>
</Event>
Microsoft have documentation for this error: http://technet.microsoft.com/en-us/library/cc774550(v=ws.10).aspx
But the documentation just talks about the CA chain not verifying, which it now is.
I was wondering if it was some sort of a cached failure, or a cached copy of an incorrect CRL (I migrated the root CA earlier on and had to republish the CRL before certutil would verify properly), so I tried a reboot to flush out the caches.
That didn't change anything.
I've also tried running Certutil as SYSTEM to see if there was a permissions issue and that didn't solve the problem either.
[To run as system: run psexec -i -s cmd.exe from an elevated command prompt and it will launch a command prompt as system. You can run whoami to check.]
I resolved this issue with Microsoft support, but I didn't really understand what they did to resolve it.
Dug up the Microsoft support notes, in the hope these are useful to someone:
I had the same error. I was using a Hardware Security Module from nCipher. ADCS wasn't able to access its private key. It seems like when starting the ADCS service, it makes some test among those checking the private key. So, I configured my HSM accordingly. Now it works!!!
I recently did a 2003 to 2012 R2 migration and had the same exact issue you describe. The CA would restore and start fine until I imported the registry backup from the old CA.
After a call with Microsoft and several hours troubleshooting we came across the solution. I did not find this page during any of my googling but here it is:
Certificate Server Service does not start and you receive the error: The Data is invalid. 0xd (Win32:13) on a Windows 2003 based certificate authority
Basically there is an expired cert or a cert missing the private key in the CAcerthash registry key. In my case it was an expired cert. In order to resolve the issue:
Open up the certificates snap-in in mmc and select Computer. Open the Personal certificate store.
Look for certificates that either display no private key icon or that have an expiration date that has passed.
Open the certificate and take note of the thumbprint in the Details pane. You will need to match this up to the thumbprints present in your CAcerthash registry key.
Once you have your thumbprints, check the CAcerthash registry key for the missing or expired cert thumbprint and replace the thumbprint values with the minus sign -.
Save the registry key and attempt to start the certificate authority.
This worked for me so hopefully someone else finds this helpful.
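As an added example (not code from any post in this thread), the following PowerShell script does the thumbprint comparison described above automatically: it reads the CA's CACertHash entries and reports which ones are absent from the machine's Personal store, expired, or lacking a private key. It assumes the CA's configuration key is named after the CA's common name (the $CAName placeholder) and only reports; it does not modify the registry.

```powershell
# Added example, not from the thread. Set this to your CA's common name as it
# appears under HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.
$CAName = 'YOUR-CA-COMMON-NAME'   # placeholder, assumption

$cfg = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"

# CACertHash is a REG_MULTI_SZ: one thumbprint per CA certificate version,
# in the order the CA certificate was issued/renewed.
$hashes = (Get-ItemProperty -Path $cfg -Name CACertHash).CACertHash

# Index the local machine Personal store by thumbprint (uppercase, no spaces)
# so each registry entry can be looked up directly.
$store = @{}
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $store[$_.Thumbprint.ToUpperInvariant()] = $_
}

$now = Get-Date
$index = 0
foreach ($entry in $hashes) {
    # Registry thumbprints may contain spaces between byte pairs; normalise.
    $tp = ($entry -replace '\s', '').ToUpperInvariant()
    $status = 'OK'

    if ($tp -eq '-') {
        # Entry already replaced with "-" as described in the answer above.
        $status = 'SKIPPED (marked with -)'
    }
    elseif (-not $store.ContainsKey($tp)) {
        $status = 'MISSING from LocalMachine\My'
    }
    else {
        $cert = $store[$tp]
        if ($cert.NotAfter -lt $now) {
            $status = "EXPIRED on $($cert.NotAfter)"
        }
        elseif (-not $cert.HasPrivateKey) {
            $status = 'NO PRIVATE KEY'
        }
    }

    [pscustomobject]@{ Index = $index; Thumbprint = $tp; Status = $status }
    $index++
}
```

Run it from an elevated PowerShell prompt on the CA; any entry not reported as OK is a candidate for the "-" replacement, but export the CertSvc configuration key first so the change can be reverted.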
This error can occur if you changed the OS SKU, e.g. went from 2003 Enterprise to 2008 R2 Standard edition. You don't mention the SKU along with the OS details.
Assuming that was not the case, then to troubleshoot this you will need to gather the following: enable the debug log, start procmon and attempt to start the service. Stop procmon when service startup fails.
If you share them out somewhere, I can have a look.
I ran into a similar issue with a subordinate CA that was upgraded from Windows 2008 R2 to 2012 R2. Fortunately I had just built a new root CA with Server 2012 R2 that I could match up registry settings with. It turned out that some values in the HKLM\system\CurrentControlSet\Services\CertSvc\Configuration\\CSP key of the upgraded computer didn't match up with the 2012 R2 computer. Specifically, "CNGPublicKeyAlgorithm = RSA" was missing, "Provider" needed to be changed to "Microsoft Software Key Storage Provider" and "ProviderType" needed to be changed from 1 to 0. After making those changes, Certificate Services was able to start without error.