I cannot start Certificate Services - Object was not found

ami-2064 0 Reputation points
2023-02-21T13:31:04.1333333+00:00

Hi, a few days after installing a domain-integrated Certification Authority on Windows 2008R2, I restarted the server. After the reboot, it turned out that Certificate Services did not start, with the error: Object was not found. 0x80090011 (-2146893807)

Application log:
Source: CertificationAuthority
EventID: 100
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  CA-Server Object was not found. 0x80090011 (-2146893807).

System log:

Source: Service Control Manager
EventID: 7024
The Active Directory Certificate Services service terminated with service-specific error %%-2146893807.

certutil -urlfetch -verify shows:

[screenshot: verify]

The CertEnroll folder contains the correct files. CRL valid until tomorrow:

[screenshot: CerEnroll]

In Active Directory Sites and Services -> Configuration/Services/Public Key Services
AIA
CDP
KRA
certificates are valid.

There was a CA on this machine before but it was uninstalled (when the certificate of the previous CA expired) and reinstalled with new settings.

Can anyone help on this?


5 answers

  1. Vasileios Dionysopoulos 641 Reputation points
    2023-02-21T22:56:04.8733333+00:00

    Hello Ami,

    It is possible that remnants of the previous Certification Authority installation are interfering with the new installation. Here are some additional steps you can take to troubleshoot and resolve the issue:

    1. Check the certificate store: Verify that the CA certificate is present in the certificate store. You can view the certificate in the Certificate Services MMC console by navigating to "CA Name" -> "Properties" -> "View Certificate".
    2. Check the CA registry settings: Verify that the CA registry settings are correct by running the following command in an elevated Command Prompt:

        certutil -getreg CA

       This will display the registry settings for the CA.
    3. Check for duplicate entries in Active Directory: Ensure that there are no duplicate entries for the Certification Authority in Active Directory. You can use the ADSI Edit tool to check for duplicate entries.
    4. Check for permissions issues: Verify that the service account for the Certificate Services has the necessary permissions to access the certificate store. You can check the account in the Certificate Services MMC console by navigating to "CA Name" -> "Properties" -> "Security" -> "Service Account".
    5. Try recreating the Certificate Authority: If the above steps do not resolve the issue, you may need to recreate the Certification Authority from scratch. Be sure to uninstall the previous instance of the CA and remove all remnants of the old CA from the registry and Active Directory before installing the new CA.
    6. Check the event logs: Review the event logs for any errors or warnings related to the Certificate Services. This may provide additional clues as to what is causing the issue.
    7. Try restoring the CA from a backup: If you have a backup of the previous instance of the CA, you can try restoring it to the same server or a different server and then attempt to repair or upgrade it.

    Maybe this is not your solution, but I hope it helps you continue your investigation.

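As an added diagnostic for steps 1 and 2 of this answer (my script, not from the thread or from Microsoft): it reads the CA's CACertHash registry value, checks that each listed CA certificate is in LocalMachine\My with its private key, and cross-checks the Enrollment Services object in AD. It assumes a standard AD CS install and an elevated PowerShell session on the CA itself.

```powershell
# Added diagnostic for this thread's symptom; not from the original post.
# Assumes a standard AD CS install, where the active CA name and its certificate
# thumbprints (REG_MULTI_SZ CACertHash, hex bytes separated by spaces) live under
# HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active -ErrorAction Stop).Active
$caKey  = Join-Path $cfg $caName
$hashes = @((Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash) |
          ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }
Write-Host "Active CA: $caName  (CACertHash entries: $($hashes.Count))"

# Step 1 of the answer: is every CA certificate the service expects actually in
# the machine store, and does it still have its private key? A missing entry is
# the classic cause of "Could not load or verify the current CA certificate".
$store = Get-ChildItem Cert:\LocalMachine\My
for ($i = 0; $i -lt $hashes.Count; $i++) {
    $h    = $hashes[$i]
    $cert = $store | Where-Object { $_.Thumbprint -eq $h }
    if (-not $cert) {
        Write-Warning "CA cert #$i ($h) is listed in CACertHash but is missing from LocalMachine\My"
    } elseif (-not $cert.HasPrivateKey) {
        Write-Warning "CA cert #$i ($h) is in the store but has no private key"
    } else {
        Write-Host ("CA cert #{0} OK: {1}, valid until {2}" -f $i, $cert.Subject, $cert.NotAfter)
    }
}

# Cross-check the Enrollment Services object in AD (what Active Directory Sites
# and Services shows under Public Key Services): its cACertificate attribute
# should match one of the thumbprints above, otherwise registry and directory
# disagree about which certificate this CA is using.
$cfgNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$esPath = "LDAP://CN=$caName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
if (-not [ADSI]::Exists($esPath)) {
    Write-Warning "No Enrollment Services object for '$caName' in AD"
} else {
    $bytes  = [byte[]](([ADSI]$esPath).Properties['cACertificate'][0])
    $adCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    if ($hashes -contains $adCert.Thumbprint) {
        Write-Host "AD Enrollment Services cert matches CACertHash: $($adCert.Thumbprint)"
    } else {
        Write-Warning "AD Enrollment Services cert $($adCert.Thumbprint) is not in CACertHash"
    }
}
```

Any warning it prints points at the exact object (store entry, key container, or AD object) to inspect before the heavier steps in this answer.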

  2. ami-2064 0 Reputation points
    2023-02-22T14:13:59.9166667+00:00

    Thank you for your answer.

    I'm not a CA specialist but there doesn't seem to be anything alarming here, right?

    [screenshot: reg_smthng]

    Also in all these places there is only one certificate (the valid one):

    [screenshot: ADSI]

    Regarding security: users can request certificates, enterprise, domain and local administrators can manage and issue certificates.

    I did restore from backup first. Did not help.


  3. Deleted

  4. Deleted

  5. ami-2064 0 Reputation points
    2023-02-28T06:05:10.1833333+00:00

    I finally uninstalled the CA using the following procedure (as in case of multiple Active Directory Certificate Services (AD CS) role services installed on a single server):

    Select Start, point to Administrative Tools, and then select Server Manager.

    Under Roles Summary, select Active Directory Certificate Services.

    Under Roles Services, select Remove Role Services.

    Select to clear the Certification Authority check box, and then select Next.

    Then I added the role again, indicating that I wanted to use an already existing certificate. At this point, it turned out that I had to choose one of the old certificates from 2018 (and only this one). I chose it. After the CA installation was complete, I renewed this certificate and everything works. Now in AD containers two CA certificates are visible: the renewed one and the one from before reinstallation. Both are OK. I have to clean up carefully now.
