Certification Authority - wrong CNAME for CA on Windows Server Essentials

Aron Sosnowski 1 Reputation point
2020-10-26T13:39:07.877+00:00

Hello,

I have a problem with CA configuration on AD windows server 2012r2. It manifests itself by error with starting "windows server essentials services". I figure out there is something wrong into: hklm>software>microsoft>windows server>identity The CAName should be different in my opinion. Now, it has the "NAME" as DOMAIN-SRV-DC2-CA, instead of name in Certification Authority: “company-SRC-DC2-CA” Question. Should I change CANAME in regedit for one that is in a Certification Authority?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,922 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Aron Sosnowski 1 Reputation point
    2020-10-27T08:00:17.3+00:00

    Hi,

    Thanks for your response.

    • There is no error in pkiview, I got one CA certificate with.
    • The server name: SRV-DC2
    • CANAME (DOMAIN as literally ): DOMAIN-SRV-DC2-CA

    I can renew the certificate by CA.
    I did a test yesterday on the demo server where I change data like CANAME. After that, I got the same problem with "Windows server Essentials" services.
    But when I returned the configuration. Services did not come back to work.

    For information. There was a problem with PKI (there was an old bad CA service that I deleted from PKIVIEW.MSC
    But this occurs before the problem with "Windows server essentials" service down. After deleting old PKI, I can handly renew the certificate.

    I think "Windows server essentials" service has a problem with finding the correct Certificate:

    EVENT 133, ServerEssentials:
    "The 'Windows Server Essentials Provider Registry Service' service (ServiceProviderRegistry) failed while starting.

    Additional error information: Microsoft.WindowsServerSolutions.Common.ProviderFramework.ProviderException: Failed to configure the ServiceHost (see inner exception). ---> Microsoft.WindowsServerSolutions.Certificates.CertificatesException: Unable to find valid machine certificate on local store.
    at Microsoft.WindowsServerSolutions.Common.ProviderFramework.ProductConfiguratorBase._SetServiceCert(X509CertificateRecipientServiceCredential svcCertCred)
    at Microsoft.WindowsServerSolutions.Common.ProviderFramework.ProductConfiguratorBase._ConfigureServiceHost(ServiceHost serviceHost)
    at Microsoft.WindowsServerSolutions.Common.ProviderFramework.ProductConfiguratorBase.ConfigureServiceHost(ServiceHost serviceHost)
    --- End of inner exception stack trace ---
    at Microsoft.WindowsServerSolutions.Common.ProviderFramework.ProductConfiguratorBase.ConfigureServiceHost(ServiceHost serviceHost)
    at Microsoft.WindowsServerSolutions.Common.ProviderFramework.ProviderRegistry.Program.ConfigureEndpointsNormalMode(ServiceHost host)
    at Microsoft.WindowsServerSolutions.Common.ProviderFramework.ProviderRegistry.ServiceShell.OpenHost()"


  2. Aron Sosnowski 1 Reputation point
    2020-10-28T09:03:06.6+00:00

    Hi,

    The servers is a windows essentials 2012 and it act as a DC and CA server.

    Demo server CA is based on windows server 2019 evaluation, I set DC and CA services.
    And after change CANME in Regedit, I got the same problem - return CANME doesn't fix it at all.

    Best Regards,

    0 comments No comments

  3. Fan Fan 15,326 Reputation points Microsoft Vendor
    2020-10-29T07:18:24.923+00:00

    Hi,

    Based on my research, the CA name can't be changed.(When you install CA as it stated)

    • the name of the CA (netBIOS)
    • The domain membership of the computer hosting the CA
    • the CA logical name

    If the error can't be fix by return the name, i would suggest you restore the CA from the back up.
    Best Regards,

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.