CertUtil: -backupKey command FAILED: 0x80092004 (-2146885628)

David Ewer 71 Reputation points
2020-11-17T17:40:21.363+00:00

I am trying to perform a backup of the CA Database and Private Keys for my old SBS server before migrating to my new server running Windows Server 2019 Standard. However, when I run the certutil -backupkey command, I receive the error "CertUtil: -backupKey command FAILED: 0x80092004 (-2146885628) CertUtil: Cannot find object or property."

Can anybody suggest how to overcome this error?

What would be the implications of not migrating the CA Database and Private Keys?

Thanks

David


3 answers

  1. Fan Fan 15,336 Reputation points Microsoft Vendor
    2020-11-18T03:04:28.13+00:00

    Hi,
    Thanks for sharing here!
    For Migrating The Active Directory Certificate Service, I would recommend you follow the steps in the following link:
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674
    And check if you can back up all the database successfully.
    If there are still errors, please feel free to let us know.

    Best Regards,


  2. David Ewer 71 Reputation points
    2020-11-18T13:10:30.073+00:00

    Thanks for coming back to me so quickly. I followed the steps in the link you sent me but received a similar error (see attached screenshots). I clicked OK after the first message and then received the error.

    40841-1.png

    40851-2.png


  3. Vadims Podāns 9,121 Reputation points MVP
    2020-11-24T07:25:19.81+00:00

    > Can anybody suggest how to overcome this error?

    I would say there is no supported way. Your private key is not allowed for export (even for backup purposes), so you can't back it up and transfer it to another server. What I can suggest is to start over with a brand new CA and issue certificates from the new CA. Keep running the existing CA until the last client certificate has expired. When the last certificate has expired, you simply decommission the old CA.
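
A read-only check for the condition described in the last answer (a CA private key that is not marked exportable), as an added example that is not part of the thread or written by any of its participants. It assumes an elevated PowerShell session on the CA server; the function name `Get-KeyExportability` is hypothetical, and the CNG branch needs .NET Framework 4.6 or later.

```powershell
# Added example: list CA certificates in LocalMachine\My and report whether
# each private key is marked exportable. Read-only; changes nothing.
function Get-KeyExportability {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return 'no private key associated' }

    try {
        # Legacy CryptoAPI (CSP) keys expose the container's export flag directly.
        $key = $Cert.PrivateKey
        if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
            $info = $key.CspKeyContainerInfo
            return "CSP '$($info.ProviderName)': exportable=$($info.Exportable)"
        }
    } catch { }   # CNG-backed keys throw here on .NET Framework; fall through

    try {
        # CNG (KSP) keys carry an export policy instead of a single flag.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return "CNG '$($rsa.Key.Provider.Provider)': export policy=$($rsa.Key.ExportPolicy)"
        }
    } catch { }

    return 'could not open key (missing container, no access, or unsupported provider)'
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Keep only CA certificates (Basic Constraints: CA = true).
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if ($bc -and $bc.CertificateAuthority) {
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Key        = Get-KeyExportability $cert
        }
    }
} | Format-List Subject, Thumbprint, NotAfter, Key
```

A result of `exportable=False`, or a CNG export policy of `None`, matches the situation the answer describes.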

