Hello,
Thank you for posting in the Q&A forum.
The error message typically indicates an issue with the Key Recovery Agent (KRA) certificates on your Certification Authority (CA). Here are some steps to troubleshoot:
- Ensure that the KRA certificates are valid and not expired. You can check this in the Certification Authority management console under Issued Certificates.
- If the KRA certificates are expired, you will need to renew or replace them. This can be done by issuing new KRA certificates and configuring the CA to use them.
- Make sure that the CA can check the revocation status of the KRA certificates. If the CA cannot verify the revocation status, it will not use the KRA certificates. Ensure that the revocation server is online and accessible.
- Verify the configuration for key archival. Ensure that the number of recovery agents specified matches the number of valid KRA certificates. If the number exceeds the valid KRA certificates, the requests will fail.
- Check the Event Viewer on the CA for any related errors or warnings. Look under Applications and Services Logs > Microsoft > Windows > CertificateServicesClient for more detailed information.
Reference:
Certificate services client enrollment fails after renewing SSL ...
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
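The checks listed in the answer above (KRA certificate validity, revocation status, and the configured number of recovery agents), combined into one PowerShell script as an added example that is not part of the original answer. It assumes the CA keeps its key archival settings in the `KRACertCount` and `KRACertHash` registry values under the CertSvc configuration key and that the KRA certificates are present in the `LocalMachine\KRA` store.

```powershell
# Added example: run in an elevated PowerShell session on the CA server.
# Assumed locations: CertSvc Configuration registry key and LocalMachine\KRA store.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active              # name of the active CA
$caCfg   = Get-ItemProperty -LiteralPath (Join-Path $cfgRoot $caName)

$required = [int]$caCfg.KRACertCount                             # recovery agents the CA must use
$hashes   = @($caCfg.KRACertHash) | Where-Object { $_ } |
            ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpper() }

$results = foreach ($hash in $hashes) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\KRA |
            Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1
    if (-not $cert) {
        [pscustomobject]@{ Thumbprint = $hash; NotAfter = $null; Usable = $false
                           Problem = 'not found in LocalMachine\KRA store' }
    } else {
        # Build the chain with online revocation checking. This runs under your
        # account, not the CA service account, so CRL/OCSP reachability can differ.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $built  = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        [pscustomobject]@{
            Thumbprint = $hash
            NotAfter   = $cert.NotAfter
            Usable     = $built -and ($cert.NotAfter -gt (Get-Date))
            Problem    = $status      # e.g. NotTimeValid, Revoked, RevocationStatusUnknown
        }
    }
}

$results | Format-Table -AutoSize
$usable = @($results | Where-Object { $_.Usable }).Count
"Recovery agents required: $required; usable KRA certificates: $usable"
if ($required -gt $usable) {
    Write-Warning 'The CA is configured to use more recovery agents than it has usable KRA certificates.'
}
```

A `Problem` value of `RevocationStatusUnknown` or `OfflineRevocation` points at the revocation server check, while `NotTimeValid` points at an expired KRA certificate.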