DC01-CA\Failed requests - Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b

Alper GUNER 0 Reputation points
2024-11-26T10:50:39.5533333+00:00

Hello everyone,

I have an urgent problem, new users cannot connect to wifi. (802.1x-User Cert must)

DC01-CA\Failed requests >>

Request Status Code:

Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b

Active Directory

3 answers

  1. Daisy Zhou 26,571 Reputation points Microsoft Vendor
    2024-11-27T09:49:32.7633333+00:00

    Hello

    Thank you for posting in Q&A forum.

    The error message typically indicates an issue with the Key Recovery Agent (KRA) certificates on your Certification Authority (CA). Here are some steps to troubleshoot:

    1. Ensure that the KRA certificates are valid and not expired. You can check this in the Certification Authority management console under Issued Certificates.
    2. If the KRA certificates are expired, you will need to renew or replace them. This can be done by issuing new KRA certificates and configuring the CA to use them.
    3. Make sure that the CA can check the revocation status of the KRA certificates. If the CA cannot verify the revocation status, it will not use the KRA certificates. Ensure that the revocation server is online and accessible.
    4. Verify the configuration for key archival. Ensure that the number of recovery agents specified matches the number of valid KRA certificates. If the number exceeds the valid KRA certificates, the requests will fail.
    5. Check the Event Viewer on the CA for any related errors or warnings. Look under Applications and Services Logs > Microsoft > Windows > CertificateServicesClient for more detailed information.

    Reference:

    Certificate services client enrollment fails after renewing SSL ...

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

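The checks in steps 1 to 4 of the answer above can be run together on the CA server. The script below is an added example, not part of the original answer or a Microsoft tool. It assumes the configured KRA thumbprints are in the `KRACertHash` registry value of the active CA and that the certificates themselves are in the local machine `KRA` store.

```powershell
# Added example. Run in an elevated PowerShell session on the CA server.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active          # name of the active CA's config key
$ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)

# Number of recovery agents the CA is configured to use for each archived key.
$required = [int]$ca.KRACertCount
# Thumbprints of the configured KRA certificates, normalised for comparison.
$hashes = @($ca.KRACertHash) | Where-Object { $_ } |
    ForEach-Object { ($_ -replace '\s', '').ToUpper() }

# Assumption: the CA keeps its KRA certificates in the local machine "KRA" store.
$store = @(Get-ChildItem -Path Cert:\LocalMachine\KRA -ErrorAction SilentlyContinue)

$report = foreach ($thumb in $hashes) {
    $cert = $store | Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if (-not $cert) {
        [pscustomobject]@{ Thumbprint = $thumb; NotAfter = $null; Usable = $false
                           Problem = 'not found in KRA store' }
        continue
    }
    # Build the chain with online revocation checking, so an expired certificate
    # (NotTimeValid) and an unreachable CRL/OCSP endpoint (RevocationStatusUnknown,
    # OfflineRevocation) both show up. This runs as the current user, not as the
    # CA service, so proxy or firewall differences can change the result.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($cert)
    [pscustomobject]@{ Thumbprint = $thumb; NotAfter = $cert.NotAfter; Usable = $ok
                       Problem = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
}

$report | Format-Table -AutoSize

# Step 4 of the answer: the configured agent count must not exceed the valid KRA certificates.
$usable = @($report | Where-Object { $_.Usable }).Count
if ($usable -lt $required) {
    Write-Warning "CA expects $required recovery agent(s) but only $usable KRA certificate(s) verify."
}
```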

  2. Alper GUNER 0 Reputation points
    2024-11-27T10:33:37.35+00:00

    This is the biggest problem I am experiencing right now. The certificate has expired but I cannot renew it. What do you recommend?


  3. Alper GUNER 0 Reputation points
    2024-11-28T06:44:58.1766667+00:00

    Unfortunately, the KRA certificate had expired, but I was getting an error when I wanted to create a new KRA certificate. We solved this error as follows: we did not proceed by copying the template; we created a new template (we created a new template ourselves) and configured that template. Our problem was solved.

