Cannot renew subordinate CA certificate - error 0x8007139f (WIN32: 5023 ERROR_INVALID_STATE)

Anonymous
2023-09-07T20:37:03+00:00

Greetings fellow server admins!

I have a two-tier PKI implementation (Windows AD Certificate Services) running on Windows Server 2012 R2. The certificate for the subordinate CA is due to expire at the end of the month and I'm attempting to be proactive and renew that certificate before it expires. (The root CA certificate expires in three years.) Judging by the datestamp on the original certificate, this infrastructure has been running for 7+ years and the subordinate CA has had two successful certificate renewals in that time.

When I initiate the "Renew CA certificate..." process, the ADCS service stops as it's supposed to, I choose not to generate a new key pair, and click OK. Under normal conditions, the next dialog that would open would ask me the name of the root CA, or where to save the signing request file. Unfortunately, that's not happening. Instead, when I click OK, the dialog closes and the ADCS service starts back up. There's nothing in any event log (that I can find) and no error generated.

When I try to create a signing request file via the command line, however, I get a bit more information. When I run the following command:

certutil.exe -renewCert ReUseKeys

The response is the following error:

CertUtil: -renewCert command FAILED: 0x8007139f (WIN32: 5023 ERROR_INVALID_STATE) 

CertUtil: The group or resource is not in the correct state to perform the requested operation.

An online search hasn't yielded much in terms of solutions, but I have a sneaking suspicion that I need to create a new signing request using new keys, although I've not tried it yet. This server is somewhat behind with respect to updates, running the 2023-02 Security Monthly Rollup (KB5022899).

Any thoughts on how to ascertain what the exact problem is and a path to a resolution would be greatly appreciated.

Thank you!

-Todd


This question was migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2023-09-08T17:12:05+00:00

    Hello Daisy, very nice to meet you and thank you for your response.

    At the time of my maintenance, I had both the Root and Subordinate servers online. Even though the Root CA was online, I was intending to follow the case where the Root CA was offline. Had the CA Certificate Request dialog appeared, I would click "Cancel" which would then write the CSR to the root of the C drive (default).

    Per your guidance, I confirmed that the Domain Admins group was granted Read/Write/Enroll permissions on the Subordinate Certification Authority template (I was using my domain admin account). The part that was weird - and what I keep going back to - is the fact that the Subordinate CA certificate had been renewed three times since the creation of this CA environment. We have what I would call a disciplined change process, and I cannot find anything that would suggest changes had been made to the configuration of templates or any component of AD Certificate Services. So I don't understand how any of this would fail given that nothing* has changed.

    * Other than the installation of the 2023-02 security roll-up.

    Despite all this, I do have good news to report. Your second suggestion to resolve this issue - making a registry change - ultimately led to a successful renewal of the Subordinate CA certificate. I'll outline the steps I followed below.

    1. Before doing anything, I created a full backup of the existing CA environment on the Subordinate CA. Everything that could be backed up was backed up.
    2. I then set the registry value for "SetupStatus" to "1". The original value was set to "9".
      (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{server})
    3. After making this change, I tried to renew the Subordinate CA certificate using the Certification Authority MMC. It failed as described in my original post - the service stops, I choose not to create new keys, click OK, and the CA Certificate Request dialog doesn't appear and the service restarts.
    4. Thinking that a restart is needed, I give the server a reboot and try again using the GUI. Nope, same problem.
    5. I then think to see if I'm getting the same error, and I discover I'm not. The new error reads:
       CertUtil: -renewCert command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
       CertUtil: Keyset does not exist

    Of course, this looks very bad and I think that I've completely borked my CA environment. After checking the certificates, they're all still shown as valid and I don't see any scary error messages. (Whew!)

    At this point, I figure I might as well restore things back to their original error state. (Thank you for the reminder to create a backup!) Everything restores as expected and just to confirm I'm back at the original error message, I run the renewal process again.

    But this time, it works.

    I get the CA Certificate Request dialog box, I save the CSR locally, I run through the signing process on the Root CA and import the signed certificate into the Subordinate CA. I've also confirmed that the "SetupStatus" registry key is still set to "1".

    I honestly don't know why it worked, or how the restore back to the original error state fixed things. You'd think that restoring back to a "bad" state would result in the same error, right?

    Thank you for your help with this, I really, REALLY appreciate it. Hopefully this helps someone else.

    -Todd

    1 person found this answer helpful.

2 additional answers

  1. Anonymous
    2023-09-08T02:09:14+00:00

    Hello TAE2112,

    Thank you for posting in Microsoft Community forum.

    Please check the PKI health by opening PKIview.msc console and clicking Enter.

    1.Based on the description "I have a two-tier PKI implementation (Windows AD Certificate Services) running on Windows Server 2012 R2.", is the two-tier PKI one online enterprise root CA with one online enterprise sub CA? Or is the two-tier PKI one offline standalone root CA with one online enterprise sub CA?

    If it is the two-tier PKI one online enterprise root CA with one online enterprise sub CA, you can check permissions on the Subordinate Certification Authority template and issue the Subordinate Certification Authority template by right clicking "Certificate Templates" container\New\Certificate Template to issue on root CA.

    Reference:
    [10aa-0436-55d-5844] (microsoft.com)

    If it is the two-tier PKI one offline standalone root CA with one online enterprise sub CA, you can try the method in the similar thread Renew Subordinate CA (Core) Certificate (microsoft.com).

    But if the error is stuck at 'WIN32: 5023 ERROR_INVALID_STATE' you can fix it by setting the following registry key back to the default of 1:

    system\currentcontrolset\services\certsvc\configuration\{CA}\SetupStatus

    This will allow the GUI or command line renewal to work as normal again.

    Note: Please back up your CA environment first before you make any change.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    1 person found this answer helpful.
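The diagnosis and fix discussed in the question and in Daisy's answer, put into one script, as an added example that is not code from either poster or from Microsoft: it reads the active CA's SetupStatus, checks the current CA certificate and whether its private key is reachable (the NTE_BAD_KEYSET error Todd hit later is what you get when it is not), takes the backup both posts insist on, and only with -Fix resets SetupStatus to 1. It assumes it runs on the subordinate CA itself; $BackupRoot is a constructed path, and the reading of the SetupStatus bits in the comments is my interpretation, not something the thread states.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the thread). Without -Fix nothing is changed; the script
  only reports. $BackupRoot is a constructed location for the CA backup.
#>
param(
    [string]$BackupRoot = 'C:\CABackup',
    [switch]$Fix
)

$ErrorActionPreference = 'Stop'
$confKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# 'Active' under ...\Configuration names the CA instance hosted on this server; that
# name is also the per-CA subkey that carries SetupStatus and CACertHash.
$caName = (Get-ItemProperty -Path $confKey -Name Active).Active
$caKey  = Join-Path $confKey $caName
$status = [int](Get-ItemProperty -Path $caKey -Name SetupStatus).SetupStatus

Write-Host ("CA instance : {0}" -f $caName)
Write-Host ("SetupStatus : {0} (0x{0:X})" -f $status)
# The thread reports 9 before the failure and 1 as the working default. My reading of
# the CA setup flags (an assumption, not stated in the thread): 0x1 = server role
# installed, 0x8 = a CA certificate request is still recorded as pending, which is the
# "state" a new -renewCert is refused from with ERROR_INVALID_STATE.
if ($status -band 0x8) { Write-Warning 'SetupStatus has the pending-request bit (0x8) set.' }

# CACertHash (REG_MULTI_SZ) lists the thumbprints of every certificate this CA has had;
# the last entry is the one currently in use.
$hashes  = (Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash
$current = ($hashes | Select-Object -Last 1) -replace ' ', ''
$caCert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $current }
if (-not $caCert) { throw "Current CA certificate $current not found in LocalMachine\My" }

$daysLeft = [int]($caCert.NotAfter - (Get-Date)).TotalDays
Write-Host ("CA cert     : {0}  expires {1:u}  ({2} days left)" -f $caCert.Subject, $caCert.NotAfter, $daysLeft)
# NTE_BAD_KEYSET ("Keyset does not exist") means the key container the certificate
# refers to cannot be opened, so the private-key check is worth doing up front.
Write-Host ("Private key : {0}" -f $(if ($caCert.HasPrivateKey) { 'present' } else { 'MISSING' }))

if (-not $Fix) {
    Write-Host 'Report only. Re-run with -Fix to back up the CA and reset SetupStatus to 1.'
    return
}

# --- backup first ------------------------------------------------------------------
$dir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# certutil -backup saves the CA database, its logs and the CA certificate with its
# private key; it prompts for a password to protect the exported key unless -p is given.
& certutil.exe -backup $dir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit code $LASTEXITCODE)" }

# The registry change is only reversible if the original CertSvc configuration is saved.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' (Join-Path $dir 'CertSvc-Configuration.reg') /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }
Write-Host "Backup written to $dir"

# --- the change from the answer ----------------------------------------------------
Set-ItemProperty -Path $caKey -Name SetupStatus -Value 1 -Type DWord
Restart-Service -Name CertSvc          # CertSvc reads its configuration at start-up
$after = (Get-ItemProperty -Path $caKey -Name SetupStatus).SetupStatus
Write-Host ("SetupStatus now {0}; retry the renewal with: certutil.exe -renewCert ReUseKeys" -f $after)
```

Run it once without -Fix to see the state the CA is in and how long the current certificate has left; the backup directory produced by -Fix is what you would hand to certutil -restore if the renewal then goes the way Todd's first attempt did.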
  2. Anonymous
    2023-09-11T05:54:44+00:00

    Hello TAE2112,

    Thank you for your so detailed reply and explanation. I am so glad to hear that the information I provided was helpful to you and the issue was resolved.

    You'd think that restoring back to a "bad" state would result in the same error, right?
    A: Yes, I think so. However, the result is good. I am so happy.

    And I think the reply from you can also really help other persons with similar issue.

    Thank you again for your time.

    Best Regards,
    Daisy Zhou
