Hello @James Pope
Can you share the output of this so we can see what CSP you are using?
certutil -getreg ca\csp
Most likely one of the keys is marked as non-exportable and you won't be able to fully move the CA. But it may or may not make a difference.
Can you then dump
certutil -getreg ca\cacerthash
This will give you the thumbprint for each of the certificates the CA is using and needs to export. You can then go into the Local Machine Certificates (mmc.exe add Snap In/Certificates/Local Computer) and look in Personal/Certificates and find the 5 certificates. See if you can export them individually to a PFX.
And initially if there are no available values:
Any idea what happened to the previous private keys? Your CA may be unable to properly create the correct CRLs without the previous private keys. If you truly don't have access to the old keys anymore, you can change the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\PDC-CertificateAuthority\cacerthash value: remove the old thumbprints and replace them with a hyphen, like this:
-
-
-
-
ba 01 61 3a 4c 6e 9e 84 bb 6b 72 19 89 77 47 48 4a 02 0d ba
Stop and restart the CA to read the value. I would recommend backing up/exporting the registry key for the CA prior to any changes.
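The checks described in the answer above, collected into one read-only PowerShell script. This is an added example, not part of the original answer; it assumes an elevated session on the CA server, and the backup file name under `$env:TEMP` is an assumption.

```powershell
# Added example: inventory the CA certificates listed in CACertHash.
# Reads the registry and the certificate store; the only thing it writes is a .reg backup.
$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The "Active" value names the CA subkey (PDC-CertificateAuthority in the answer above).
$caName = (Get-ItemProperty -Path $configRoot -Name Active).Active
$caKey  = Join-Path $configRoot $caName

# Back up the CA configuration key before any change, as the answer recommends.
# The file name and location are assumptions; choose a path you control.
$backup = Join-Path $env:TEMP ("CertSvc-config-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName" $backup /y

# Show the CSP/KSP the CA is configured to use.
& certutil.exe -getreg ca\csp

# CACertHash is a multi-string value: one thumbprint per CA certificate index,
# with "-" marking an index whose certificate is not available.
$hashes = @((Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash)

$index  = 0
$report = foreach ($entry in $hashes) {
    $thumb = ($entry -replace '\s', '').ToUpperInvariant()
    $cert  = $null
    if ($thumb -and $thumb -ne '-') {
        # Look the thumbprint up in Local Computer \ Personal \ Certificates.
        $cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
    }
    $notAfter = $null
    if ($cert) { $notAfter = $cert.NotAfter }
    [pscustomobject]@{
        Index         = $index
        Thumbprint    = $(if ($thumb) { $thumb } else { '-' })
        InStore       = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        NotAfter      = $notAfter
    }
    $index++
}

$report | Format-Table -AutoSize
Write-Host "Registry backup written to $backup"
```

`HasPrivateKey` only shows that a key is associated with the certificate, not that it is exportable; the individual PFX export the answer describes is still the test for that.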