Question
Friday, October 7, 2016 3:55 PM
Hi,
I'm in the process of changing our CA so that it can issue SHA256 certificates instead of "only" SHA1 certificates.
However, step 1 is to back up your CA, and this step fails.
From within the Certificate Authority MMC, I try to start a backup:
But it fails:
Ok. So Maybe the private key is missing? How do I tell?
I have the following CA certs:
If I look at the corresponding certs in the Certificate Manager on the CA (Local Computer/Trusted Root Certification Authorities), I can find the certs via the thumbprint.
Certificate #3 definitely has a private key - I'm able to export that cert to a .pfx file.
All replies (4)
Monday, October 10, 2016 3:33 PM ✅Answered | 6 votes
Any idea what happened to the previous private keys? Your CA may be unable to properly create the correct CRLs without the previous private keys. If you truly don't have access to the old keys anymore, you can change the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\PDC-CertificateAuthority\cacerthash value: remove the old thumbprints and replace them with a hyphen, like this:
-
ba 01 61 3a 4c 6e 9e 84 bb 6b 72 19 89 77 47 48 4a 02 0d ba
Stop and restart the CA to read the value. I would recommend backing up/exporting the registry key for the CA prior to any changes.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com
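An added example (not from this thread or from Mark) that does what the answer above describes in a checkable way: it reads the CA's CACertHash value, looks each thumbprint up in the Local Machine Personal store, reports which entries still have a private key, and builds the hyphen-placeholder value. It only writes the value (after exporting the registry key and stopping the CA service) when run with -Apply; the CA name, the backup folder and the store location are assumptions.

```powershell
# Added example, not the thread's own code. Audit CACertHash entries against the
# LocalMachine\My store; optionally back up the key and write the placeholder value.
param(
    [string]$CAName    = 'PDC-CertificateAuthority',  # CA name taken from the thread; adjust for yours
    [string]$BackupDir = 'C:\CABackup',               # assumed location for the .reg export
    [switch]$Apply                                    # default is audit only, nothing is changed
)

$cfgKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
# CACertHash is REG_MULTI_SZ: one spaced, lower-case thumbprint per CA certificate
$hashes = (Get-ItemProperty -Path $cfgKey -Name CACertHash).CACertHash

$newValue = @()
foreach ($entry in $hashes) {
    if ($entry -eq '-') { $newValue += '-'; continue }  # already a placeholder
    $thumb = ($entry -replace '\s', '').ToUpper()        # "ba 01 61 ..." -> "BA0161..."
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if ($null -eq $cert) {
        Write-Warning "$thumb : not found in LocalMachine\My"
        $newValue += '-'
    } elseif (-not $cert.HasPrivateKey) {
        Write-Warning "$thumb : certificate present but no private key (NotAfter $($cert.NotAfter))"
        $newValue += '-'
    } else {
        Write-Host "$thumb : has private key (NotAfter $($cert.NotAfter))"
        $newValue += $entry   # keep the original spaced format the CA expects
    }
}

Write-Host "`nProposed CACertHash value:"
$newValue | ForEach-Object { "  $_" }

if ($Apply) {
    # Back up the whole Configuration key first, as the answer recommends.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $regFile = Join-Path $BackupDir ("CertSvc-Configuration-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" $regFile /y | Out-Null
    # The CA reads CACertHash at start-up, so stop it, write the value, start it again.
    # Caveat from the answer: entries replaced by '-' can no longer be used to sign CRLs
    # for certificates issued under those older CA keys.
    Stop-Service CertSvc
    Set-ItemProperty -Path $cfgKey -Name CACertHash -Value ([string[]]$newValue)
    Start-Service CertSvc
}
```

Run it without -Apply first and compare its report with the output of certutil -getreg ca\cacerthash before deciding whether any entry should really be replaced.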
Friday, October 7, 2016 7:19 PM | 1 vote
Can you share the output of this so we can see what CSP you are using?
certutil -getreg ca\csp
Most likely one of the keys is marked as non-exportable and you won't be able to fully move the CA. But it may or may not make a difference.
Can you then dump
certutil -getreg ca\cacerthash
This will give you the thumbprint for each of the certificates the CA is using and needs to export. You can then go into the Local Machine Certificates (mmc.exe add Snap In/Certificates/Local Computer) and look in Personal/Certificates and find the 5 certificates. See if you can export them individually to a PFX.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com
Monday, October 10, 2016 8:23 AM
Hi Mark,
Thanks for your reply.
certutil -getreg ca\csp produces the following output:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\PDC-CertificateAuthority\csp:
Values:
ProviderType REG_DWORD = 0
Provider REG_SZ = Microsoft Software Key Storage Provider
HashAlgorithm REG_DWORD = 8004 (32772)
CALG_SHA1
Algorithm Class: 0x8000(4) ALG_CLASS_HASH
Algorithm Type: 0x0(0) ALG_TYPE_ANY
Algorithm Sub-id: 0x4(4) ALG_SID_SHA1
CNGPublicKeyAlgorithm REG_SZ = RSA
CNGHashAlgorithm REG_SZ = SHA1
MachineKeyset REG_DWORD = 1
CertUtil: -getreg command completed successfully.
certutil -getreg ca\cacerthash produces a list of the 5 certificates. Only cert #4 contains a private key.
0: b7 7b 23 50 eb b2 70 76 ef 7e 5c 4e b7 da 6a c4 f0 8a 02 b3
No Private key (expired)
1: b1 8f a8 28 1f 6b af 54 f8 fc 41 ab fa f9 4c 21 b0 c2 d9 c9
No Private key
2: b1 6f bd e0 b1 17 fe ea a2 ad 4c cf 7e b0 89 7c 86 a0 e9 e9
No Private key
3: 4f 9e 9a 23 f0 d0 1c 23 6c e2 bd df f9 93 4e cc 10 a5 3c b5
No Private key
4: ba 01 61 3a 4c 6e 9e 84 bb 6b 72 19 89 77 47 48 4a 02 0d ba
Has private key and is exportable
Saturday, October 22, 2016 9:43 AM
Hi,
Is further assistance required at the moment?
Best Regards,
Amy
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.