Migrating a CA to a new server - CA services won't start

Asked Aug 16 '23 at 10:37

Active Aug 16 '23 at 14:04

Viewed 33 times

We have an Enterprise Root CA running on Server 2012 R2. I built a replacement server running Server 2019 and followed the steps in the below article, I backed up the CA and relevant registry keys, then restored them to the new server. I followed every step exactly. https://www.starwindsoftware.com/blog/migrate-root-ca-to-a-new-server

When trying to start the CA services, I get an error stating "certificate services won't start 0x80090016 (-2146893802 nte_bad_keyset)"

Bad_KeySet_Error

In event viewer the error is slightly longer but is pretty much the same...

active directory certificate services did not start: could not load or verify the current ca certificate. keyset does not exist 0x80090016 (-2146893802 nte_bad_keyset).

I've been researching for hours but cannot find a solution. I saw a suggestion to create a new certificate and key but that's not an option for us due to our AOVPN relying on the current root CA certificate.

edited Aug 16 '23 at 14:04

Greg Askew

35,880
5
54
82

asked Aug 16 '23 at 10:37

LeeCS

Has your CA been updated to support signing with an algorithm other than SHA1? – Greg Askew Aug 16 '23 at 11:24
Yes. Our root ca certificate is SHA256. – LeeCS Aug 16 '23 at 12:51
Had you previously switched over from a CSP to Key Storage Provider KSP? – Greg Askew Aug 16 '23 at 15:59

Migrating a CA to a new server - CA services won't start

0 Answers0