0

Cert services show error: Event ID: 5 Description: Certificate Services could not find required registry information. The Certificate Services may need to be reinstalled.

I have manualy removed CA from server following instructions: http://support.microsoft.com/kb/889250-. On this server is Exchange with OWA, and ISA 2004 server. Now some clients in a domain have issues connecting to internet using SSL (https) because IE constantly asks for username and passw to connect to domain, and ISA log shows "Failed connection attempt".

I have bean thinking to:

  • reinstall on same server Cert services with same name or different name

  • install AD Cert services on another server with same name or different name

What should I do to solve this issue? I am in a big trouble becouse of it, so please help.

user2344423
  • 3
  • 2

1 Answers1

0

Well, you're in some kind of a mess, that's for sure. First, you do NOT install a CA on an exchange server, DC or, in fact, any machine that has other roles. That's a receipt for disaster. The proper setup of a CA is that you pick a server to be your root (preferably an offline root CA), and a second server to act as your intermediate CA for other needs.

You do it that way so that, in case something happen to the intermediate CA (like it happened to yours), you can revoke it from your root CA and build a new one without too many issue.

Now, you haven't specified what what type of CA you deployed (standalone of AD-integrated) but, from the problems you describe, I assume it's an AD-integrated one.

Assuming the above is correct, here is your situation: you have a CA that have been used to issue certificates that is now disabled. That CA is used by all your machine for automatic certificate enrollment and you further used these certificate for authentication.

Now, if you have the system setup properly, what you should have done is: revoke the old intermediate CA on the root, publish the new CRL, install another intermediate CA and re-issue the certificates. You might also have to use ADSI edit to re-target the enrollment service LDAP entry.

In your case, you cannot do this this way. You will have to either try to perform a migration of your authority (assuming you still have access to the private key linked to your root CA or can recover it) or start from scratch with a new authority.

If you decide to create a new authority, here is what you should do:

  • If you can't use different servers for a root CA and intermediate CA, at least dedicate a machine to be your root. You can also opt to create a root CA using OpenSSL and use that CA to sign an AD-integrated Intermediate CA but be aware that you will have to manually generate new CRLs now and then for that root (you can, however, install that root on the same machine assuming you protect it properly). I would use a new server name to make sure you do not mix the new and old roots (which can cause problems and confusion) but you could reuse the same name if you want.
  • Once you have a new CA hierarchy, distribute the new root using group policies to all the machines in your domain. Add the root to the "trusted root certificate authorities" store and the intermediate CA to the "Intermediate Certificate Authority" store (the second step is mostly a precaution).
  • Locally force the old CA to be untrusted. For that, use group policies to add the public certificate to the "Untrusted Certificates" store.
  • Re-target the enrollment services to your new server. For that, use adsiedit to navigate to Configuration / services / Public Key Services / Enrollment Services and remove the reference to the old CA server (the new one should already have been registered there).
  • Re-issue all the certificates that you need. If you've setup the CA properly, any certificate that uses automatic enrollment will be re-generated automatically from the new CA and the old one will be discarded. Unless you're sure that these certificates have NOT been used for encryption, do NOT delete them fro the client machines/accounts.

(P.S. Don't feel too bad about not having set this up properly in the first place: CA management is hard and doing it wrong is extremely easy. MS made it even easier to mess it up by making certificate services so easy and quick to install: you're practically doomed to get it wrong the first time around unless you know exactly what you're doing).

Community
  • 1
Stephane
  • 6,432
  • 3
  • 26
  • 47
  • Yes You are right CA is AD-integrated. Allso migration according MS instructions is not an option because CS on isn't working at all. – user2344423 Sep 10 '13 at 10:16
  • And all what's left after I manualy delete files are systemroot\CertLog\dcert.edb file and some logs. In AD Sites and services In folder Public key services AIA, Cert Authorities, Enrollment Services are empty. In KRA there is a file name "dcert" msPKI PrivateKeyRecoveryAgent. Please clarify if I chose to install AD CS on new server, it wouldnt be a problem for ISA or Exchang on "old" server? And should I do some changes in Public Key Services of old server ? Thank you very much for your answers – user2344423 Sep 10 '13 at 10:38
  • It looks like you never had auto-enrollment setup, then. PrivateKeyrecovery agent is related to the (ahem) private key recovery agent service: an extra pair of keys used to recover data encrypted with a lost key. If you have set it up, then you MUST setup a new one. – Stephane Sep 10 '13 at 11:59
  • As for Exchange and ISA, is all depends on what authority was used to generate the X509 certs they use for SSL: if it was the old CA then you will need to issue a new certificate for each one of these and install them, preferably before you add the old cert to the "untrusted certificate" list – Stephane Sep 10 '13 at 12:01