Score:1

Stuck trying to remove Certificate Authority role from a Windows 2019 AD domain controller


I am trying to remove the Certificate Authority role from a Windows 2019 AD domain controller and am stuck at Step 5, Item 4 "Delete the private key that is associated with the CA" of the following MS KB article:
How to decommission a Windows enterprise certification authority and remove all related objects
I can't get past the following error:

  CertUtil: -delkey command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
  CertUtil: Keyset does not exist

Can someone please tell me what I am doing wrong?
Here are my commands:

  C:\Users\theadmin>certutil -shutdown
  CertUtil: -shutdown command completed successfully.
    
  C:\Users\theadmin>certutil -getreg CA\CSP\Provider
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\bennett-SYDDC03-CA\CSP:
    Provider REG_SZ = Microsoft Software Key Storage Provider
  CertUtil: -getreg command completed successfully.

  C:\Users\theadmin>certutil -CSP KSP -Key
  Microsoft Software Key Storage Provider:
  bennett-SYDDC03-CA-Xchg(365)
  4d183c7256e5a7ea7f353e66e42df2e3_ae2176ee-5d82-4797-a135-97e409c6ec69
  RSA
    AT_KEYEXCHANGE

  iisCngWasKey
  597367cc37b886d7ee6c493e3befb421_ae2176ee-5d82-4797-a135-97e409c6ec69
  SP800_108_CTR_HMAC
  KEY_DERIVATION

  bennett-SYDDC03-CA
  9cbcfcd7540d895eab9505d386b02142_ae2176ee-5d82-4797-a135-97e409c6ec69
  RSA
    AT_KEYEXCHANGE

  iisCngConfigurationKey
  f0e91f6485ac2d09485e4ec18135601e_ae2176ee-5d82-4797-a135-97e409c6ec69
  SP800_108_CTR_HMAC
  KEY_DERIVATION

  CertUtil: -key command completed successfully.

  C:\Users\theadmin>certutil -delkey "bennett-SYDDC03-CA"
  CertUtil: -delkey command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
  CertUtil: Keyset does not exist

  C:\Users\theadmin>certutil -delkey "bennett-SYDDC03-CA-Xchg(365)"
  CertUtil: -delkey command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
  CertUtil: Keyset does not exist
Sounds like the keys are already deleted and only container references are left, so you can move to the next step in the CA decommissioning process.
I hope this is the case. Thank you Crupt32 :) Do you know if there is a way I can confirm that there are no keys still remaining?
Score:2

When you have the Microsoft Software Key Storage Provider as the provider, you also need to add -CSP KSP to the delete command for it to be successful.

  certutil -CSP KSP -delkey CertificateAuthorityName

In your case:

  certutil -CSP KSP -delkey "bennett-SYDDC03-CA"
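The following PowerShell script is an added example and is not code from the question or the answer above. It strings together the three certutil verbs that appear in this thread (-getreg CA\CSP\Provider, -CSP KSP -key, -CSP KSP -delkey) so that the KSP check, the deletion of the CA key and its -Xchg(n) exchange containers, and the verification the asker wanted ("are there any keys still remaining?") run as one step. The $CaName parameter is a placeholder; for this thread it would be "bennett-SYDDC03-CA". The parsing of the -key listing (one container name per line, compared after trimming) is an assumption based on the output shown in the question.

```powershell
# Added example, not code from the original post or the answer.
# Deletes a CA's private key from the Microsoft Software Key Storage Provider (KSP) and
# then verifies that no container with that CA's name remains, using only the certutil
# verbs shown in the thread. $CaName is a placeholder (the thread's value is
# "bennett-SYDDC03-CA"). Run from an elevated prompt on the CA itself.
param(
    [Parameter(Mandatory = $true)]
    [string]$CaName
)

function Get-CaKspContainers {
    param([string]$Name)
    # Assumption: certutil -CSP KSP -key prints each container name on its own line,
    # as in the question's output. We keep the CA signing key and any key-exchange
    # containers it created, which follow the "<CA name>-Xchg(<n>)" pattern.
    $listing = & certutil -CSP KSP -key 2>&1
    return @($listing | ForEach-Object { "$_".Trim() } |
        Where-Object { $_ -eq $Name -or $_ -like "$Name-Xchg(*)" })
}

# 1. Confirm the CA really uses the software KSP. Without -CSP KSP, certutil -delkey
#    looks in the legacy CryptoAPI provider, where a KSP key is never found.
$providerText = (& certutil -getreg CA\CSP\Provider 2>&1) | Out-String
if ($providerText -notmatch 'Microsoft Software Key Storage Provider') {
    throw "CA\CSP\Provider is not the software KSP; do not use -CSP KSP for this CA."
}

# 2. Stop the CA service so the key is not in use, then delete every matching container.
& certutil -shutdown | Out-Null

$before = Get-CaKspContainers -Name $CaName
if ($before.Count -eq 0) {
    Write-Output "No KSP containers named '$CaName' (or '$CaName-Xchg(n)') exist; nothing to delete."
}
foreach ($container in $before) {
    & certutil -CSP KSP -delkey $container | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil -CSP KSP -delkey '$container' failed with exit code $LASTEXITCODE"
    }
}

# 3. Verify: list the provider again and report what, if anything, is still there.
$after = Get-CaKspContainers -Name $CaName
if ($after.Count -eq 0) {
    Write-Output "Verified: no KSP key containers for '$CaName' remain. Continue with the next decommissioning step."
} else {
    Write-Output "Still present in the KSP: $($after -join ', ')"
}
```

The verification in step 3 is the same listing command the asker already ran (certutil -CSP KSP -key); the script only automates the comparison, so an empty result for both the CA name and its -Xchg(n) containers is the confirmation asked for in the comments.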
