Score:0

Migrating a CA to a new server - CA services won't start

We have an Enterprise Root CA running on Server 2012 R2. I built a replacement server running Server 2019 and followed the steps in the article below. I backed up the CA and relevant registry keys, then restored them to the new server. I followed every step exactly. https://www.starwindsoftware.com/blog/migrate-root-ca-to-a-new-server

When trying to start the CA services, I get an error stating "certificate services won't start 0x80090016 (-2146893802 nte_bad_keyset)"

In Event Viewer the error is slightly longer but is pretty much the same...

active directory certificate services did not start: could not load or verify the current ca certificate. keyset does not exist 0x80090016 (-2146893802 nte_bad_keyset).

I've been researching for hours but cannot find a solution. I saw a suggestion to create a new certificate and key but that's not an option for us due to our AOVPN relying on the current root CA certificate.

Has your CA been updated to support signing with an algorithm other than SHA1?

LeeCS: Yes. Our root CA certificate is SHA256.

Had you previously switched over from a CSP to a Key Storage Provider (KSP)?