CA Cluster Private Key Backup Error
I am (freaking out) trying to back up our intermediate CA's private key and public certificate via the command line and via the GUI and am receiving error messages. I've searched high and low regarding these errors and haven't found anything useful. If you have any ideas as to the issue, please help.
From the ADCS mmc running the All Tasks > Backup CA..., I checked "Private key and CA Certificate", gave it a path to an empty folder, set a password, click finish and received the following message.
Window Title: Certificate Authority Backup Wizard
Error Message: Windows cannot back up one or more private keys because the CSP does not support key export. Do you want to continue and backup only the private keys that can be exported? OK/Cancel
Hitting OK, I get a password-protected public certificate, but no private key.
From the command line:
C:\>certutil -backupkey C:\certkey
Enter new password:
Confirm new password:
CertUtil: -backupKey command FAILED: 0x8009000b (-2146893813)
CertUtil: Key not valid for use in specified state.
In setting up the CA cluster, on the first node we chose the following options:
CSP = RSA#Microsoft Software Key Storage Provider
Key Character Length = 3072
Hash Algorithm for signing certs by this CA = SHA512
June 9th, 2010 11:32pm
After failing the cluster resource group back to the first node in the cluster, the backup worked fine.
June 9th, 2010 11:42pm
I'm getting the same error after trying to renew the CA cert on the cluster.
It's renewed on one node, now I figure I have to import it to the other node. But instead I've got a cluster I can't fail over, and a cert I can't backup/restore.
Any suggestions?
July 30th, 2010 9:18am
Did you follow this procedure while renewing?
http://blogs.technet.com/b/askds/archive/2010/01/07/clustered-certification-authority-maintenance-tasks.aspx
July 30th, 2010 10:52am
Hi Martin - sure did! When I resume the second node, all good. When I try to fail over to it, I get:
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 8/3/2010 4:11:05 PM
Event ID: 100
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Description:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. The system cannot find the file specified. 0x80070002 (WIN32: 2).
I thought that it might need the backup/restore certificate step done during the set up of the cluster. But this is when I get the CSP error.
August 3rd, 2010 10:04am
Have you tried to export the certificate using MMC?
August 3rd, 2010 11:42am
Have you checked that the subordinate certificate (with private key) is on the other node?
This error may indicate that it does not have it, so if you need to fail over on a later time your PKI will stop working.
The clustering of the CA service is not the best implemented, so one has to make sure everything is in place.
Regards
Morten
August 3rd, 2010 12:00pm
In my case only 1 of 2 nodes had the private key marked as exportable. I re-exported the certificate with private key from the good host and imported it on the second node, checking the box to allow it to be exported, and my backup issue was resolved.
Good luck, jundsey.
August 3rd, 2010 3:07pm
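An added check, not posted by anyone in this thread, that puts the two diagnoses above (CA cert missing on a node, or present with a non-exportable key) into one script: it asks each node whether the CA certificate is in its machine store with a private key and what that key's export policy is. Node names and the CA thumbprint are placeholders; it assumes Windows PowerShell 5.1 / .NET 4.6+ on the nodes and PowerShell remoting enabled.

```powershell
# Added example (not from the thread). Checks every cluster node for the CA certificate
# and its private-key export policy. $Nodes and $CaThumbprint are placeholders to fill in.
param(
    [string[]]$Nodes = @('NODE1', 'NODE2'),          # placeholder node names
    [string]$CaThumbprint = '<CA-CERT-THUMBPRINT>'    # placeholder; copy it from the CA MMC
)

$check = {
    param($Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        # Missing on this node: a failover here cannot load the CA certificate at all
        return [pscustomobject]@{ Node = $env:COMPUTERNAME; Present = $false
                                  HasPrivateKey = $false; ExportPolicy = 'n/a' }
    }
    $policy = 'unknown'
    if ($cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # KSP (CNG) keys, e.g. "RSA#Microsoft Software Key Storage Provider": the CngKey
                # carries the export policy; 'None' means the key cannot be backed up
                $policy = $rsa.Key.ExportPolicy.ToString()
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP keys report exportability through CspKeyContainerInfo
                $policy = if ($rsa.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
            }
        } catch { $policy = "error: $($_.Exception.Message)" }
    }
    [pscustomobject]@{
        Node          = $env:COMPUTERNAME
        Present       = $true
        HasPrivateKey = $cert.HasPrivateKey
        ExportPolicy  = $policy
    }
}

$results = foreach ($n in $Nodes) {
    Invoke-Command -ComputerName $n -ScriptBlock $check -ArgumentList $CaThumbprint
}
$results | Format-Table -AutoSize
```

A node that reports Present = False is the one that will fail to start the CA after a failover; a node whose ExportPolicy is None is the one on which "certutil -backupkey" and the Backup CA wizard cannot export the key.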
Yes same error using MMC as well as cmd line ...
August 4th, 2010 6:52am
Hi Lerun, thanks for the suggestion. This is definitely the core of the problem. When I bring the cluster online and fail it over, the cluster seems to remove the new certificate. Even when I fail it back to the so-called working node, the new CA cert is gone. Very strange. I might just rebuild; it's in our test environment so I have the luxury of rebuilding!
August 4th, 2010 6:53am
Thanks Spork - are you using an HSM? I think that's only required if you're using an HSM ...
August 4th, 2010 8:00am
I had similar problems while renewing a cluster. I solved it by pausing the inactive node and removing registry replication before renewing. After the renewal process I brought the ADCS online and set the registry replication. Afterwards I installed the cert on the paused node, resumed the cluster and failed over. Everything worked like a charm then.
August 4th, 2010 9:31am
In my experience the registry replication can do strange things; I second Martin.
August 4th, 2010 10:29am
So after rebuilding the cluster I noticed that Enterprise PKI is showing the cluster as offline ... though I can clearly see it's online in Failover Cluster Manager. I can't request a cert; I get the RPC error.
Can anyone put these clues together? I've checked permissions in AD, I've checked the firewall ... not sure what could be causing this.
August 6th, 2010 4:55am
It was the Enrollment Services container ... the nodes didn't have full control, only the cluster account did! Thanks all for your assistance.
August 6th, 2010 5:30am