CA certificate Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET).

I can't renew a subordinate (W2K12) CA because the root (W2K12) CA service is not running; every time I try to start the service on the root CA, I get the following error.

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. (companyXXXX) Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET).

I have found some articles, but the solutions haven't worked for me at all.
Thanks in advance for your help.


  • Edited by caracos Saturday, July 25, 2015 3:00 AM
July 25th, 2015 12:21am

What's the history of the Root CA? If there is a subordinate that is needing renewal, I would suspect the CAs have been around for a while. Is it possible the Root CA was migrated from another OS in the past?

A few details would help. Can you provide the following details?

1) certutil -getreg ca

2) Debug logs:

certutil -setreg ca\debug 0xffffffe3

try to start certificate services

provide contents of %windir%\certsrv.log

certutil -delreg ca\debug

July 25th, 2015 12:19pm

What's the history of the Root CA? The Root CA was off for a long time and was turned on because the subordinate CA has to be renewed.

If there is a subordinate that is needing renewal, I would suspect the CAs have been around for a while. That's correct.

Is it possible the Root CA was migrated from another OS in the past? No, it's not. The servers were built from scratch.

A few details would help. Can you provide the following details?

1) certutil -getreg ca

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\xxxxxxxxRootCA:

Keys:
  CSP
  EncryptionCSP
  ExitModules
  PolicyModules

Values:
  DSConfigDN               REG_SZ = CN=Configuration,DC=xxxxxx,DC=xxx
  DSDomainDN               REG_SZ = DC=xxxxxx,DC=xxx
  ViewAgeMinutes           REG_DWORD = 10 (16)
  ViewIdleMinutes          REG_DWORD = 8
  CAType                   REG_DWORD = 3
    ENUM_STANDALONE_ROOTCA -- 3

  UseDS                    REG_DWORD = 1
  ForceTeletex             REG_DWORD = 12 (18)
    ENUM_TELETEX_AUTO -- 2
    ENUM_TELETEX_UTF8 -- 10 (16)

  SignedAttributes         REG_MULTI_SZ =
    0: RequesterName

  EKUOIDsForPublishExpiredCertInCRL REG_MULTI_SZ =
    0: 1.3.6.1.5.5.7.3.3 Code Signing
    1: 1.3.6.1.4.1.311.61.1.1 Kernel Mode Code Signing

  CommonName               REG_SZ = xxxxxxxxRootCA

  Enabled                  REG_DWORD = 1
  PolicyFlags              REG_DWORD = 0
  CertEnrollCompatible     REG_DWORD = 0
  CRLEditFlags             REG_DWORD = 100 (256)
    EDITF_ENABLEAKIKEYID -- 100 (256)

  CRLFlags                 REG_DWORD = 2
    CRLF_DELETE_EXPIRED_CRLS -- 2

  InterfaceFlags           REG_DWORD = 641 (1601)
    IF_LOCKICERTREQUEST -- 1
    IF_NOREMOTEICERTADMINBACKUP -- 40 (64)
    IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)
    IF_ENFORCEENCRYPTICERTADMIN -- 400 (1024)

  EnforceX500NameLengths   REG_DWORD = 1
  SubjectTemplate          REG_MULTI_SZ =
    0: Mail
    1: CommonName
    2: OrganizationalUnit
    3: Organization
    4: Locality
    5: State
    6: DomainComponent
    7: Country

  ClockSkewMinutes         REG_DWORD = a (10)
  LogLevel                 REG_DWORD = 3

  HighSerial               REG_DWORD = 16 (22)
  CAServerName             REG_SZ = xxxxxxxxx.xxxxxxxx.xxx
  ValidityPeriod           REG_SZ = Years
  ValidityPeriodUnits      REG_DWORD = 1
  KRACertHash              REG_MULTI_SZ =

  KRACertCount             REG_DWORD = 0
  KRAFlags                 REG_DWORD = 0

  CRLPublicationURLs       REG_MULTI_SZ =
    0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
    CSURL_SERVERPUBLISH -- 1
    CSURL_SERVERPUBLISHDELTA -- 40 (64)

    1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
    CSURL_SERVERPUBLISH -- 1
    CSURL_ADDTOCERTCDP -- 2
    CSURL_ADDTOFRESHESTCRL -- 4
    CSURL_ADDTOCRLCDP -- 8
    CSURL_SERVERPUBLISHDELTA -- 40 (64)

    2: 0:http://%1/CertEnroll/%3%8%9.crl

    3: 0:file://%1/CertEnroll/%3%8%9.crl

    4: 6:http://yyyyyyyyyy.yyyyyyyy.yyy/certdata/%3%8%9.crl
    CSURL_ADDTOCERTCDP -- 2
    CSURL_ADDTOFRESHESTCRL -- 4


  CRLPeriod                REG_SZ = Years
  CRLPeriodUnits           REG_DWORD = 5

  CRLOverlapPeriod         REG_SZ = Hours
  CRLOverlapUnits          REG_DWORD = 0
  CRLDeltaPeriod           REG_SZ = Days
  CRLDeltaPeriodUnits      REG_DWORD = 0
  CRLDeltaOverlapPeriod    REG_SZ = Minutes

  CRLDeltaOverlapUnits     REG_DWORD = 0
  CAXchgValidityPeriod     REG_SZ = Weeks
  CAXchgValidityPeriodUnits REG_DWORD = 1
  CAXchgOverlapPeriod      REG_SZ = Days
  CAXchgOverlapPeriodUnits REG_DWORD = 1

  MaxIncomingMessageSize   REG_DWORD = 10000 (65536)
  MaxIncomingAllocSize     REG_DWORD = 10000 (65536)
  CACertPublicationURLs    REG_MULTI_SZ =
    0: 1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
    CSURL_SERVERPUBLISH -- 1

    1: 3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
    CSURL_SERVERPUBLISH -- 1
    CSURL_ADDTOCERTCDP -- 2

    2: 0:http://%1/CertEnroll/%1_%3%4.crt

    3: 0:file://%1/CertEnroll/%1_%3%4.crt

    4: 2:http://yyyyyyyyyyy.yyyyyyyyy.yyy/certdata/%1%3%4.crt
    CSURL_ADDTOCERTCDP -- 2


  CACertHash               REG_MULTI_SZ =
    0: nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn

  Security                 REG_BINARY =
    Allow CA Administrator      BUILTIN\Administrators
    Allow Certificate Manager   BUILTIN\Administrators
    Allow CA Administrator      xxxxxxxxxx\Domain Admins
    Allow Certificate Manager   xxxxxxxxxx\Domain Admins
    Allow CA Administrator      xxxxxxxxxxx\Enterprise Admins
    Allow Certificate Manager   xxxxxxxxxxxx\Enterprise Admins
    Allow Enroll        NT AUTHORITY\Authenticated Users


  SetupStatus              REG_DWORD = 1
    SETUP_SERVER_FLAG -- 1

  CRLNextPublish           REG_BINARY = 6/26/2019 11:24 AM
  CAXchgCertHash           REG_MULTI_SZ =
    0: nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn

  AuditFilter              REG_DWORD = 7f (127)
CertUtil: -getreg command completed successfully.

2) Debug logs:

certutil -setreg ca\debug 0xffffffe3

try to start certificate services

provide contents of %windir%\certsrv.log


========================================================================
Opened Log: 7/25/2015 3:57 PM 38.996s
GMT - 4.00
certca.dll: 6.3:9600.17415 retail
certsrv.exe: 6.3:9600.17480 retail
503.1861.0:<2015/7/25, 15:57:39>: 0x0 (WIN32: 0)
508.1341.0:<2015/7/25, 15:57:39>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND): DBMaxReadSessionCount
468.129.0:<2015/7/25, 15:57:39>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
437.625.0:<2015/7/25, 15:57:39>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): OfficerRights
437.625.0:<2015/7/25, 15:57:39>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): EnrollmentAgentRights
437.625.0:<2015/7/25, 15:57:39>: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND): RoleSeparationEnabled
CertSrv: Opening Database C:\Windows\system32\CertLog\xxxxxxxxxxxxxxRootCA.edb
CertSrv: Database open
420.385.0:<2015/7/25, 15:57:40>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
452.722.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET): xxxxxxxxxxxxxxRootCA
513.761.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
513.8999.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET): xxxxxxxxxxxxxxRootCA
513.9034.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
452.722.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET): xxxxxxxxxxxxxxRootCA
513.761.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
513.8999.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET): xxxxxxxxxxxxxxRootCA
513.9031.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
513.9440.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
513.12895.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
508.2108.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
503.1324.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
503.1876.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
503.1571.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
517.270.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
503.2141.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
503.2205.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertSrv: Exit Status = Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)


certutil -delreg ca\debug

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\xxxxxxxxxxRootCA\debug:

Old Value:
  debug REG_DWORD = ffffffe3 (-29)
CertUtil: -delreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.


July 25th, 2015 4:16pm
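As an added example that is not part of the thread, here is a small PowerShell parser for the certsrv.log format pasted above. Each entry has the shape `module.line.0:<date, time>: 0xHRESULT (description)[: context]`; the parser flags entries whose HRESULT has the severity bit set and returns the first one, so the NTE_BAD_KEYSET line stands out from the 0x2 (ERROR_FILE_NOT_FOUND) lines that only record optional registry values (DBMaxReadSessionCount, OfficerRights, ...) being absent. The sample lines are constructed from the log in the post, with a placeholder CA name; for a real run, feed it `Get-Content "$env:windir\certsrv.log"` after the debug capture described in the reply above.

```powershell
# Added example, not from the thread: parse certsrv.log entries and surface
# the first failing HRESULT. The sample lines below are constructed.
function ConvertFrom-CertSrvLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    # module.line.0:<date, time>: 0xHHHHHHHH (description)[: context]
    $pattern = '^(?<src>\d+\.\d+\.\d+):<(?<ts>[^>]+)>:\s*(?<hr>0x[0-9A-Fa-f]+)\s*\((?<desc>[^)]*)\)(?::\s*(?<ctx>.*))?$'

    foreach ($line in $Lines) {
        # Banner lines and "CertSrv: ..." status lines do not match and are skipped.
        if ($line -match $pattern) {
            $hr = [Convert]::ToUInt32($Matches.hr.Substring(2), 16)
            [pscustomobject]@{
                Source      = $Matches.src
                Time        = $Matches.ts
                HResult     = ('0x{0:X8}' -f $hr)
                Description = $Matches.desc
                Context     = $Matches.ctx
                # Severity bit (0x80000000) set means a failure HRESULT; plain Win32
                # codes such as 0x2 here are lookups of optional registry values.
                IsFailure   = ($hr -ge 2147483648)
            }
        }
    }
}

function Get-FirstCertSrvFailure {
    param([Parameter(Mandatory)][string[]]$Lines)
    ConvertFrom-CertSrvLog -Lines $Lines | Where-Object IsFailure | Select-Object -First 1
}

# Constructed sample patterned on the log in the thread ("ExampleRootCA" is a placeholder).
$sample = @(
    '503.1861.0:<2015/7/25, 15:57:39>: 0x0 (WIN32: 0)',
    '508.1341.0:<2015/7/25, 15:57:39>: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND): DBMaxReadSessionCount',
    'CertSrv: Database open',
    '452.722.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET): ExampleRootCA',
    '513.761.0:<2015/7/25, 15:57:40>: 0x80090016 (-2146893802 NTE_BAD_KEYSET)',
    'CertSrv: Exit Status = Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET)'
)

$first = Get-FirstCertSrvFailure -Lines $sample
"First failure: $($first.HResult) $($first.Description) at $($first.Source) (context: $($first.Context))"

# Any code can be decoded on the CA itself with:  certutil -error 0x80090016
```

The context field of the first failure is the CA name the service was trying to open a key for, which is what ties the log to the "Keyset does not exist" message in the event log: the certificate loads, but the private key behind it cannot be opened.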


Appreciate the modification for privacy, so you will have to translate this to your specific environment. On the CA registry output, there was a value called CACertHash. Note this value, it will replace the <CACertHash> value below.

certutil -store MY "<CACertHash>"

If that reports an error about the key container, which I suspect it will, run the following to see if the key and certificate can be re-linked.

certutil -repairstore MY "<CACertHash>"

July 25th, 2015 9:12pm

It didn't throw an error, here's the output.

C:\Windows\System32\CertLog>certutil -store MY "nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn"

MY "Personal"
================ Certificate 0 ================
Serial Number: nnnnnnnnnnnnnnnnnnnnnnnnnnn
Issuer: CN=xxxxxxxxxxxxxRootCA, DC=xxxxxxx, DC=xxx
 NotBefore: 6/17/2014 9:50 AM
 NotAfter: 6/17/2019 10:00 AM
Subject: CN=xxxxxxxxxxxxRootCA, DC=xxxxxxxx, DC=xxx
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn
  Key Container = xxxxxxxxRootCA
  Provider = Microsoft Software Key Storage Provider
Missing stored keys
Encryption test passed
CertUtil: -store command completed successfully.

The second command showed the error below, and a security window came up asking to "select smart card device". I'm not using that, so I clicked the cancel button; here's the output.

C:\Windows\System32\CertLog>certutil -repairstore MY "nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn"
MY "Personal"
================ Certificate 0 ================
Serial Number: nnnnnnnnnnnnnnnnnnnnnnnnnn
Issuer: CN=STWSVPKI001RootCA, DC=washgas, DC=com
 NotBefore: 6/17/2014 9:50 AM
 NotAfter: 6/17/2019 10:00 AM
Subject: CN=xxxxxxxxxxxxRootCA, DC=xxxxxx, DC=xxx
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn
  Key Container = xxxxxxxxxxxxxRootCA
  Provider = Microsoft Software Key Storage Provider
Missing stored keyset
Encryption test passed
CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808 NTE_PERM)
CertUtil: Access denied.

July 25th, 2015 10:56pm


Ok, let's see if the key file exists. Run the first command again, replacing the hash as above.


certutil -store MY "<CACertHash>"

In the output, note the value of "Key Container"; it will be a GUID-like entry similar to: f3a0399245a1a2e8573aa5ba33704306_6a575a61-37ca-4ebe-a74a-7076c

Then, open Explorer and navigate to %programdata%\Microsoft\Crypto\RSA\MachineKeys. Look for a filename that matches the GUID from above.

If it's not there, then someone or something deleted the key. Your only option is to restore the key/CA from a system state backup, or if you have a backup of the CA certificate including the private key (which would be a p12/pfx

July 26th, 2015 11:48am
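As an added example that is not part of the thread, the following PowerShell function performs the check the last two replies are doing by hand: it reads CACertHash from the CertSvc registry key, finds that certificate in LocalMachine\My, and then actually tries to open the private key instead of trusting the "Key Container" property. That distinction matters here: `HasPrivateKey` (and certutil's "Key Container = ...") only tells you the certificate references a container, while a dangling reference fails to open with NTE_BAD_KEYSET, which is exactly what the service logged. The function also reports where the key file should live: the `-store` output above shows `Provider = Microsoft Software Key Storage Provider`, which is a CNG key, and CNG machine keys are stored under `%ProgramData%\Microsoft\Crypto\Keys`, whereas the `RSA\MachineKeys` folder holds legacy CAPI keys. `ExampleRootCA` is an assumed CA instance name; the code needs an elevated prompt on the CA and .NET Framework 4.6 or later (for `GetRSAPrivateKey`).

```powershell
# Added example, not from the thread: verify that the CA certificate's private key
# can actually be opened, and locate its key file. $CAName is an assumption.
function Test-CAPrivateKey {
    param([Parameter(Mandatory)][string]$CAName)

    $reg    = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
    $hashes = (Get-ItemProperty -Path $reg -Name CACertHash).CACertHash
    # CACertHash is REG_MULTI_SZ, one entry per CA certificate; the last one is current.
    $thumb  = (@($hashes)[-1] -replace '\s', '').ToUpperInvariant()

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $cert) { throw "Certificate $thumb not found in LocalMachine\My" }

    $result = [ordered]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        HasKeyProperty = $cert.HasPrivateKey   # true if a key container is merely referenced
        KeyOpens       = $false
        Provider       = $null
        KeyFile        = $null
        KeyFileFound   = $false
        Error          = $null
    }

    try {
        # Opening the key is the real test: a dangling container reference still
        # reports HasPrivateKey = True but throws "Keyset does not exist" here.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { throw 'No RSA private key handle returned' }
        $result.KeyOpens = $true
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG (Key Storage Provider) keys: file lives under %ProgramData%\Microsoft\Crypto\Keys
            $result.Provider = $rsa.Key.Provider.Provider
            $result.KeyFile  = $rsa.Key.UniqueName
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI keys: file lives under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys
            $result.Provider = $rsa.CspKeyContainerInfo.ProviderName
            $result.KeyFile  = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        }
    } catch {
        $result.Error = $_.Exception.Message
    }

    if ($result.KeyFile) {
        $hit = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Force `
                   -Filter $result.KeyFile -ErrorAction SilentlyContinue | Select-Object -First 1
        $result.KeyFileFound = [bool]$hit
        if ($hit) { $result.KeyFile = $hit.FullName }
    } else {
        # Key could not be opened, so its file name is unknown: list what is present
        # in the CNG machine key store so it can be compared against a backup.
        $result.KeyFile = (Get-ChildItem "$env:ProgramData\Microsoft\Crypto\Keys" -Force -ErrorAction SilentlyContinue |
                           ForEach-Object { '{0} ({1:u})' -f $_.Name, $_.LastWriteTime }) -join '; '
    }

    [pscustomobject]$result
}

Test-CAPrivateKey -CAName 'ExampleRootCA' | Format-List
```

If `KeyOpens` is false and no file in the key store matches, the key is gone from the box and only a backup that includes the private key (a system state backup, a CA backup, or a PFX/P12 export) can bring the CA back; a .p7b contains certificates only and will not help.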

I don't have a GUID when I ran the command. I pasted the output below. The key container is the server name. I went to the path suggested and I can see 3 files in that location, Feb and Mar 2017 and Jul 2-15.

I don't have a system backup nor a backup of the server. I have a .p7b file; would it be enough?

certutil -store MY "<CACertHash>"

MY "Personal"
================ Certificate 0 ================
Serial Number: nnnnnnnnnnnnnnnnnnnnnnnnnnn
Issuer: CN=xxxxxxxxxxxxxRootCA, DC=xxxxxxx, DC=xxx
 NotBefore: date and time here
 NotAfter: date and time here
Subject: CN=xxxxxxxxxxxxRootCA, DC=xxxxxxxx, DC=xxx
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn nn
  Key Container = xxxxxxxxRootCA
  Provider = Microsoft Software Key Storage Provider
Missing stored keys
Encryption test passed
CertUtil: -store command completed successfully.

July 26th, 2015 4:41pm

I found a .pfx file and was able to restore from that file. My rootCA now is up and running. Thank you so much for your help.
July 26th, 2015 5:38pm

Glad you had the pfx; it's unusual to have that, so lucky you did. You should grab a system state backup, or at least a CA service backup via the UI (key, certificate and database) or the command line, to protect yourself in the future.
July 26th, 2015 8:49pm
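As an added example that is not part of the thread, this PowerShell script takes the CA service backup the last reply recommends (private key, certificate and database) with `Backup-CARoleService` from the ADCSAdministration module, and then verifies that the exported .p12 really carries the private key, so that the next recovery does not depend on a PFX found by luck. The backup path is an assumption; the script needs an elevated prompt on the CA, the ADCSAdministration and PKI modules (Windows Server 2012 R2 and later), and should be stored on a volume that is itself backed up off the box.

```powershell
# Added example, not from the thread: back up the CA (key, certificate, database)
# and confirm the exported .p12 contains a private key. Paths are assumptions.
Import-Module ADCSAdministration
Import-Module PKI

$BackupRoot = 'D:\CABackup'   # assumption: a location that is backed up off this server
$BackupDir  = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$pfxPassword = Read-Host -Prompt 'Password to protect the exported CA key' -AsSecureString

# Full CA backup: writes <CAName>.p12 (certificate + private key) and the
# CertLog database into $BackupDir.
Backup-CARoleService -Path $BackupDir -Password $pfxPassword

function Test-CABackupKey {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    $pfx = Get-ChildItem -Path $Path -Filter *.p12 | Select-Object -First 1
    if (-not $pfx) { throw "No .p12 export found in $Path" }

    # Get-PfxData parses the container without installing anything; check every
    # certificate in it for an attached private key (a self-signed root may land
    # in either collection).
    $data    = Get-PfxData -FilePath $pfx.FullName -Password $Password
    $certs   = @($data.EndEntityCertificates) + @($data.OtherCertificates)
    $withKey = @($certs | Where-Object { $_.HasPrivateKey })

    [pscustomobject]@{
        File         = $pfx.FullName
        Certificates = $certs.Count
        PrivateKeys  = $withKey.Count
        Subjects     = ($withKey | ForEach-Object Subject) -join '; '
        Ok           = ($withKey.Count -ge 1)
    }
}

Test-CABackupKey -Path $BackupDir -Password $pfxPassword | Format-List

# For the system state backup the reply also mentions (requires the Windows
# Server Backup feature; E: is an assumed target volume):
#   wbadmin start systemstatebackup -backupTarget:E: -quiet
```

Treat the resulting .p12 as a root-CA private key: it should be stored encrypted, with the password held separately from the file, and access to both restricted to the CA administrators.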
