Server 2008 has Certificate Issues
I have assumed support for a server that has some Certificate Issues. The original install of the CA was done as a Standalone CA instead of an Enterprise CA (a single-server network). I was going to migrate to the Enterprise CA, and the first step is to back up the CA. When I did I got the message that "Windows cannot backup one or more private keys because the CSP does not support key export."
I then looked in the Issued Certificates and found many Certs with the same name (domainname\svr-name$) that were created with a CA Exchange Template, apparently issued each week. All the issued Certs look to be expired and I don't see a current CERT listed.
I am not sure how to proceed. I have uploaded output of certutil and my registry key at
https://onedrive.live.com/redir?resid=ED7BDBD3D3BCA7DD!1501&authkey=!AN7hCpcOnrMyRL8&ithint=file%2cz
July 11th, 2015 2:46pm
Hi,
From your cert list I can tell that your CA certificates 0 and 7 are not exportable, and that is the problem here. The CA Exchange certs are okay and are reissued by default about every week. They are only used e.g. if a smart card key needs to be archived, and they are only used to protect the transport of that key.
So I do not know how many certs you have in the wild and for what purpose, but when I see how many CA certs you have I would say someone has played around with your CA, and as it is not a 2-tier PKI I strongly recommend starting with a fresh PKI: 2-tier (offline Root CA and an online issuing CA) and with SHA2.
Regards,
Lutz
July 11th, 2015 3:37pm
Thanks for the reply. The only thing this server uses certificates for is Domain Controller activities; nothing else. I'm not sure how I would proceed with your recommendation. Should I back up the CA and restore and ignore, then upgrade to Enterprise? This is a small installation (12 PCs + server).
July 11th, 2015 3:55pm
So you need LDAPS to this one domain controller? Overall it sounds a little over-engineered to have a PKI in such a small environment.
July 11th, 2015 5:28pm
No, LDAPS is not needed. The only activity is Domain management. Simpler is definitely better.
July 11th, 2015 5:55pm
Just out of curiosity: Do you need a PKI for that at all? Certificates on domain controllers are not a hard requirement for AD.
July 11th, 2015 6:01pm
PKI is not needed. I always thought it was a necessity for AD.
July 11th, 2015 6:08pm
Cool, so then your life should be even easier. Just in case you will ever need a PKI, then you already know where you can ask questions and more importantly get answers ;-)
July 11th, 2015 6:13pm
So is it as simple as uninstalling all the Certificate Roles and Features?
July 11th, 2015 6:14pm
Almost, but removing the role will leave a lot of things behind.
https://support.microsoft.com/en-us/kb/889250
From the link, steps 5 and 9 are the important ones for you. With step 9 you basically get that you do not get entries in the event log complaining about expired certificates.
July 11th, 2015 6:24pm
Ok that looks fairly straightforward. Are there any negative repercussions from removing certificate services?
July 11th, 2015 7:11pm
Not that I can see in your environment. If you have encrypted data in files or emails, or if you would use certs for web servers or VPN, it can be complicated.
July 11th, 2015 7:49pm
Over the weekend I went through the process of removing the Certificate role as you recommended. I am still getting errors in the log about certificate issues:
- The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
- Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddCoreCsiFiles : GetNextFileMapContent() failed.
System Error:
The parameter is incorrect
Any suggestions?
July 21st, 2015 6:19pm
https://technet.microsoft.com/en-us/library/cc734096%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
The above article describes how to remove expired domain controller certificates.
If you do not have a certificate installed at all you will see event ID 29 popping up every time the KDC is started. So that can then be ignored.
July 23rd, 2015 2:59am
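As an added example (not code from the thread or from Microsoft), the following PowerShell script inventories the LocalMachine\My store on a domain controller and flags the two things discussed above: expired certificates left behind after removing the CA role, and private keys that are not exportable (the cause of the "CSP does not support key export" backup error). It assumes the certificates of interest are in LocalMachine\My and that keys are CSP keys; CNG or inaccessible keys are reported as unknown rather than guessed.

```powershell
# Added example: inventory LocalMachine\My, flagging expired certs and
# non-exportable private keys. Report only; nothing is deleted.
$store = 'Cert:\LocalMachine\My'   # assumption: DC / CA certs live here
$now   = Get-Date

$report = Get-ChildItem -Path $store | ForEach-Object {
    $exportable = 'n/a'                # no private key on this cert
    if ($_.HasPrivateKey) {
        try {
            # For CSP keys .PrivateKey is an RSACryptoServiceProvider whose
            # CspKeyContainerInfo.Exportable answers the backup question.
            $key = $_.PrivateKey
            if ($key -and $key.CspKeyContainerInfo) {
                $exportable = $key.CspKeyContainerInfo.Exportable
            } else {
                $exportable = 'unknown (CNG or inaccessible key)'
            }
        } catch {
            $exportable = 'unknown (access denied)'
        }
    }
    New-Object PSObject -Property @{
        Subject    = $_.Subject
        Issuer     = $_.Issuer
        NotAfter   = $_.NotAfter
        Expired    = ($_.NotAfter -lt $now)
        HasKey     = $_.HasPrivateKey
        Exportable = $exportable
        Thumbprint = $_.Thumbprint
    }
}

# Full inventory, oldest expiry first
$report | Sort-Object NotAfter |
    Format-Table Subject, NotAfter, Expired, HasKey, Exportable -AutoSize

# Expired certs that still carry a private key: these are the candidates
# to review before following the cleanup steps linked in the thread.
$report | Where-Object { $_.Expired -and $_.HasKey } |
    Format-List Subject, Issuer, NotAfter, Thumbprint
```

Run it in an elevated PowerShell session so the private-key containers are readable; `certutil -store My` shows the same store with each key's provider name if you need to cross-check which keys are CSP and which are CNG.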