Thursday, 21 November 2019

Recovering from a deleted CA root certificate

Recently an expired Windows Active Directory root CA certificate was removed. When the server was rebooted a few weeks later, ADCS (Active Directory Certificate Services) would not start, and right-clicking inside adcs.msc produced the error below. We had tried to export the expired certificate first, but it would not export the private key; since there was a newer certificate with the same name, we proceeded to remove the old one.

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. (companyXXXX) Keyset does not exist 0x80090016 (-2146893802 NTE_BAD_KEYSET).


I realised what had happened, but I had not had to restore a certificate before. 

The path you need to restore is:

C:\ProgramData\Microsoft\Crypto\RSA

The fix is to start Windows Backup, select Restore, and browse to the path C:\ProgramData\Microsoft\Crypto\RSA.


In the restore options screen select "Do not recover the items that already exist" and click next.


Hopefully you see a few KB restored and the restore completes.


Next, pop back into ADCS and start the CA, which should then go green, and you are back up!


The last task is to renew the CA certificate, then you can delete the old expired one.
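Before that last deletion it is worth knowing which private-key container each certificate in the machine store actually points at, since a CA certificate renewed with the same key shares its container with the old one, and removing either certificate removes the key file for both. The PowerShell below is an added example, not part of the original post; it assumes Windows PowerShell 5.1 on the CA host, that the CA certificates live in Cert:\LocalMachine\My, and that CNG key files live under C:\ProgramData\Microsoft\Crypto\Keys (the CAPI path is the one from this post).

```powershell
# Added example (not from the original post): map every machine certificate to
# its private-key container file and flag containers shared by several certs.
$capiKeys = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'  # CAPI (CSP) key files
$cngKeys  = 'C:\ProgramData\Microsoft\Crypto\Keys'             # CNG (KSP) key files (assumed path)

function Get-MachineKeyContainer {
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $unique = $null; $file = $null; $state = 'no private key'
        if ($cert.HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) {
                    $state = 'key not readable as RSA'
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $unique = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
                    $file   = Join-Path $capiKeys $unique
                } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $unique = $rsa.Key.UniqueName
                    $file   = Join-Path $cngKeys $unique
                }
                if ($file) {
                    $state = if (Test-Path $file) { 'on disk' } else { 'container file not found' }
                }
            } catch [System.Security.Cryptography.CryptographicException] {
                # This is the condition behind NTE_BAD_KEYSET (0x80090016): the store
                # still references a key container whose file has been deleted.
                $state = "keyset missing: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Container  = $unique
            State      = $state
        }
    }
}

$rows = Get-MachineKeyContainer
$rows | Sort-Object Subject, NotAfter | Format-Table -AutoSize

# A container referenced by more than one certificate is removed together with
# whichever certificate is deleted first, so warn before anything is deleted.
$rows | Where-Object Container | Group-Object Container | Where-Object Count -gt 1 | ForEach-Object {
    $thumbs = ($_.Group | ForEach-Object { $_.Thumbprint }) -join ', '
    Write-Warning ("Key container {0} backs {1} certificates: {2}" -f $_.Name, $_.Count, $thumbs)
}
```

Run it as an administrator before removing the expired certificate; a row reporting "keyset missing" or "container file not found" is the same state the CA complained about in the error above, and a warning about a shared container means the expired certificate should only be removed after the CA has been renewed and the new certificate confirmed to work.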