Question

GeoffMajor-3423 asked:

Can't delete private key associated with Certificate Authority

Hello,

I'm trying to retire one of our Domain Controllers that has Certificate Services running on it. I'm trying to uninstall Certificate Services, but when I run

certutil -delkey CertificateAuthorityName

I get the following

CertUtil: -delkey command FAILED: 0x80090013 (-2146893805)
CertUtil: Invalid provider specified.

Can anyone help?

windows-server-security
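An added diagnostic, not from the original thread: before retrying `certutil -delkey`, find the CA certificate in the machine store and report which key provider and container actually hold its private key, so the provider can be passed explicitly with certutil's `-csp` option (a wrong default provider is one way to get "Invalid provider specified"). It assumes PowerShell 5.1 with .NET Framework 4.6 or later (for `GetRSAPrivateKey`); the CA common name is the one shown in the certsrv.log posted in this thread.

```powershell
# Added example (not from the original post). Reports which key provider and
# container hold the CA's private key so certutil can be told the provider
# explicitly:  certutil -csp "<Provider>" -delkey "<Container>"
# Assumes PowerShell 5.1 / .NET Framework 4.6+ (RSACertificateExtensions).
param(
    # CA common name as it appears in the certsrv.log in this thread.
    [string]$CaName = 'smmt-IF-SRV01-CA'
)

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName,*" -or $_.Subject -eq "CN=$CaName" }

if (-not $certs) {
    Write-Warning "No certificate with CN=$CaName in Cert:\LocalMachine\My."
    return
}

foreach ($cert in $certs) {
    Write-Host "Thumbprint    : $($cert.Thumbprint)"
    Write-Host "NotAfter      : $($cert.NotAfter) (expired: $($cert.NotAfter -lt (Get-Date)))"
    Write-Host "HasPrivateKey : $($cert.HasPrivateKey)"
    if (-not $cert.HasPrivateKey) {
        Write-Host "No private key is bound to this certificate; -delkey has nothing to remove."
        continue
    }

    # GetRSAPrivateKey returns RSACryptoServiceProvider for legacy CSP keys and
    # RSACng for CNG/KSP keys; X509Certificate2.PrivateKey throws for CNG keys.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    } catch {
        Write-Warning "Could not open the private key: $($_.Exception.Message)"
        continue
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $provider  = $rsa.CspKeyContainerInfo.ProviderName
        $container = $rsa.CspKeyContainerInfo.KeyContainerName
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $provider  = $rsa.Key.Provider.Provider
        $container = $rsa.Key.KeyName
    } else {
        Write-Warning "Key is not RSA or was not returned; inspect with: certutil -store My `"$CaName`""
        continue
    }
    Write-Host "Provider      : $provider"
    Write-Host "Container     : $container"
    Write-Host "Retry as      : certutil -csp `"$provider`" -delkey `"$container`""
}
```

Run it elevated on the CA host itself; if the certificate is present but reports no private key, the "Keyset does not exist" result later in the thread is the expected outcome of `-delkey`.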

Apparently, there is no such key.


I've now removed the Network Policy and Access Services role, and now get the following.

CertUtil: -delkey command FAILED: 0x80090016 (-2146893802)
CertUtil: Keyset does not exist


Skip this step and move forward.

VickyWang-MFST answered:

Hi,
Thank you for waiting and replying.
It may be due to the permissions on the attachment; I cannot open it.
Can you show it to us in another way?
Pay attention to privacy protection when uploading.
Hope this information can help you.
Best wishes,
Vicky


Hello Vicky,

I've tried to upload it as a txt file, but get a message saying "no such upload".

Kind Regards,
Geoff


Hello Vicky,

Hopefully you will be able to open this file.

Kind Regards,
Geoff

Attachment: certutil1.txt (4.3 KiB)

2) The certsrv.log contents

Opened Log: 29/06/2021 15:32 34.104s
GMT + 1.00
certcli.dll: 6.1:7601.24545 retail
certsrv.exe: 6.1:7600.16385 retail
508.1321.0:<2021/6/29, 15:32:34>: 0x2 (WIN32: 2): DBMaxReadSessionCount
CertSrv: Opening Database C:\Windows\system32\CertLog\smmt-IF-SRV01-CA.edb
CertSrv: Database open
420.386.0:<2021/6/29, 15:32:47>: 0x2 (WIN32: 2)
419.5484.0:<2021/6/29, 15:32:47>: 0x80090029 (-2146893783): crypto::FS_PROP_KEY_USAGE_COUNT_ENABLED
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=21
Issuer: CN=smmt-IF-SRV01-CA, DC=smmt, DC=co, DC=uk
NotBefore: 12/06/2013 10:18
NotAfter: 12/06/2018 10:27
Subject: CN=smmt-IF-SRV01-CA, DC=smmt, DC=co, DC=uk
Serial: 7df97f84e3ace48e470b974272bc1e9b
Template: CA
74 85 5b 0d 4a 00 59 18 56 35 b7 e2 44 7b 33 b4 c6 8e e6 86
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_NOT_TIME_VALID (0x1)
Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
74 85 5b 0d 4a 00 59 18 56 35 b7 e2 44 7b 33 b4 c6 8e e6 86
Issuer: CN=smmt-IF-SRV01-CA, DC=smmt, DC=co, DC=uk
NotBefore: 12/06/2013 10:18
NotAfter: 12/06/2018 10:27
Subject: CN=smmt-IF-SRV01-CA, DC=smmt, DC=co, DC=uk
Serial: 7df97f84e3ace48e470b974272bc1e9b
Template: CA
74 85 5b 0d 4a 00 59 18 56 35 b7 e2 44 7b 33 b4 c6 8e e6 86
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)


419.4403.0:<2021/6/29, 15:32:47>: 0x800b0109 (-2146762487)
513.11105.0:<2021/6/29, 15:32:47>: 0x800b0109 (-2146762487)
513.11133.0:<2021/6/29, 15:32:47>: 0x800b0101 (-2146762495)
513.11227.0:<2021/6/29, 15:32:47>: 0x800b0101 (-2146762495)
513.11306.0:<2021/6/29, 15:32:47>: 0x800b0101 (-2146762495)
513.12045.0:<2021/6/29, 15:32:47>: 0x800b0101 (-2146762495)
513.11488.0:<2021/6/29, 15:32:47>: 0x800b0101 (-2146762495)
513.11580.0:<2021/6/29, 15:32:47>: 0x800b0101 (-2146762495)
513.12090.0:<2021/6/29, 15:32:47>: 0x800b0101 (-2146762495)
513.901.0:<2021/6/29, 15:32:47>: 0x800b0101 (-2146762495)
1006.794.0:<2021/6/29, 15:32:48>: 0x80070490 (WIN32: 1168): msPKI-Key-Security-Descriptor

VickyWang-MFST answered:

What's the history of the Root CA? If there is a subordinate that is needing renewal, I would suspect the CAs have been around for a while. Is it possible the Root CA was migrated from another OS in the past?

A few details would help. Can you provide the following details?

1) certutil -getreg ca

2) Debug logs:

certutil -setreg ca\debug 0xffffffe3

Try to start Certificate Services.

Provide the contents of %windir%\certsrv.log.

certutil -delreg ca\debug

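The collection steps above as one PowerShell script (an added example, not part of the answer): it captures `certutil -getreg ca`, enables the debug mask from the answer, attempts the service start, copies certsrv.log and surfaces the lines carrying HRESULT codes, and clears `ca\debug` in a `finally` block so verbose logging is never left enabled on the CA. `$OutDir` is an assumed output location; `CertSvc` is the Certificate Services service name.

```powershell
# Added example (not from the original post): run the debug-log collection
# steps from the answer as one script, removing the ca\debug value in a
# finally block so the CA is not left with verbose logging enabled.
# Run elevated on the CA host; output is written to $OutDir (assumed path).
param(
    [string]$OutDir = "$env:TEMP\ca-debug"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1) current CA registry configuration
certutil -getreg ca | Out-File -FilePath (Join-Path $OutDir 'getreg-ca.txt')

try {
    # 2) enable the debug mask given in the answer, then attempt a service start
    certutil -setreg ca\debug 0xffffffe3 | Out-Null
    try {
        Start-Service -Name CertSvc -ErrorAction Stop
        "CertSvc status: $((Get-Service -Name CertSvc).Status)"
    } catch {
        "CertSvc failed to start: $($_.Exception.Message)"
    }
    Start-Sleep -Seconds 5   # give certsrv time to flush its log

    $log = Join-Path $env:windir 'certsrv.log'
    if (Test-Path $log) {
        Copy-Item -Path $log -Destination (Join-Path $OutDir 'certsrv.log')
        # surface the failing entries (HRESULT codes) without reading the whole file
        Select-String -Path $log -Pattern '0x8' | Select-Object -Last 20 |
            ForEach-Object { $_.Line }
    } else {
        Write-Warning "$log not found; the service may not have reached startup logging."
    }
}
finally {
    # 3) always clear the debug value again, even if the start attempt threw
    certutil -delreg ca\debug | Out-Null
}
```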

Hello Vicky,

There is no subordinate CA, and it has not been migrated from another OS.

I'm trying to post the results of 1) and 2) but they exceed the characters allowed here.

Geoff


I see you can attach files, so I'll add it here.

Attachment: certlogs.pdf (273.8 KiB)