The CA certificate that disappeared after the CMOS battery died
A colleague on our PKI Server alias got the following question from a partner:
Our newly installed Windows Server 2008 R2 CA server got the time settings on it accidentally reset back to the BIOS defaults (1/1/2011) when the batteries on the motherboard were temporarily removed.
When the CA server was restarted afterwards we noticed that the CA server certificate was no longer present in the User store of the computer account and the ADCS service was unable to start afterwards.
It turns out the default setting for the ADCS service in Windows Server 2008 R2 is to remove the public keys of any CA server certificate that has expired or is not yet valid.
Looking at the CA certificate of the affected server it was installed in late March which made the CA certificate fall under the 'not yet valid' category after the backwards time jump which consequently caused the ADCS service to remove it from the store when it started up.
Another colleague (with me being the fly sitting on a CA-related distribution list) located registry settings which can be used to reverse this behaviour.
certutil -setreg caCRLFlags +CRLF_PRESERVE_EXPIRED_CA_CERTS
The alternative would be to replace the CA certificate and make sure the time of the machine has been corrected back to the present before the ADCS service starts up.
Certutil tasks for configuring a Certification Authority (CA)