PHReeK.oRG

We began getting this error recently and I only noticed it when I needed to renew a LAN IIS certificate and Web Enrollment reported it could not find any templates, and the IIS Manager domain certificate request could not complete. I was getting Event ID 100 for CertificationAuthority with the message:

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. ca-server Keyset does not exist 0x80090016 (-2146893802).

The process I went through to resolve the issue was:

1. Backup the registry settings and CA database according to MS KB 298138
2. Uninstall the ADCS role and reboot when prompted.
3. Re-install the ADCS role ticking Certification Authority and Certification Authority Web Enrollment, select the existing private key when prompted.
4. Restore the registry settings and CA database according to MS KB 298138.
5. Ensure that “SYSTEM” and “Administrators” are granted “Full Control” access to “C:\ProgramData\Application Data\Microsoft\Crypto\RSA\MachineKeys”.
6. Open IIS Manager on ca-server, expand the appropriate IIS site (usually Default) and ensure that “Require SSL” is NOT selected for the “CertEnroll” virtual directory.

I was then able to go back to my IIS Intranet server and request a new domain certificate through IIS Manager and could also generate a CSR and complete a request by visiting https://ca-server/certsrv.