Windows 2008 CA - Keyset does not exist 0x80090016 (-2146893802)

We began getting this error recently and I only noticed it when I needed to renew a LAN IIS certificate and Web Enrollment reported it could not find any templates, and the IIS Manager domain certificate request could not complete. I was getting Event ID 100 for CertificationAuthority with the message:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. ca-server Keyset does not exist 0x80090016 (-2146893802).
The process I went through to resolve the issue was:
- Backup the registry settings and CA database according to MS KB 298138
- Uninstall the ADCS role and reboot when prompted.
- Re-install the ADCS role, ticking Certification Authority and Certification Authority Web Enrollment, and select the existing private key when prompted.
- Restore the registry settings and CA database according to MS KB 298138.
- Ensure that “SYSTEM” and “Administrators” are granted “Full Control” access to “C:\ProgramData\Application Data\Microsoft\Crypto\RSA\MachineKeys”.
- Open IIS Manager on ca-server, expand the appropriate IIS site (usually Default) and ensure that “Require SSL” is NOT selected for the “CertEnroll” virtual directory.
I was then able to go back to my IIS Intranet server and request a new domain certificate through IIS Manager and could also generate a CSR and complete a request by visiting https://ca-server/certsrv.
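The steps above, as an added PowerShell script that is not part of the original post: it takes the KB 298138-style backup (CA database plus the CertSvc configuration registry key), checks and repairs the MachineKeys ACL for SYSTEM and Administrators, clears "Require SSL" on the CertEnroll virtual directory, and starts the CA service again. The backup folder, the IIS site name and the use of the WebAdministration module are assumptions; the registry key is the one KB 298138 covers.

```powershell
# Added example, not from the original post. Run elevated on the CA host after
# the ADCS role has been re-installed (steps 9-11 above); step 1 is the backup
# you take before uninstalling. Folder and site names are assumptions.
Import-Module WebAdministration   # provides Get-WebConfiguration / Set-WebConfigurationProperty

$backupDir = 'C:\CABackup'                                                   # assumed location
$caRegKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'  # key KB 298138 backs up
$siteName  = 'Default Web Site'                                              # assumed; "usually Default"
# Same folder the post names: "C:\ProgramData\Application Data" is a junction to C:\ProgramData.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# 1. Backup per KB 298138: CA database and the CertSvc configuration registry key.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
certutil -backup $backupDir
if ($LASTEXITCODE -ne 0) {
    # As Karl's comment shows, the database backup can fail once the keyset is gone;
    # the registry export is still worth keeping, so warn and carry on.
    Write-Warning "certutil -backup failed (exit $LASTEXITCODE); CA database was not backed up."
}
reg export $caRegKey (Join-Path $backupDir 'CertSvc-Configuration.reg') /y

# 2. Ensure SYSTEM and Administrators hold Full Control on MachineKeys.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl = Get-Acl -Path $machineKeys
$changed = $false
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $hasFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $principal -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $fullControl) -eq $fullControl)
    }
    if (-not $hasFull) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        $changed = $true
        Write-Host "Granting Full Control to $principal on $machineKeys"
    }
}
if ($changed) { Set-Acl -Path $machineKeys -AclObject $acl }

# 3. Make sure "Require SSL" is NOT set on the CertEnroll virtual directory.
$certEnroll = "IIS:\Sites\$siteName\CertEnroll"
$access = Get-WebConfiguration -PSPath $certEnroll -Filter 'system.webServer/security/access'
if ("$($access.sslFlags)" -match 'Ssl') {
    Write-Host "CertEnroll has sslFlags='$($access.sslFlags)'; clearing Require SSL."
    Set-WebConfigurationProperty -PSPath $certEnroll `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'None'
}

# 4. Start the CA service and report its state; a failure here points back to
#    the "Keyset does not exist" event (ID 100) described in the post.
Start-Service -Name CertSvc
Get-Service -Name CertSvc | Format-List Name, Status
```

Run it as an administrator on the CA host; if step 4 still fails, the private key selected during role re-installation did not match the CA certificate, so recheck step 8 rather than the ACL or IIS settings.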
Comments
Karl
2016-03-15
I was unable to back up the edb.
The Service will not start (keyset does not exist).
certutil -backup returns FAILED 0x80090011 Object was not found.