Certificate Services fails to start

From: Benkman (Benkman_at_discussions.microsoft.com)
Date: 11/22/04


Date: Sun, 21 Nov 2004 17:35:12 -0800

I have a Windows 2000 (SP4) Standalone Root CA running Certificate Services.

Key storage is in an nCipher nShield F2 HSM using the nCipher enhanced CSP.

Certificate Services was starting but when I last booted up the Root CA and
loaded the keys into HSM Certificate Services failed to start with the
following errors:

Application Log:
The description for Event ID ( 42 ) in Source ( CertSvc ) and Support for
details. The following information is part of the event: xxxxxCA, A
certificate chain processed correctly, but terminated in a root certificate
which is not trusted by the trust provider. 0x800b0109 (-2146762487), 0.

System Log:
Certsvc EventID: 7024
The Certificate Services service terminated with service-specific error
2148204809.

I see article 822626 refers to these errors but in this case certificate
services still does not start.

The Root CA has a 4096-bit key and I'm thinking that this error could be
related to a timeout issue accessing the key within HSM.

Has anyone experienced similar problems like this? Can anyone describe the
detail of the Validation process for the Root CA?

Please Help!

Benkman.
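
Added example, not part of the original post: a small decoder showing that the Application Log value (0x800b0109 / -2146762487) and the System Log service-specific error (2148204809) are the same 32-bit HRESULT, CERT_E_UNTRUSTEDROOT. The sample text is constructed from the two log excerpts quoted above; the function names are hypothetical.

```python
import re

# Only the code that appears in the post is named here.
KNOWN = {0x800B0109: "CERT_E_UNTRUSTEDROOT"}
FACILITIES = {11: "FACILITY_CERT"}

# Constructed sample: the numeric parts of the two event excerpts in the post.
SAMPLE = """\
Event ID 42 CertSvc: ... not trusted by the trust provider. 0x800b0109 (-2146762487), 0.
Event ID 7024: terminated with service-specific error 2148204809.
"""

def to_hresult(value):
    """Normalize hex, signed-decimal or unsigned-decimal text to an unsigned 32-bit int."""
    text = str(value).strip()
    n = int(text, 16) if text.lower().startswith("0x") else int(text)
    if not -(1 << 31) <= n < (1 << 32):
        raise ValueError(f"not a 32-bit value: {value!r}")
    return n & 0xFFFFFFFF  # two's-complement wrap for negative input

def decode(value):
    """Split an HRESULT into its severity, facility and code fields."""
    h = to_hresult(value)
    facility = (h >> 16) & 0x7FF  # facility field is 11 bits wide
    return {
        "hex": f"0x{h:08X}",
        "signed": h - (1 << 32) if h & 0x80000000 else h,
        "failure": bool(h >> 31),  # severity bit set means failure
        "facility": FACILITIES.get(facility, str(facility)),
        "code": h & 0xFFFF,
        "name": KNOWN.get(h, "unknown"),
    }

def extract_codes(log_text):
    """Find 8-digit hex literals and 9-10 digit decimals; short numbers such as event IDs are skipped."""
    pattern = r"0x[0-9a-fA-F]{8}|-?\d{9,10}"
    return [to_hresult(m) for m in re.findall(pattern, log_text)]

if __name__ == "__main__":
    for h in sorted(set(extract_codes(SAMPLE))):
        print(decode(h))
```

Because all three numbers decode to one value, the 7024 entry only repeats the chain-trust failure reported in event 42 and is not a separate error to chase.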


