AD Certifcate Services will not start on SBS2011

AD Certificate service will not start on an SBS server. Errors include "Keyset does not exist 0x80090016" and AD Certificate services terminated with service specific error 2146893802. Using certutil I can see that two keys exist - one that expired in 2016 fails the encryption test. The other, recently created passes signature test. When running the CA MMC I get no results because the service is not running. Keys can be seen in IE certificate properties. I am unable to delete the expired key command failed 0x800706ba the RPC server is unavailable. Security on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys is correct. Tried esentutl. Shows clean shutdown. Tried bot a recovery and a repair but neither has helped. I don't seem to be having any certificate problems but I do want to migrate away from SBS to standalone Exchange and S2016 and I expect this certificate issue will cause problems. Don't have any suitable backups of the certificates.