Chris H asked:

CA role is living on a DC that needs to be rebuilt.

Domain Controller with CA has some issues. Need guidance for a rebuild.

My plan was to back up the CA, demote and reinstall with the same name, promote and reinstall the CA role and then restore from backup of CA.  However, step one (backup CA) threw a warning that one of the private keys can't export.

Any help is appreciated.

Thanks in advance!!



PS The error from the backup attempt of the CA is:
Windows cannot backup one or more private keys because the CSP does not support key export
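
The backup step of the plan above, written so that a private key the CSP refuses to export does not stop the rest of the backup. This is an added example, not part of the original thread; the D:\CABackup path is an assumption, and it assumes the export failure surfaces as a cmdlet error.

```powershell
#Requires -RunAsAdministrator
# Added example: back up an AD CS CA before rebuilding its host.
Import-Module ADCSAdministration

$BackupDir = 'D:\CABackup'   # assumed path; pick a volume that survives the rebuild
$CfgKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# 1. Identify the active CA and the provider (CSP/KSP) that holds its private key.
$caName   = (Get-ItemProperty -LiteralPath $CfgKey -Name Active).Active
$provider = (Get-ItemProperty -LiteralPath "$CfgKey\$caName\CSP" -Name Provider).Provider
Write-Host "CA: $caName   key provider: $provider"

# Separate folders so the two backup passes never collide.
$dbDir  = Join-Path $BackupDir 'Database'
$keyDir = Join-Path $BackupDir 'Key'
New-Item -ItemType Directory -Path $dbDir, $keyDir -Force | Out-Null

# 2. The database backup does not touch the private key, so take it first.
Backup-CARoleService -Path $dbDir -DatabaseOnly -ErrorAction Stop

# 3. Try the CA certificate and key on their own and report a refusal
#    instead of aborting the whole run.
$pw = Read-Host -AsSecureString -Prompt 'Password to protect the exported CA key'
try {
    Backup-CARoleService -Path $keyDir -KeyOnly -Password $pw -ErrorAction Stop
    Write-Host 'CA certificate and private key exported.'
}
catch {
    Write-Warning "Key export failed: $($_.Exception.Message)"
    Write-Warning "The key remains in '$provider' and has to be moved with that provider's own tooling."
}

# 4. CA settings (CRL/AIA locations, validity periods) live in the registry.
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    "$BackupDir\CertSvc-Configuration.reg" /y

# 5. Record which templates the CA publishes; they are not in the database backup.
certutil.exe -catemplates | Out-File "$BackupDir\CATemplates.txt"
```

Store the exported key folder offline and restricted to CA administrators, since anyone holding that file and its password can issue certificates as this CA.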
David Favor

Days of requiring private CAs have long been over since https://LetsEncrypt.org began providing free certs.

For a setup once + forget forever solution, use https://LetsEncrypt.org + you'll be up + running in a few minutes.

If you go the route of running a private CA, instructions about how you go about this tend to be unique for each environment.

Refer to your notes when you first set up your CA + just go through your entire command sequence again.

"Days of requiring private CAs have long been over since https://LetsEncrypt.org began providing free certs."
That is not true and not what a PKI is used for. I suspect you are thinking of self-signed certs.

Just as a check, did you look through these steps?
https://social.technet.microsoft.com/Forums/en-US/453a2991-2b65-414b-b0f4-ec90f8204889/windows-cannot-backup-one-or-more-private-keys-because-the-csp-does-not-support-key-export?forum=winserversecurity
Chris H

ASKER

I googled this already......  I was hoping to find an expert in CA.  At this point, I'm restoring the original VM to see if there is a magical combination of exporting the key and what have you...  I'll update with my findings and hopefully come up with a solution for everyone in my shoes.

"I googled this already......"
Really no need for that. Like I said in my comment, "Just as a check".

Good luck
Chris H

ASKER

Sorry if that came off as snide.  I was down and out when I typed that.

I rebuilt the server and restored the original VM.  From there, I corrected the PKI issue on the old server, exported the CA and restored it to the new one successfully.

As a precaution, I've removed everyone's ability to RDP into this server in the future to keep it in pristine condition.

Thanks!
ASKER CERTIFIED SOLUTION
Chris H