Chris H asked:

CA role is living on a DC that needs to be rebuilt.

Domain Controller with CA has some issues. Need guidance for a rebuild.

My plan was to back up the CA, demote and reinstall with the same name, promote and reinstall the CA role and then restore from backup of CA.  However, step one (backup CA) threw a warning that one of the private keys can't export.

Any help is appreciated.

Thanks in advance!!



PS The error from the backup attempt of the CA is:
Windows cannot backup one or more private keys because the CSP does not support key export

Tags: certificate services, Windows Server 2012, Domain Controller

Last comment: Chris H
8/22/2022 - Mon
David Favor

Days of requiring private CAs have long been over since https://LetsEncrypt.org began providing free certs.

For a setup once + forget forever solution, use https://LetsEncrypt.org + you'll be up + running in a few minutes.

If you go the route of running a private CA, instructions about how you go about this tend to be unique for each environment.

Refer to your notes from when you first set up your CA + just go through your entire command sequence again.
Shaun Vermaak

Days of requiring private CAs have long been over since https://LetsEncrypt.org began providing free certs.
That is not true and not what a PKI is used for. I suspect you are thinking of self-signed certs.

Just as a check, did you look through these steps?
https://social.technet.microsoft.com/Forums/en-US/453a2991-2b65-414b-b0f4-ec90f8204889/windows-cannot-backup-one-or-more-private-keys-because-the-csp-does-not-support-key-export?forum=winserversecurity
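Before demoting, it helps to know which CA certificates have a non-exportable key and which provider holds it, since that is what the backup warning above is about. The following check is an added example, not from this thread or from Microsoft; it assumes an elevated Windows PowerShell 5.1 session on the CA host and that the CA certificate sits in Cert:\LocalMachine\My (the AD CS default).

```powershell
# Added example (not from the thread): for every certificate with a private key in the
# local machine store, report the key provider and whether the key is marked exportable.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6+ for RSACertificateExtensions.
function Get-KeyExportability {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $info = [ordered]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        KeyType    = 'none'
        Provider   = $null
        Exportable = $null
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$info }
    try {
        # Legacy CSP keys expose CspKeyContainerInfo through the PrivateKey property.
        $csp = $Cert.PrivateKey
        if ($csp -and $csp.CspKeyContainerInfo) {
            $info.KeyType    = 'CSP'
            $info.Provider   = $csp.CspKeyContainerInfo.ProviderName
            $info.Exportable = $csp.CspKeyContainerInfo.Exportable
            return [pscustomobject]$info
        }
    } catch { }   # CNG-backed keys throw here on older frameworks; fall through.
    # CNG (KSP) keys: inspect the export policy flags on the underlying CngKey.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
        $info.KeyType    = 'CNG'
        $info.Provider   = $rsa.Key.Provider.Provider
        $info.Exportable = (($rsa.Key.ExportPolicy -band $allow) -ne 0)
    } else {
        # Non-RSA or hardware/HSM-backed key; the CA backup wizard cannot export these either.
        $info.KeyType = 'unknown'
    }
    return [pscustomobject]$info
}

Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey |
    ForEach-Object { Get-KeyExportability -Cert $_ } |
    Format-Table Subject, KeyType, Provider, Exportable, NotAfter -AutoSize
```

A row showing Exportable = False for the CA's own certificate is the condition that produces the "CSP does not support key export" warning; the CA database itself still backs up, only that key is skipped.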
Chris H

ASKER
I googled this already......  I was hoping to find an expert in CA.  At this point, I'm restoring the original VM to see if there is a magical combination of exporting the key and what have you...  I'll update with my findings and hopefully come up with a solution for everyone in my shoes.
Shaun Vermaak

I googled this already......
Really no need for that. Like I said in my comment, "Just as a check".

Good luck
Chris H

ASKER
Sorry if that came off as snide.  I was down and out when I typed that.

I rebuilt the server and restored the original VM.  From there, I corrected the PKI issue on the old server, exported the CA and restored it to the new one successfully.

As a precaution, I've removed everyone's ability to RDP into this server in the future to keep it in pristine condition.

Thanks!
ASKER CERTIFIED SOLUTION
Chris H