How to revoke SSL certificate, if CA service is not starting with message: Could not build a certificate chain for CA certificate 5 for mydomain CA. The signature of the certificate can not be verified. 0x80096004 (-2146869244).

Greetings!

There is 2003 server with CA service installed.

Root cert is about to expire, and is not going to update automatically, so I'v tried to do it manually.

I have generated request on my CA server, copy it to root carrier machine (2003 server, not in local domain but with CA service tuned for my domain and it holds main root cert), issued this request, and copy this issued cert back to CA machine.

When i apply it, CA service going down with the next to error messages:

Could not build a certificate chain for CA certificate 5 for mydomain CA. The signature of the certificate can not be verified. 0x80096004 (-2146869244).

Certificate Services did not start: Could not load or verify the current CA certificate.  mydomain CA The signature of the certificate can not be verified. 0x80096004 (-2146869244).

After trying some steps, I found certutil command and begin to experiment with it. This is what I have found:

C:\CAConfig>certutil -store
================ Certificate 0 ================
Serial Number: 06376c00aa00648a11cfb8d4aa5c35f4
Issuer: CN=Root Agency
Subject: CN=Root Agency
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fe e4 49 ee 0e 39 65 a5 24 6f 00 0e 87 fd e2 a0 65 fd 89 d4
No key provider information
No stored keyset property

================ Certificate 1 ================
Serial Number: 61505f7c00030000000d
Issuer: CN=mydomain CA Root, DC=mydomain, DC=ru
Subject: CN=mydomain CA, DC=mydomain, DC=ru
CA Version: V5.0
Certificate Template Name: SubCA
Non-root Certificate
Template: SubCA, Subordinate Certification Authority
Cert Hash(sha1): dc 90 96 9e 3e 10 6e 44 39 85 c3 cb ae 38 b2 4b bc ec 6c 96
  Key Container = mydomain CA
  Provider = Microsoft Strong Cryptographic Provider
Signature test passed

================ Certificate 2 ================
Serial Number: 236c971e2bc60d0bf97460def108c3c3
Issuer: OU=Class 3 Public Primary Certification Authority, O=VeriSign, Inc., C=U
S
Subject: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU
=VeriSign International Server CA - Class 3, OU=VeriSign, Inc., O=VeriSign Trust
 Network
Non-root Certificate
Cert Hash(sha1): 8b 24 cd 8d 8b 58 c6 da 72 ac e0 97 c7 b1 e3 ce a4 dc 3d c6
No key provider information
No stored keyset property

================ Certificate 3 ================
Serial Number: 52c820137c85a7edf217ce82c8451673
Issuer: OU=Class 2 Public Primary Certification Authority, O=VeriSign, Inc., C=U
S
Subject: CN=VeriSign Class 2 CA - Individual Subscriber, OU=www.verisign.com/rep
ository/RPA Incorp. By Ref.,LIAB.LTD(c)98, OU=VeriSign Trust Network, O=VeriSign
, Inc.
Non-root Certificate
Cert Hash(sha1): 7b 02 31 2b ac c5 9e c3 88 fe ae 12 fd 27 7f 6a 9f b4 fa c1
No key provider information
No stored keyset property

================ Certificate 4 ================
Serial Number: 61079602000000000007
Issuer: CN=mydomain CA Root, DC=mydomain, DC=ru
Subject: CN=mydomain CA, DC=mydomain, DC=ru
CA Version: V4.0
Certificate Template Name: SubCA
Non-root Certificate
Template: SubCA, Subordinate Certification Authority
Cert Hash(sha1): 3c f2 9f c9 5d b5 05 b1 27 4c 54 3b d4 bd 82 f5 61 6a 62 3d
No key provider information
Signature test passed

================ Certificate 5 ================
Serial Number: 0d8b4feeaad2185bf4756a9d29e17ffb
Issuer: OU=Class 1 Public Primary Certification Authority, O=VeriSign, Inc., C=U
S
Subject: CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated, OU=
there_was_verisign_address Incorp. By Ref.,LIAB.LTD(c)98, OU=VeriSign Trust
 Network, O=VeriSign, Inc.
Non-root Certificate
Cert Hash(sha1): 12 51 9a e9 cd 77 7a 56 01 84 f1 fb d5 42 15 22 2e 95 e7 1f
No key provider information
No stored keyset property

================ Certificate 6 ================
Serial Number: 198b11d13f9a8ffe69a0
Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c)
1997 Microsoft Corp.
Subject: CN=Microsoft Windows Hardware Compatibility, OU=Microsoft Corporation,
OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Copyright (c) 19
97 Microsoft Corp.
Non-root Certificate
Cert Hash(sha1): 10 9f 1c ae d6 45 bb 78 b3 ea 2b 94 c0 69 7c 74 07 33 03 1c
No key provider information
No stored keyset property
================ CRL 0 ================
Issuer:
    OU=VeriSign Commercial Software Publishers CA
    O=VeriSign, Inc.
    L=Internet
CRL Hash(sha1): a3 77 d1 b1 c0 53 88 33 03 52 11 f4 08 3d 00 fe cc 41 4d ab

================ CRL 1 ================
Issuer:
    CN=mydomain CA
    DC=mydomain

    DC=ru
CA Version: V4.0
CRL Number: CRL Number=1681
Delta CRL Indicator: Minimum Base CRL Number=1677
CRL Hash(sha1): a1 b9 a7 98 fe fa 30 86 2f 09 7d d9 2a b5 ed 1a 6b 40 b7 81

================ CRL 2 ================
Issuer:
    CN=mydomain CA
    DC=mydomain
    DC=ru
CA Version: V4.0
CRL Number: CRL Number=1677
CRL Hash(sha1): 18 d2 11 01 68 b6 32 b1 6b 2a 24 75 56 ea 56 a0 27 69 07 5a
CertUtil: -store command completed successfully.

************************************************************************************************************************

C:\CAConfig>certutil -TCAinfo
================================================================
CA Name: mydomain CA

Machine Name: ca.mydomain.ru

DS Location: CN=mydomain CA,CN=Enrollment Services,CN=Public Key Services,CN=Servi
ces,CN=Configuration,DC=mydomain,DC=ru

Cert DN: CN=mydomain CA, DC=mydomain, DC=ru

CA Expiration (Years): 1

Connecting to ca.mydomain.ru\mydomain CA ...
Server could not be reached: Server execution failed 0x80080005 (-2146959355)

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=4 dwErrorStatus=1000048
  Issuer: CN=mydomain CA Root, DC=mydomain, DC=ru
  Subject: CN=mydomain CA, DC=mydomain, DC=ru
  Serial: 61505f7c00030000000d
  Template: SubCA
  dc 90 96 9e 3e 10 6e 44 39 85 c3 cb ae 38 b2 4b bc ec 6c 96
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=mydomain CA Root, DC=mydomain, DC=ru
  Subject: CN=mydomain CA Root, DC=mydomain, DC=ru
  Serial: 71bb096f0958139c43d5cd6e049c57ed
  be 83 f9 0e 95 f9 bb 99 65 35 96 62 a9 99 19 18 21 90 64 63
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  dc 90 96 9e 3e 10 6e 44 39 85 c3 cb ae 38 b2 4b bc ec 6c 96
Full chain:
  7d b0 cc de b7 19 5d 65 62 5f fc 30 2c 72 0d b7 32 66 03 3c
  Issuer: CN=mydomain CA Root, DC=mydomain, DC=ru
  Subject: CN=mydomain CA, DC=mydomain, DC=ru
  Serial: 61505f7c00030000000d
  Template: SubCA
  dc 90 96 9e 3e 10 6e 44 39 85 c3 cb ae 38 b2 4b bc ec 6c 96
The signature of the certificate can not be verified. 0x80096004 (-2146869244)
------------------------------------

Supported Certificate Templates:
Cert Type[0]: IPSECIntermediateOffline (IPSec (Offline request))
Cert Type[1]: Computer(Non-Domain) (Computer (Non-Domain))
Cert Type[2]: WebServer(mydomain) (Web Server (mydomain))
Cert Type[3]: CodeSigning(mydomain) (Code Signing (mydomain))
Cert Type[4]: DirectoryEmailReplication (Directory Email Replication)
Cert Type[5]: DomainControllerAuthentication (Domain Controller Authentication)
Cert Type[6]: EFSRecovery (EFS Recovery Agent)
Cert Type[7]: EFS (Basic EFS)
Cert Type[8]: DomainController (Domain Controller)
Cert Type[9]: Machine (Computer)
Cert Type[10]: User (User)
Cert Type[11]: SubCA (Subordinate Certification Authority)
Validated Cert Types: 12

================================================================
ca.mydomain.ru\mydomain CA:
  The signature of the certificate can not be verified. 0x80096004 (-2146869244)

  OFFLINE

CertUtil: -TCAInfo command completed successfully.