We currently have our own production PKI environment set up, complete with an HSM backend. In a nutshell, we are running into a problem where ADCS is notifying us, with 86 and 88 errors, that it cannot use the CSP. With a previous version of the software, the CAExchange certificate was published to the HSM, but we have upgraded the software since then and these warnings are now appearing. I revoke the CAExchange certificate, stop and start ADCS, and the 86 and 88 warnings come up (the CAExchange certificate comes back after I refresh the Enterprise PKI listing). To create a new CAExchange certificate after revoking an old one, does ADCS need the ability to revoke the certificate on the HSM itself before being able to create a new one, or should it just be able to create a new one without being able to access the older one?
If ADCS does indeed need access to the key of the old CAExchange certificate to revoke it, how do I go about exporting it from the Microsoft Strong Cryptographic Provider so I can import it into the HSM?
The ADCS starts fine and can publish new CRLs as its private key is also located on the same partition in the HSM utilising the same CSP.
86: Active Directory Certificate Services could not use the provider specified in the registry for encryption keys. Keyset does not exist 0x80090016 (-2146893802)
88: Active Directory Certificate Services switched to the default provider for encryption keys. Microsoft Strong Cryptographic Provider
I run the commands 'certutil -getreg ca\encryptionCSP' and then 'certutil -csp "provider listed in previous command" -csptest', and the command completes successfully.
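The checks the post walks through, gathered into one script as an added example (this is not code from the original post or from the poster's environment). It reads the CA's signing and encryption provider settings from the CertSvc registry key, runs the same -csptest the post describes against the encryption provider, lists the key containers that provider can see, and asks the running CA for its current exchange certificate. It assumes the script runs on the CA host as an administrator, that certutil is on PATH, and that the Active value under the Configuration key names the CA; the key and value names used are the standard CertSvc registry layout.

```powershell
# Added example: compare the CA's signing CSP with its encryption CSP and check
# whether the encryption provider is reachable and actually holds key containers.
# Assumption: run elevated on the CA host; 'Active' under Configuration names the CA.
$configPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName     = (Get-ItemProperty -Path $configPath).Active
$signCsp    = Get-ItemProperty -Path "$configPath\$caName\CSP"
$encCsp     = Get-ItemProperty -Path "$configPath\$caName\EncryptionCSP"

"CA name        : $caName"
"Signing CSP    : $($signCsp.Provider) (ProviderType $($signCsp.ProviderType))"
"Encryption CSP : $($encCsp.Provider) (ProviderType $($encCsp.ProviderType))"

# The exchange (encryption) key is expected to live in the provider named here;
# note when it differs from the provider that holds the CA signing key.
if ($signCsp.Provider -ne $encCsp.Provider) {
    Write-Warning 'Signing and encryption providers differ'
}

# Same check the post performs: does the encryption provider load and self-test?
certutil -csp "$($encCsp.Provider)" -csptest

# Which key containers can that provider enumerate? If the exchange key is held
# by the HSM provider, its container should appear in this list.
certutil -key -csp "$($encCsp.Provider)"

# What the running CA currently reports as its CA exchange certificate
# (the certificate backing the "keyset" that event 86 says does not exist).
certutil -cainfo xchg
```

Run the script once before and once after a service restart; comparing the container list from 'certutil -key' with the certificate returned by 'certutil -cainfo xchg' shows whether the exchange certificate the CA hands out is backed by a key in the HSM provider or by one in the software provider that event 88 reports falling back to.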