Hello All.
I've found myself with an odd issue. A few months ago I migrated from an old 2008R2 Enterprise CA to a new 2012R2 Core Enterprise CA. I exported the Root CA cert from the old server using the following:
certutil.exe -backupkey C:\Temp\Migration
That made a P12 file with the private key. I then imported the Root CA on the new server (after decommissioning the old server, installing ADCS, etc.) using this command:
certutil.exe -importpfx "blah.p12"
I continued the rest of the CA Migration steps per TechNet articles (http://technet.microsoft.com/en-us/library/31eca881-0744-447a-ae7a-597310b9d9bf(v=ws.10)#BKMK_PrepDest and http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx).
Things have been fine for months but I wanted to do a scheduled backup of our CA cert and got an error:
C:\Scripts>Certutil.exe -p Blah -backupkey CABackup
CertUtil: -backupKey command FAILED: 0x8009000b (-2146893813 NTE_BAD_KEY_STATE)
CertUtil: Key not valid for use in specified state.
This error appears to be because my Root CA cert is marked as non-exportable. I verified this by using the Certificates MMC and the option is greyed out.
My understanding is that importing a PFX with no options marks the private key as exportable, but for some reason mine didn't. I'm not sure why, but the issue at hand is to fix this for the future.
I can see 2 possible options: to re-import the P12 file (I still have the original file) or to possibly renew the Root CA certificate, although I'm not sure if that will allow it to be exportable.
We have a lot of certificates issued by this new CA so I'm looking for suggestions or caveats since I can't find anyone else with similar issues.
Thanks!