I have a new CA running on Windows 2008 R2 which is failing to start after a reboot. The SubCA certificate's private key permissions were "updated" in an ill-conceived attempt to provide read access for a softcert recovery process via Network Service.
The CA fails to restart and in the event viewer application logs we see:
--------------------
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 9/22/2014 3:59:44 PM
Event ID: 100
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: SERVERNAME
Description:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. CA-NAME An internal error occurred. 0x80090020 (-2146893792).
-----------------
When trying to view the private key permissions through the MMC snap-in, a pop-up reports that an internal error occurred.
We are also seeing warnings in the application logs:
----------------
The application-specific permission settings do not grant Local Launch permission for the COM Server application with the CLSID related to certsrv.exe, but its configuration matches a working CA when checked with the Component Services snap-in.
-----------------
Is there a way to use certutil -repairstore or other means to reset the default permissions on the private key and allow the CA to start? The CA is HSM attached for CSP and the security world is online and available.
Thanks for any information or tips; searching did not turn up any leads for this that I could find.