Question
Monday, February 26, 2018 9:03 PM
I'm Back! :) Again.
I have feeling it's going to be Mark Cooper who answers this one.
I've been fighting with a PKI project for about a month now and it's been extremely painful for ONE major factor; CORE!
I love optimizing but in this case it has been really, really painful. Such as this bug which I've seen reported online for a long time. (Thanks Mark)
Then I had to fix a mistake I made in my Offline-Root-CA which showed a wrong CDP location in my PKI from the issued Sub-CA.
I'm actually currently working on fixing this issue and the reason for this post.
1) I first tried to simply take the existing CSR and re-issue it; no issues on the re-issue (lol). However, attempting to install the newly issued cert on the Sub CA resulted in the following:
CertUtil: -installcert command FAILED: 0x8007139f (WIN32: 5023 ERROR_INVALID_STATE)
CertUtil: The group or resource is not in the correct state to perform the requested operation.
At this point I had assumed it was due to the service being up and running, so from a remote mgmt machine via the CA snap-in MMC tool I shut down the services, and on the Sub-CA I also ran "CertUtil -Shutdown".
*SIDE QUESTION* What exactly does "CertUtil -shutdown" do? Does it simply stop the cert services on the local machine, or all AD Cert services? How do you revert this command? I couldn't find a "CertUtil -Start" or any equivalent command.
Having failed here due to my ignorance, I decided to Google in hopes of a solution. Sadly the best I could find was this.
First thing to note is yet more bugs in the CA snap-in tool when used remotely: on top of "Install CA Cert" literally not doing anything, once you install the cert via "CertUtil -installCert" the Sub-CA services come up fine, but will be missing context menus, in this case "Renew CA Certificate".
So I decided to try the other suggested workaround, "CertUtil RenewCert ReuseKeys". However, they received the following error:
CertUtil: -renewCert command FAILED: 0x80070003 (WIN32: 3)
CertUtil: The system cannot find the path specified.
I however get the following error:
CertUtil: -renewCert command FAILED: 0x80092004 (-2146885628 Crypt_E_NOT_FOUND)
CertUtil: Cannot find object or property.
I'm a bit stumped right now... How do I accomplish this task?
All replies (5)
Tuesday, February 27, 2018 2:22 AM ✅Answered | 1 vote
Just a quick update: I may have figured it out, I'll report back soon.
OK, I managed to get it to work after analyzing my cmd results. I indeed was getting the error stated above.
E:\CA stuff>certutil -renewCert ReuseKeys
CertUtil: -renewCert command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Cannot find object or property.
E:\CA stuff>certutil -shutdown
CertUtil: -shutdown command completed successfully.
E:\CA stuff>certutil -installcert -f Corp-Sub-CA-Signed-Cert.p7b
CertUtil: -installCert command FAILED: 0x8007139f (WIN32: 5023 ERROR_INVALID_STATE)
CertUtil: The group or resource is not in the correct state to perform the requested operation.
E:\CA stuff>certutil -renewcert
CertUtil: -renewCert command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Cannot find object or property.
E:\CA stuff>certutil -renewcert reusekeys
CertUtil: -renewCert command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
CertUtil: Cannot find object or property.
Clearly any attempt to force-install the new cert or request a new one was failing on me, even after shutting down the AD CS service. I initially tried these with the service started, with the same errors.
Then, following along with the registry query to verify the file location:
E:\CA stuff>sc query CertSvc
SERVICE_NAME: CertSvc
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
E:\CA stuff>net start CertSvc
The Active Directory Certificate Services service is starting.
The Active Directory Certificate Services service was started successfully.
E:\CA stuff>sc query CertSvc
SERVICE_NAME: CertSvc
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
E:\CA stuff>certutil -getreg CA\RequestFileName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Corp-Sub-CA\RequestFileName:
RequestFileName REG_SZ = C:\HostName.domain.com_corp-CA%4.req
CertUtil: -getreg command completed successfully.
E:\CA stuff>dir c:\
Volume in drive C has no label.
Volume Serial Number is 9E1A-913D
Directory of c:\
02/07/2018 04:32 PM 1,186 HostName.domain.com_corp-CA.req
02/07/2018 04:25 PM <DIR> inetpub
09/12/2016 03:53 AM <DIR> Logs
07/16/2016 05:18 AM <DIR> PerfLogs
03/29/2017 05:51 PM <DIR> Program Files
09/12/2016 03:56 AM <DIR> Program Files (x86)
11/02/2017 03:40 PM <DIR> Users
02/26/2018 02:21 PM <DIR> Windows
1 File(s) 1,186 bytes
7 Dir(s) 34,298,982,400 bytes free
E:\CA stuff>del C:\HostName.domain.com_corp-CA.req
So this is the same file that is created when you run the AD CS config wizard to set up the Enterprise Subordinate CA. Nothing special, but I did notice it didn't contain any trailing number; I'd assume this is because it is the original. Just for the heck of it I decided to delete it to see if it would make a difference. What are the chances... it worked!?!?
E:\CA stuff>certutil -renewcert
CertUtil: -renewCert command FAILED: 0x800704c7 (WIN32: 1223 ERROR_CANCELLED)
CertUtil: The operation was canceled by the user.
E:\CA stuff>certutil -renewcert reusekeys
CertUtil: -renewCert command FAILED: 0x8007139f (WIN32: 5023 ERROR_INVALID_STATE)
CertUtil: The group or resource is not in the correct state to perform the requested operation.
E:\CA stuff>certutil -shutdown
CertUtil: -shutdown command completed successfully.
E:\CA stuff>certutil -renewcert reusekeys
CertUtil: -renewCert command FAILED: 0x8007139f (WIN32: 5023 ERROR_INVALID_STATE)
CertUtil: The group or resource is not in the correct state to perform the requested operation.
E:\CA stuff>certutil -renewcert -f reusekeys
CertUtil: -renewCert command FAILED: 0x800704c7 (WIN32: 1223 ERROR_CANCELLED)
CertUtil: The operation was canceled by the user.
The only reason you see ERROR_CANCELLED is because you will get a little pop-up box requesting you to enter the computer name of the online issuer, with a tiny note inside that states that to send this request to an offline CA (which we are doing) you click Cancel, take the req file (path and name as shown in the reg query command) and manually issue it. So I took my new req file and signed it with my offline root CA.
E:\CA stuff>CertUtil -installcert Corp-Sub-CA-Resigned.p7b
CertUtil: -installCert command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.
E:\CA stuff>net stop CertSvc
The Active Directory Certificate Services service is not started.
More help is available by typing NET HELPMSG 3521.
E:\CA stuff>net start CertSvc
The Active Directory Certificate Services service is starting.
The Active Directory Certificate Services service was started successfully.
I hope this info helps others that come across this error. I might alter the question to more directly reflect the problem.
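As an added example (not code from the thread or from Microsoft), the sequence the reply above works through can be scripted as a checked procedure: resolve the active CA instance and its RequestFileName from the registry, stop CertSvc, move the leftover setup-time .req aside (kept, not deleted, so it stays available for audit), generate the renewal request on the existing key pair with `-f reusekeys`, and then, after the offline root has signed it, install the issued cert and start the service. The function names, the backup directory and the treatment of the `%4` token in RequestFileName (assumed to be the per-request sequence placeholder that the original setup request was written without, matching the dir listing above) are this example's own assumptions.

```powershell
# Added example (not code from the thread): the renewal sequence from the
# accepted reply as a checked PowerShell procedure. Run elevated on the
# subordinate CA. Function names and $BackupDir are hypothetical.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-CaRenewalState {
    # Resolve the active CA instance the way 'certutil -getreg CA\...' does:
    # the 'Active' value under Configuration names the per-CA subkey.
    $cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
    $caKey   = Join-Path $cfgRoot $caName
    $props   = Get-ItemProperty -Path $caKey -Name RequestFileName, SetupStatus
    # RequestFileName is a template such as C:\host_corp-CA%4.req. Assumption:
    # '%4' is filled in per request and the original setup request was written
    # without it, which is what the thread's dir listing shows.
    [pscustomobject]@{
        CaName          = $caName
        RequestTemplate = $props.RequestFileName
        StaleRequest    = ($props.RequestFileName -replace '%\d+', '')
        SetupStatus     = $props.SetupStatus
        Service         = (Get-Service -Name CertSvc).Status
    }
}

function New-CaRenewalRequest {
    param([string]$BackupDir = 'C:\CA-Backup')   # hypothetical location

    $state = Get-CaRenewalState
    Write-Host ("CA {0}: SetupStatus=0x{1:X}, CertSvc={2}" -f $state.CaName, $state.SetupStatus, $state.Service)

    # Step 1: stop the service ('certutil -shutdown' does the same; there is
    # no certutil start, so Start-Service is used after installation).
    if ($state.Service -eq 'Running') { Stop-Service -Name CertSvc -Force }

    # Step 2: per the thread, the leftover setup-time .req is what made
    # -renewcert fail with CRYPT_E_NOT_FOUND. Move it aside rather than
    # deleting it, so the original request stays available for audit.
    if (Test-Path -LiteralPath $state.StaleRequest) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $leaf = Split-Path -Path $state.StaleRequest -Leaf
        $dest = Join-Path $BackupDir ('{0}.{1}.bak' -f $leaf, (Get-Date -Format 'yyyyMMdd-HHmmss'))
        Move-Item -LiteralPath $state.StaleRequest -Destination $dest
        Write-Host "Moved stale request to $dest"
    }

    # Step 3: build the renewal request on the existing key pair. certutil
    # shows a dialog asking for the online parent; for an offline root you
    # click Cancel and the call returns ERROR_CANCELLED (0x800704C7), which
    # is expected here and must not be treated as a failure.
    & certutil.exe -renewcert -f reusekeys | Out-Host
    $hr = $LASTEXITCODE
    if ($hr -ne 0 -and $hr -ne -2147023673) {   # -2147023673 == 0x800704C7 as Int32
        throw ('certutil -renewcert failed with 0x{0:X8}' -f $hr)
    }

    # Locate the request file that was just written (template name with the
    # %n token expanded) and hand it to the operator for offline signing.
    $dir    = Split-Path -Path $state.StaleRequest -Parent
    $filter = (Split-Path -Path $state.StaleRequest -Leaf) -replace '\.req$', '*.req'
    $newReq = Get-ChildItem -Path $dir -Filter $filter -File |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newReq) { throw "No new request file found in $dir" }
    Write-Host "Sign this on the offline root: $($newReq.FullName)"
    return $newReq.FullName
}

function Install-RenewedCaCert {
    # Step 4: after the offline root has issued the cert (.p7b or .cer),
    # install it and bring CertSvc back up.
    param([Parameter(Mandatory)][string]$IssuedCertPath)
    if (-not (Test-Path -LiteralPath $IssuedCertPath)) { throw "Not found: $IssuedCertPath" }
    & certutil.exe -installcert $IssuedCertPath | Out-Host
    if ($LASTEXITCODE -ne 0) { throw ('certutil -installcert failed with 0x{0:X8}' -f $LASTEXITCODE) }
    Start-Service -Name CertSvc
    (Get-Service -Name CertSvc).Status
}

# Usage (two phases, with the offline signing done in between):
#   New-CaRenewalRequest -BackupDir 'D:\CA-Backup'
#   Install-RenewedCaCert -IssuedCertPath 'E:\CA stuff\Corp-Sub-CA-Resigned.p7b'
```

The split into two functions mirrors the air gap: the first phase ends with the request file path, the second phase only starts once the issued .p7b is back on the subordinate CA. Treating ERROR_CANCELLED as success is deliberate and narrow: any other non-zero exit from certutil still throws, so a genuine CRYPT_E_NOT_FOUND or ERROR_INVALID_STATE is not masked.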
Wednesday, February 28, 2018 7:02 AM
Hi,
Thank you very much for the detailed steps; they will be very helpful for other users.
Best Regards
Cartman
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]
Wednesday, February 28, 2018 6:42 PM
Sorry I didn't see this in time; generally, reusing the same request file is unsupported. But this is a nice workaround, as deleting the request file allows ADCS to create a new request file.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com
Thursday, March 1, 2018 8:43 PM
Thanks guys!
I also noticed that "certUtil -Shutdown" is literally just "net stop CertSvc".
However, there is no CertUtil equivalent for "net start CertSvc".
Wednesday, April 1, 2020 5:13 PM
Old thread, but if the error is stuck at 'WIN32: 5023 ERROR_INVALID_STATE' you can fix it by setting the following registry key back to the default of 1:
system\currentcontrolset\services\certsvc\configuration\{CA}\SetupStatus
This will allow the GUI or command-line renewal to work as normal again.
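As an added example (not code from the thread), the SetupStatus reset described in the last reply can be done in a way that records the previous value before changing it, so the change can be reverted if it turns out not to be the cause of the ERROR_INVALID_STATE. The CA instance is resolved from the `Active` value under the CertSvc Configuration key; the function names and the log location under `$env:TEMP` are this example's own choices, and stopping and starting CertSvc around the edit is an assumption made so that the service reads the new value.

```powershell
# Added example, not code from the thread: inspect SetupStatus for the
# active CA and reset it to 1 as the reply suggests, keeping a record of
# the previous value. Run elevated on the CA; the log path is hypothetical.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caKey   = Join-Path $cfgRoot $caName

function Get-CaSetupStatus {
    # SetupStatus is a DWORD under the per-CA configuration subkey.
    (Get-ItemProperty -Path $caKey -Name SetupStatus).SetupStatus
}

function Reset-CaSetupStatus {
    param([int]$Expected = 1)   # the default value the reply refers to
    $current = Get-CaSetupStatus
    Write-Host ("{0}: SetupStatus is 0x{1:X} ({1})" -f $caName, $current)
    if ($current -eq $Expected) {
        Write-Host 'Already at the default; nothing to change'
        return
    }

    # Keep the old value so the edit can be reverted if it was not the cause.
    $log = Join-Path $env:TEMP ('SetupStatus-{0}-{1}.txt' -f $caName, (Get-Date -Format 'yyyyMMddHHmmss'))
    ('{0} SetupStatus was 0x{1:X} ({1})' -f $caName, $current) | Set-Content -Path $log

    # Assumption: the service reads its configuration at start, so bounce it
    # around the edit rather than editing underneath a running CertSvc.
    Stop-Service -Name CertSvc -Force -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $caKey -Name SetupStatus -Value $Expected -Type DWord
    Start-Service -Name CertSvc
    Write-Host "SetupStatus set to $Expected; previous value recorded in $log"
}

Reset-CaSetupStatus
```

The same write can be done with `certutil -setreg CA\SetupStatus 1`, the counterpart of the `certutil -getreg` call used earlier in the thread; the PowerShell form is used here only so the old value is captured first.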