Windows Server 2008 Certificate Services (ADCS) does not start, and error code 0x80070057 is generated when ADCS is reinstalled by using the "use existing keys" option in Windows Server 2008

Article ID: 966329 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

Consider the following scenario:
  • You reinstall the Active Directory Certificate Services (ADCS) role.
  • During the reinstallation process, the use existing keys option is selected.
In this scenario, the ADCS installation process is completed. However, Active Directory Certificate Services does not start, and the following Error event is logged:

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Event ID: 100
Task Category: None
Level: Error
Keywords: Classic
Description:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. <Key_Name> The parameter is incorrect. 0x80070057 (WIN32: 87).

Note <Key_Name> is the key container name that must be reused for the new certification authority (CA).

Additionally, notice that the following CA certificate signature was used in the first installation:
Signature Algorithm:
Algorithm ObjectId: <Object_ID>
Algorithm Parameters:...
Note <Object_ID> is the object identifier of the algorithm that was used for the original certificate for the sha1RSA element.

However, in this scenario, this signature has been changed to the following:
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
This algorithm implies an error.
Back to the top | Give Feedback

CAUSE

This problem occurs because of an error in the CA setup code that incorrectly tries to enforce the CA certificate creation process by using the RSA/SHA1 algorithm.
Back to the top | Give Feedback

RESOLUTION

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
(http://support.microsoft.com/contactus/?ws=support)
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.

Prerequisites

To apply this hotfix, you must have Windows Server 2008 installed.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Vista and Windows Server 2008 file information notes

The .manifest files and the .mum files that are installed in each environment are listed separately in the "Additional file information for Windows Server 2008 and for Windows Vista" section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.
For all supported x86-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Microsoft.windows.servermanager-ppdlic.xrm-msNot Applicable3,31911-Feb-200904:59Not Applicable
Microsoft.windows.servermanager.dll6.0.6001.223747,639,04011-Feb-200905:34x86
Certocm.dll6.0.6001.22374488,96011-Feb-200905:30x86
Certcli.dll6.0.6001.22374323,07211-Feb-200905:30x86
For all supported x64-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Certocm.dll6.0.6001.22374653,82411-Feb-200905:59x64
Certcli.dll6.0.6001.22374444,41611-Feb-200905:59x64
Microsoft.windows.servermanager-ppdlic.xrm-msNot Applicable3,31911-Feb-200905:29Not Applicable
Microsoft.windows.servermanager.dll6.0.6001.223747,639,04011-Feb-200906:02x86
For all supported IA-64-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Certcli.dll6.0.6001.22374861,69611-Feb-200904:46IA-64
Microsoft.windows.servermanager-ppdlic.xrm-msNot Applicable3,31911-Feb-200904:15Not Applicable
Microsoft.windows.servermanager.dll6.0.6001.223747,639,04011-Feb-200904:48x86
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top | Give Feedback

MORE INFORMATION

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
960809
(http://support.microsoft.com/kb/960809/ )
The Windows Server 2008 Online Certificate Status Protocol (OCSP) responder does not work with signing certificates that do not use the SHA1 algorithm
The Secure Hash Algorithm (SHA) hash functions are a set of cryptographic hash functions that are designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. The SHA-2 family uses the same algorithm but with a variable key size. These key sizes are distinguished as SHA-224, SHA-256, SHA-384, and SHA-512.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684
(http://support.microsoft.com/kb/824684/ )
Description of the standard terminology that is used to describe Microsoft software updates

Additional file information for Windows Server 2008

Additional files for all supported x86-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Msil_microsoft.windows.servermanager_31bf3856ad364e35_6.0.6001.22374_none_692874336a9ef2f6.manifestNot Applicable5,83611-Feb-200905:48Not Applicable
Package_for_kb966329_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,42211-Feb-200914:12Not Applicable
Package_for_kb966329_sc~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,42311-Feb-200914:12Not Applicable
Package_for_kb966329_server_0~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable2,37811-Feb-200914:12Not Applicable
Package_for_kb966329_server~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,43111-Feb-200914:12Not Applicable
Package_for_kb966329_winpesrv_0~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,42211-Feb-200914:12Not Applicable
Package_for_kb966329_winpesrv~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,43011-Feb-200914:12Not Applicable
X86_microsoft-windows-c..ervices-certocm-dll_31bf3856ad364e35_6.0.6001.22374_none_0a67809021fecb85.manifestNot Applicable59,04111-Feb-200905:53Not Applicable
X86_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.22374_none_d7bfa7c755fa4b31.manifestNot Applicable62,02811-Feb-200905:50Not Applicable
Additional files for all supported IA-64-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Ia64_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.22374_none_d7c14bbd55f8542d.manifestNot Applicable61,70011-Feb-200905:03Not Applicable
Msil_microsoft.windows.servermanager_31bf3856ad364e35_6.0.6001.22374_none_692874336a9ef2f6.manifestNot Applicable5,83911-Feb-200905:01Not Applicable
Package_for_kb966329_sc_0~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,42511-Feb-200914:12Not Applicable
Package_for_kb966329_sc~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,42711-Feb-200914:12Not Applicable
Package_for_kb966329_server_0~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,90811-Feb-200914:12Not Applicable
Package_for_kb966329_server~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,43511-Feb-200914:12Not Applicable
Package_for_kb966329_winpesrv_0~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,42611-Feb-200914:12Not Applicable
Package_for_kb966329_winpesrv~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,43311-Feb-200914:12Not Applicable
Additional files for all supported x64-based versions of Windows Server 2008
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Amd64_microsoft-windows-c..ervices-certocm-dll_31bf3856ad364e35_6.0.6001.22374_none_66861c13da5c3cbb.manifestNot Applicable59,08311-Feb-200906:21Not Applicable
Amd64_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.22374_none_33de434b0e57bc67.manifestNot Applicable61,71511-Feb-200906:18Not Applicable
Msil_microsoft.windows.servermanager_31bf3856ad364e35_6.0.6001.22374_none_692874336a9ef2f6.manifestNot Applicable5,84211-Feb-200906:15Not Applicable
Package_for_kb966329_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,43011-Feb-200914:12Not Applicable
Package_for_kb966329_sc~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,43111-Feb-200914:12Not Applicable
Package_for_kb966329_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable2,39411-Feb-200914:12Not Applicable
Package_for_kb966329_server~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,43911-Feb-200914:12Not Applicable
Package_for_kb966329_winpesrv_0~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,43011-Feb-200914:12Not Applicable
Package_for_kb966329_winpesrv~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,43811-Feb-200914:12Not Applicable
Back to the top | Give Feedback

Properties

Article ID: 966329 - Last Review: October 7, 2011 - Revision: 2.0
APPLIES TO
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
Keywords: 
kbsurveynew kbautohotfix kbexpertiseadvanced kbfix kbqfe KB966329
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top