Windows Server 2008 Certificate Services (ADCS) does not start, and error code 0x80070057 is generated when ADCS is reinstalled by using the "use existing keys" option in Windows Server 2008

Applies to: Windows Server 2008 DatacenterWindows Server 2008 EnterpriseWindows Server 2008 Standard


Consider the following scenario:
  • You reinstall the Active Directory Certificate Services (ADCS) role.
  • During the reinstallation process, the use existing keys option is selected.
In this scenario, the ADCS installation process is completed. However, Active Directory Certificate Services does not start, and the following Error event is logged:Note <Key_Name> is the key container name that must be reused for the new certification authority (CA).

Additionally, notice that the following CA certificate signature was used in the first installation:
Signature Algorithm:
Algorithm ObjectId: <Object_ID>Algorithm Parameters:...
Note <Object_ID> is the object identifier of the algorithm that was used for the original certificate for the sha1RSA element.

However, in this scenario, this signature has been changed to the following:
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
This algorithm implies an error.


This problem occurs because of an error in the CA setup code that incorrectly tries to enforce the CA certificate creation process by using the RSA/SHA1 algorithm.


Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.


To apply this hotfix, you must have Windows Server 2008 installed.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Vista and Windows Server 2008 file information notes

The .manifest files and the .mum files that are installed in each environment are listed separately in the "Additional file information for Windows Server 2008 and for Windows Vista" section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.
For all supported x86-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform Applicable3,31911-Feb-200904:59Not Applicable,639,04011-Feb-200905:34x86
For all supported x64-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Certcli.dll6.0.6001.22374444,41611-Feb-200905:59x64 Applicable3,31911-Feb-200905:29Not Applicable,639,04011-Feb-200906:02x86
For all supported IA-64-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Certcli.dll6.0.6001.22374861,69611-Feb-200904:46IA-64 Applicable3,31911-Feb-200904:15Not Applicable,639,04011-Feb-200904:48x86


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
960809 The Windows Server 2008 Online Certificate Status Protocol (OCSP) responder does not work with signing certificates that do not use the SHA1 algorithm

The Secure Hash Algorithm (SHA) hash functions are a set of cryptographic hash functions that are designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. The three SHA algorithms are structured differently and are distinguished as SHA-0, SHA-1, and SHA-2. The SHA-2 family uses the same algorithm but with a variable key size. These key sizes are distinguished as SHA-224, SHA-256, SHA-384, and SHA-512.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional file information for Windows Server 2008

Additional files for all supported x86-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform Applicable5,83611-Feb-200905:48Not Applicable
Package_for_kb966329_sc_0~31bf3856ad364e35~x86~~ Applicable1,42211-Feb-200914:12Not Applicable
Package_for_kb966329_sc~31bf3856ad364e35~x86~~ Applicable1,42311-Feb-200914:12Not Applicable
Package_for_kb966329_server_0~31bf3856ad364e35~x86~~ Applicable2,37811-Feb-200914:12Not Applicable
Package_for_kb966329_server~31bf3856ad364e35~x86~~ Applicable1,43111-Feb-200914:12Not Applicable
Package_for_kb966329_winpesrv_0~31bf3856ad364e35~x86~~ Applicable1,42211-Feb-200914:12Not Applicable
Package_for_kb966329_winpesrv~31bf3856ad364e35~x86~~ Applicable1,43011-Feb-200914:12Not Applicable
X86_microsoft-windows-c..ervices-certocm-dll_31bf3856ad364e35_6.0.6001.22374_none_0a67809021fecb85.manifestNot Applicable59,04111-Feb-200905:53Not Applicable
X86_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.22374_none_d7bfa7c755fa4b31.manifestNot Applicable62,02811-Feb-200905:50Not Applicable
Additional files for all supported IA-64-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Ia64_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.22374_none_d7c14bbd55f8542d.manifestNot Applicable61,70011-Feb-200905:03Not Applicable Applicable5,83911-Feb-200905:01Not Applicable
Package_for_kb966329_sc_0~31bf3856ad364e35~ia64~~ Applicable1,42511-Feb-200914:12Not Applicable
Package_for_kb966329_sc~31bf3856ad364e35~ia64~~ Applicable1,42711-Feb-200914:12Not Applicable
Package_for_kb966329_server_0~31bf3856ad364e35~ia64~~ Applicable1,90811-Feb-200914:12Not Applicable
Package_for_kb966329_server~31bf3856ad364e35~ia64~~ Applicable1,43511-Feb-200914:12Not Applicable
Package_for_kb966329_winpesrv_0~31bf3856ad364e35~ia64~~ Applicable1,42611-Feb-200914:12Not Applicable
Package_for_kb966329_winpesrv~31bf3856ad364e35~ia64~~ Applicable1,43311-Feb-200914:12Not Applicable
Additional files for all supported x64-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Amd64_microsoft-windows-c..ervices-certocm-dll_31bf3856ad364e35_6.0.6001.22374_none_66861c13da5c3cbb.manifestNot Applicable59,08311-Feb-200906:21Not Applicable
Amd64_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.22374_none_33de434b0e57bc67.manifestNot Applicable61,71511-Feb-200906:18Not Applicable Applicable5,84211-Feb-200906:15Not Applicable
Package_for_kb966329_sc_0~31bf3856ad364e35~amd64~~ Applicable1,43011-Feb-200914:12Not Applicable
Package_for_kb966329_sc~31bf3856ad364e35~amd64~~ Applicable1,43111-Feb-200914:12Not Applicable
Package_for_kb966329_server_0~31bf3856ad364e35~amd64~~ Applicable2,39411-Feb-200914:12Not Applicable
Package_for_kb966329_server~31bf3856ad364e35~amd64~~ Applicable1,43911-Feb-200914:12Not Applicable
Package_for_kb966329_winpesrv_0~31bf3856ad364e35~amd64~~ Applicable1,43011-Feb-200914:12Not Applicable
Package_for_kb966329_winpesrv~31bf3856ad364e35~amd64~~ Applicable1,43811-Feb-200914:12Not Applicable