Assume the following scenario:
- A certification authority is installed.
- The installation is successful, but the Certificate Authority service does not start after the installation.
- When trying to start the Certificate Authority service from the Certificate Authority Management Console, you receive the following error message:
The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND) The policy module for a CA is missing or incorrectly registered. To view or change policy module settings, right-click on the CA, click Properties, and then click the Policy Module tab.
A corresponding Event with no. 100 can also be found in the event display of the certification authority:
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. ADCS Labor Root CA The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND).
Possible causes
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
The error message in the Certificate Authority Management Console is confusing because it talks about a faulty policy module, but it is not the cause of the problem.
CACertHash Registry value empty
The error will occur if the "CACertHash" value in the certificate authority registry is empty.
This is located in the following path:
HKLM\System\CurrentControlSet\Services\CertSvc\Configuration\{Common-name-of-certification authority}
See also article "The certification authority service does not start and throws the error message "The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)"." for more information.
CACertHash Registry value refers to non-existent certificate
The error will occur if the CACertHash registry value is referenced to a certificate authority certificate that does not exist on the server, for example because it was issued after the Restore from backup or Migration to another server has not yet been restored.
See also:
- Restoration of a Certification Authority Certificate with Hardware Security Module (HSM)
- Restoration of a certification authority certificate with software key
No authorization in the Key Storage Provider (KSP) of the hardware security module
In this case, a SafeNet hardware security module was used.
During the installation of the certificate authority, only the installing user's account was authorized to the Hardware Security Module (HSM) partition in the SafeNet Key Storage Provider Config Wizard.
The installation of the certificate authority was successful, but afterwards the service did not start.
The certificate authority service is run with the identity "NT Authority\SYSTEM". This account must also be authorized to the partition of the HSM that is used.
5 thoughts on “Der Zertifizierungsstellen-Dienst startet nicht und wirft die Fehlermeldung „The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)“”
Comments are closed.