Certificate request fails with error message "Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)".

Assume the following scenario:

  • A user requests a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The certificate template is set up for archiving private keys.
  • The certificate request fails with the following error message:
Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)

Cause

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

The cause is that the certification authority has not configured a suitable Key Recovery Agent (KRA) certificate. If the certification authority is configured with KRA certificates, the cause must be sought in these.

The event display of the certification authority (Event no. 84) provides further information about the causes. In this case, the revocation status of the KRA certificates could not be checked, so that they could not be used by the certification authority.

Active Directory Certificate Services will not use key recovery certificate 0 because it could not be verified for use as a Key Recovery Agent. CN=Administrator, CN=Users, DC=intra, DC=adcslabor, DC=en The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

The certification authority will accordingly refuse to archive private keys (Event No. 98).

Active Directory Certificate Services encountered errors validating configured key recovery certificates. Requests to archive private keys will no longer be accepted.

For security reasons, certificate requests that require archiving private keys are denied to prevent data loss from occurring (Event no. 22).

Active Directory Certificate Services could not process request 20 due to an error: Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA). The request was for INTRA\rudi. Additional information: Error Archiving Private Key

4 thoughts on “Die Beantragung eines Zertifikats schlägt fehl mit Fehlermeldung „Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)“”

Comments are closed.

en_USEnglish