CA restore fails from time to time

Customers reported that their CA restore failed. The symptom is:

When migrating an issuing CA whose keys are protected by an nCipher Security World module key, the migration works with the existing certificate once the certificate has been imported and the private key has been associated with it using certutil -repair.

If the private key requires interaction with the desktop, the associated certificate will not appear in the certificate list.


Resolution:

It seems to be a known issue.

There is a workaround:

1) Verify that the certificate is truly functional by running certutil -verifystore my

2) Check in the output that the key is protected by the nCipher Enhanced CSP and passes all tests

3) When you run the wizard, state that you want to use an existing private key (yes, this creates a new certificate)

4) After restore, either restore the previous registry from the other CA, or modify the following registry key to use the original certificate's thumbprint:

HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\CACertHash

(where <CAName> is the name of the CA instance)
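The following PowerShell script is an added example of steps 1 to 4 above; it is not part of the original post and not an nCipher or Microsoft tool. It verifies the original CA certificate with certutil -verifystore, backs up the CA's registry configuration, and then writes the original certificate's thumbprint into CACertHash. The thumbprint is passed in as a parameter (placeholder: you take it from the source CA); the space-separated lowercase hex format of the CACertHash entries and the use of the "Active" value to find the CA name are assumptions noted in the comments.

```powershell
# Added example (not from the original post): after the restore wizard has
# generated a new CA certificate, point CertSvc back at the original CA
# certificate by writing its thumbprint into CACertHash.
# Run on the restored CA with administrative rights.

param(
    # Thumbprint (SHA-1 hex) of the ORIGINAL CA certificate. Assumed to be
    # copied from 'certutil -verifystore my' on the source CA. Placeholder.
    [Parameter(Mandatory = $true)]
    [string]$OriginalThumbprint
)

$thumb = ($OriginalThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) { throw "Expected a 40-hex-digit SHA-1 thumbprint." }

# Step 1/2: the certificate must be in the local machine MY store with a
# private key attached (this is what 'certutil -repair' establishes).
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumb has no associated private key; run certutil -repair first."
}

# Run the same verification the note relies on and check the output names
# the nCipher CSP. certutil output is parsed loosely; it is not a stable API.
$verify = & certutil.exe -verifystore my $thumb 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "certutil -verifystore reported a failure:`n$verify" }
if ($verify -notmatch 'nCipher') {
    Write-Warning "certutil did not report an nCipher provider for this key; check the provider before continuing."
}

# Step 4: locate the active CA's configuration key. Assumption: the 'Active'
# value under Configuration holds the CA name (the <CAName> in the note's path).
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caKey   = Join-Path $cfgRoot $caName

# Back up the CA's registry configuration before changing anything, so the
# change can be reverted if the service fails to start afterwards.
$backup = Join-Path $env:TEMP "CertSvc-$caName-$(Get-Date -Format yyyyMMddHHmmss).reg"
& reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup to $backup failed; not modifying CACertHash." }

# CACertHash is REG_MULTI_SZ, one entry per CA certificate version. The entry
# format (lowercase hex byte pairs separated by spaces) is assumed to match
# what 'certutil -getreg ca\CACertHash' prints.
$formatted = ($thumb.ToLowerInvariant() -split '(..)' | Where-Object { $_ }) -join ' '
Set-ItemProperty -Path $caKey -Name CACertHash -Value @($formatted) -Type MultiString

Write-Host "CACertHash on '$caName' now points at $thumb (backup: $backup)."
Write-Host "Restart the service to apply: Restart-Service CertSvc"
```

Writing a single entry replaces the whole CACertHash list. If the source CA had been renewed before and carried several certificate hashes, prefer the first option in step 4 (restoring the exported registry from the other CA) so that older CA certificate versions remain known to CertSvc; the script's backup file lets you compare the two values before restarting the service.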