Not able to request certificate with private key archival enabled.

Hi all,

Recently I worked on a case where a certificate could not be requested using a template configured to archive the private key. The request failed with the following error message: “Cannot archive private key. The certification authority is not configured for key archival. Error archiving Private Key. Cannot archive private key. The certification authority is not configured for key archival. 0x8009400a (-2146877430)”. On Windows Vista it looked like this:

Picture 1: Vista OS, error message while requesting the certificate.

Picture 2: Windows 2003, error message while requesting the certificate.

In order to request a certificate based on a template that allows the private key to be archived, you have to ensure that the CA itself is configured for key archival.

Picture 4: Certificate template with private key archival enabled.

Check that the CA is configured for key archival and that it has a valid Key Recovery Agent (KRA) certificate. In my case, key archival was enabled but we were still facing the issue.

Picture 5: The CA asks you to restart the CA service after enabling a recovery agent.

When you enable a KRA, the CA asks you to restart the CA service. If you don’t, the KRA certificate is not loaded by the running service, and the status column for that certificate shows “NOT LOADED”.

Picture 6: The KRA certificate status showing Not Loaded.

The solution was to restart the CA service; after that the KRA certificate status changed to Valid. Once the CA service had been restarted, we could request the certificate.
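To make the checks above repeatable, here is a PowerShell script I would run on the CA itself. It is an added example, not something from the original post or from Microsoft: it reads the CA's key-archival settings from the CertSvc registry configuration (the `KRACertUsedCount` and `KRACertHash` values), asks certutil for the runtime status of the KRA certificates (the `-cainfo kra` verb), and restarts CertSvc only when a KRA certificate is configured but not loaded. It assumes an elevated prompt on the CA host; the `Not Loaded` match string is an assumption based on the status column shown in the MMC.

```powershell
<#
  Added example, not part of the original post.
  Checks whether the local AD CS CA is actually ready to archive private keys
  (the condition behind error 0x8009400a) and optionally restarts CertSvc so a
  newly added KRA certificate gets loaded.
  Assumptions: runs elevated on the CA host; standard AD CS registry value names.
#>
[CmdletBinding()]
param(
    [switch]$RestartIfNeeded   # restart CertSvc when a KRA cert is configured but not loaded
)

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The 'Active' value names the CA whose settings live in the sub-key of the same name.
$caName = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caCfg  = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# KRACertUsedCount: number of recovery agents the CA uses for each archived key
# (0 means the CA is set to "Do not archive the key").
# KRACertHash: thumbprints of the KRA certificates added on the Recovery Agents tab.
$usedCount = [int]($caCfg.KRACertUsedCount)
$hashes    = @($caCfg.KRACertHash | Where-Object { $_ })

Write-Host "CA: $caName"
Write-Host "KRACertUsedCount: $usedCount, KRA certificates configured: $($hashes.Count)"

if ($usedCount -eq 0 -or $hashes.Count -eq 0) {
    Write-Warning "Key archival is not enabled on this CA. Enable it on the CA's Recovery Agents tab first."
    return
}

# The registry only says what is configured. Whether the running service has
# loaded the KRA certificate is runtime state, which certutil reports per KRA.
$kraReport = & certutil.exe -cainfo kra 2>&1 | Out-String
Write-Host $kraReport

# Assumed match string: a KRA certificate the service has not picked up shows
# as "Not Loaded", the same wording as the status column in the CA MMC.
$notLoaded = $kraReport -match 'Not Loaded'

if (-not $notLoaded) {
    Write-Host 'All configured KRA certificates are loaded; archival requests should succeed.'
    return
}

Write-Warning 'A KRA certificate is configured but has not been loaded by the running CA service.'
if ($RestartIfNeeded) {
    # CertSvc reads KRACertHash at start-up, so a restart is what loads the new KRA cert.
    Restart-Service -Name CertSvc -Force
    & certutil.exe -cainfo kra
} else {
    Write-Host 'Re-run with -RestartIfNeeded (or run: net stop certsvc; net start certsvc).'
}
```

Run it once after adding a recovery agent and once after the restart; the second run should no longer report a Not Loaded certificate, which matches the Valid status in the picture below.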

Picture 7: After restarting the CA service, the KRA certificate status shows Valid.