Recovery Operation for Certificate Server May Invalidate Certificate Authority Keys

ID: Q235964

The information in this article applies to:

Microsoft Windows NT Server version 4.0 SP4
Microsoft Windows NT Workstation version 4.0 SP4
Microsoft Windows NT Server, Enterprise Edition version 4.0 SP4
Microsoft Certificate Server version 1.0
Microsoft Internet Information Server version 4.0

SYMPTOMS

If you back up certificate files from an existing certificate server and restore them to a second certificate server, when you reinstall the second certificate server you may find that the key at the end of the Use Existing Keys list in the Setup window is invalid. In addition, the key that corresponds to your Certificate Authority name may be invalid.

CAUSE

This behavior occurs because the SYSOCMGR command used to reinstall Certificate Server adds an invalid key to the registry.

STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.

MORE INFORMATION

For more information about Certificate Server, refer to the following Release Notes included with Microsoft Windows NT 4.0 Option Pack:

Microsoft Certificate Server Version 1.0 Release Notes

Internet Information Server Version 4.0 Release Notes

To ensure successful installation, the new certificate server must be based on the code obtained from the Certificate Server QFE. The Certificate Server QFE is available at the following FTP site:

ftp. microsoft.com\bussys\iis-public\fixes\usa\certserv

For additional information about how to restore a certificate server and the tools involved, please see the following articles in the Microsoft Knowledge Base:

Q184695 Readme Notes for Certificate Server Update

Q185195 How to Use Key and Certificate Backup/Restore Utility

Additional query words: security garbage


Keywords          : kbinterop kbtool kbbug4.00 kbfix4.00 
Version           : winnt:1.0,4.0,4.0 SP4
Platform          : winnt 
Issue type        : kbprb

Last Reviewed: July 21, 1999