If a restore of a backed-up CA private key and database fails with a bad key error (0x80090003), you might need to import the root CA key when you install the CA server: check "Use custom settings to generate the key pair and CA certificate", then "Use an existing key", which lets you browse to a key file to import.
1. When you restore the CA database, it expects the same CA storage path. By default, the CA creates the database and log files under c:\WINDOWS\system32\certlog. When you restore to another machine, it should have the same path.
2. Enabling debug logging
- certutil -setreg ca\debug 0xffffffe3
Log files are in %systemroot%\cert*.log
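
The two checks above can be scripted on the target server before retrying the restore. This is an added example, not part of the original note: it assumes the CA role is already installed, that the source CA used the default path (change $expected otherwise), and that CertSvc keeps its database locations in the DBDirectory, DBLogDirectory, DBSystemDirectory and DBTempDirectory registry values.

```powershell
# Added example: read-only pre-restore checks on the target CA server.
# Assumption: the source CA used the default storage path; edit $expected if it did not.
$expected = 'C:\WINDOWS\system32\certlog'
$cfgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# CertSvc records where its database and log files live in these values.
$names = 'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory'

# Fails here if the CA role has not been installed on this machine yet.
$props = Get-ItemProperty -Path $cfgKey -ErrorAction Stop

$report = foreach ($name in $names) {
    # Expand %SystemRoot%-style values and drop a trailing backslash before comparing.
    $actual = [Environment]::ExpandEnvironmentVariables([string]$props.$name).TrimEnd('\')
    [pscustomobject]@{
        Value   = $name
        Actual  = $actual
        Exists  = [bool]($actual -and (Test-Path -LiteralPath $actual))
        Matches = ($actual -ieq $expected.TrimEnd('\'))
    }
}
$report | Format-Table -AutoSize

$bad = @($report | Where-Object { -not $_.Matches -or -not $_.Exists })
if ($bad.Count -gt 0) {
    Write-Warning ("Storage path differs from the source CA for: " +
        ($bad.Value -join ', ') + ". The restore expects the same path.")
}

# With debug logging enabled, look for the bad key error in the cert*.log files.
$logs = Join-Path $env:SystemRoot 'cert*.log'
Select-String -Path $logs -Pattern '0x80090003' -SimpleMatch -ErrorAction SilentlyContinue |
    Select-Object -Last 20 -Property Path, LineNumber, Line |
    Format-List
```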