Scenario

You have renewed the “Certificate Authority” in the lab and for some reason need to revert the change.

So that the certificate authority continues to issue certificates and sign CRLs with its old key pair.

This might be helpful in case you do not want to import the previously backed-up config because it is corrupt, OR you do not have a valid backup.

Steps

I have renewed the certificate authority as per https://technet.microsoft.com/en-us/library/cc962077.aspx

As you may know, every time you renew the certificate authority, a new certificate is created and added to the local machine store OR the HSM device, and a mapping is created so that your CA knows which key pair to use when it issues a new cert or signs a CRL.

You can verify this by going to “Properties” of your CA and looking at the “General” tab. Here is a pic from my CA.

[Screenshot #1: CA Properties, General tab, listing the CA certificates]

The sample CA had been using the key pair associated with “Certificate #2” to sign new requests and CRLs, so after renewal it uses “Certificate #3” for signing.

  1. The Certificate Authority saves this config under
    1.  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\MyCA, in the “CACertHash” value.


The entries in that value are the thumbprints of the CA certificates seen in screenshot #1.

So, removing the last thumbprint from the above value and restarting the service makes the Certificate Authority go one level back and use the previous key pair.

Note: You might want to back up your registry before making any changes, as per this article https://support.microsoft.com/en-in/kb/322756, so that you can restore it at any time in case of unexpected issues.
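The steps above (back up the key, drop the newest thumbprint from CACertHash, restart the service, verify) as one PowerShell script. This is an added example, not the author's own script; it assumes it is run elevated on the CA host, that the CA's common name is MyCA as in the post, and that CACertHash is a REG_MULTI_SZ value holding one thumbprint per entry, oldest first.

```powershell
# Added example (not from the original post): roll the CA back to its previous
# key pair by removing the newest thumbprint from CACertHash.
# Assumptions: elevated session on the CA host; $CAName is the CA common name;
# CACertHash is REG_MULTI_SZ, oldest certificate first, renewed certificate last.
param(
    [string]$CAName = 'MyCA',   # CA name used in the post
    [switch]$DryRun             # show what would change without touching the registry
)
$ErrorActionPreference = 'Stop'

$keyPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
$exportKey = "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"

# 1. Back up the CA configuration key before changing anything (KB 322756).
$backup = Join-Path $env:TEMP ("CertSvc-$CAName-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $exportKey $backup /y | Out-Null
Write-Host "Registry backup written to $backup"

# 2. Read the current list of CA certificate thumbprints.
$hashes = @((Get-ItemProperty -Path $keyPath -Name CACertHash).CACertHash)
if ($hashes.Count -lt 2) {
    throw "Only one CA certificate is registered; there is no previous key pair to fall back to."
}
Write-Host "Current CACertHash entries (Certificate #0 .. #$($hashes.Count - 1)):"
$i = 0
foreach ($h in $hashes) { Write-Host ("  #{0}: {1}" -f $i, $h); $i++ }

# 3. Drop the last entry, i.e. the certificate produced by the renewal.
$newHashes = [string[]]$hashes[0..($hashes.Count - 2)]
Write-Host "Removing newest thumbprint: $($hashes[-1])"

if ($DryRun) { Write-Host 'DryRun: no changes made.'; return }

# 4. Write the shortened list back and restart the CA service so it re-reads it.
Set-ItemProperty -Path $keyPath -Name CACertHash -Value $newHashes -Type MultiString
Restart-Service -Name CertSvc

# 5. Verify which certificate the CA now reports as current.
& certutil.exe -getreg "CA\CACertHash"
```

The renewed certificate and its key stay in the machine store or HSM; only the CA's mapping is rolled back, so re-adding the removed thumbprint (or restoring the .reg backup) returns the CA to the renewed key pair.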