Certificate Server Service does not start and you receive the error: The Data is invalid. 0xd (Win32:13) on a Windows 2003 based certificate authority

Source: Microsoft Support

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows XP and Windows Vista

�

�

Certificate Server Service does not start and you receive the error:

The Data is invalid. 0xd (Win32:13)

�

Additionally you see the following event in the Application Log of the Certificate Server:

�

Event Type:������� Error

Event Source:��� CertSvc

Event Category:��������������� None

Event ID:������������� 100

Date:�������������������� 1/9/2009

Time:�������������������� 10:04:59 PM

User:�������������������� N/A

Computer:��������� CLUSTER1

Description:

Certificate Services did not start: Could not load or verify the current CA certificate.� "CA NAME" The data is invalid. 0x8007000d (WIN32: 13).

�

For more information, see Help and Support Center at http://www.microsoft.com/technet/support/ee/ee_basic.aspx.

The issue occurs if the Thumprint of the Latest Renewed CA Cert is missing or is not in the correct order in the following registry key.

�

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\"Name of your Certificate Authority"\CACertHash

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

�

To resolve this issue manually edit the registry key:

�

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\"Name of your Certificate Authority"\CACertHash

�

To have the thumbprint of the last renewed CA cert to be present at the bottom of the list, change the order in which the CA certificate thumbprints are listed in the registry. �The order the thumbprints are listed should be the same in which the CA certificates were renewed.

If �you do not have the thumbprint of the CA Certificates being �used by the CA, then you can have the last renewed CA Certificate thumbprint at the bottom and add - in place of the old CA Certificates.

�

Example: If you have renewed the CA certificate 3 times, then you can set the value as

�

-

-

cb 5a c7 3d 4f f6 b0 3f de 65 ee 8a be 56 fe e5 b5 e3 8e d6� (This being the latest CA Certificate)

�

You can check the thumbprint of the CA certificates from the local computer personal store.

This method can also be used to remove the old certificate information from the Certificate Authority and keep the latest renewed certificate.

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE �MATERIALS�) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.