On Server 2016 while building the PKI, even though with all the CA’s built/configured, OSCP deployed successfully, still the command to restart the services via scripts cannot be issued.
After running through the scripts to configure the CA using various certutil commands the script gets to
net stop certsvc && net start certsvc
What the screen displays:
The Active Directory Certificate Services service is stopping. The Active Directory Certificate Services service was stopped successfully.
The Active Directory Certificate Services service is starting. The Active Directory Certificate Services service was started successfully.
When trying to restart the services, it reports:
WIN32: 1749 RPC_S_DUPLICATE_ENDPOINT
Active Directory Certificate Services did not start, could not initialize RPC for Issuing CA, and showed the endpoint as duplicates.
As the setup times out and the installation fails, it reports either RPC is unavailable or that the endpoint text is duplicate. This behavior is consistent across all CAs on the server and prevents from installing NDES.
The duplicate endpoint error message is caused by the SafeNet KSP library’s failure to release the service before it is restarted. It was an issue with Luna Version 10.3.0, where the service restart was too fast, and it locked the KSP.
Since it is an issue with the Luna Client version, so upgrading the client version will solve the issue. In this case, 10.3.0 was there, and upgrading to 10.5.0 solved the issue.
If you need help with your PKI environment, feel free to email us at [email protected].
Datasheet of Public Key Infrastructure
We have years of experience in consulting, designing, implementing & migrating PKI solutions for enterprises across the country.