Invalid algorithm specified when renewing subordinate CA with same key

I was working on a certificate services environment where I wanted to renew the certificate of an existing subordinate certificate authority.  I went about using the typical procedure for renewing the certificate, found here:



I ran into a really strange issue, where when attempting to renew the certificate with the same key I received no results.  I was navigating in the certificate authority interface, selected “Renew CA Certificate”, selected to use the existing key pair, and was expecting to be able to choose to save the request to the local disk.  Instead it simply restarted the certificate services.


I then opened a command prompt as an administrator and ran “certutil -renewCert ReuseKeys”.  This provided the output of “invalid algorithm specified”.  I attempted to correct the issue by changing cryptographic providers on the server, disabling UAC, and using different users.  I tested a similar process on another server and it worked fine.


I finally had to generate a certificate using a new key.  I believe that there was something wrong with the original certificate’s cryptographic provider that was preventing the original key from being used.  In this case the new key was requested and fulfilled without error.  Although I had to use a new key, it ultimately allowed me to move on.


To renew a certificate with a new key, either run “certutil -renewCert” or, in the certificate authority interface, select “Renew CA Certificate” and choose to use new keys.  The certificate authority will then issue certificates under the renewed (new) certificate rather than the old one.  The old certificate, however, will continue to be valid until its expiration date, unless it is expired and published in the CRL.
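The following pre-renewal check is an added example, not part of the original post: it records which cryptographic provider and hash settings the CA is configured with, backs up the CA certificate and key, and only then attempts the same-key renewal. It assumes an elevated PowerShell session on the CA itself, English certutil output, the ADCSAdministration module for Backup-CARoleService, and a placeholder backup path of C:\CABackup.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Run on the subordinate CA itself.
# Assumption: C:\CABackup is a placeholder; store CA key backups on protected media.
$backupDir = 'C:\CABackup'

# 1. Find the active CA and the provider settings certsvc uses for its signing key.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$csp     = Get-ItemProperty -Path (Join-Path $cfgRoot "$caName\CSP")

[pscustomobject]@{
    CA                    = $caName
    Provider              = $csp.Provider
    ProviderType          = $csp.ProviderType
    HashAlgorithm         = '0x{0:x}' -f $csp.HashAlgorithm   # legacy ALG_ID value
    CNGHashAlgorithm      = $csp.CNGHashAlgorithm
    CNGPublicKeyAlgorithm = $csp.CNGPublicKeyAlgorithm
} | Format-List

# 2. Confirm the configured provider is actually installed on this server.
$pattern   = [regex]::Escape("Provider Name: $($csp.Provider)")
$installed = (certutil -csplist) -match $pattern
if (-not $installed) {
    Write-Warning "Provider '$($csp.Provider)' is not listed by certutil -csplist"
}

# 3. List the certificates in LocalMachine\My with their key provider and key test result.
certutil -store My

# 4. Back up the CA certificate and private key (no database) before changing anything.
$pw = Read-Host -AsSecureString -Prompt 'Password for the CA key backup'
Backup-CARoleService -Path $backupDir -KeyOnly -Password $pw

# 5. Attempt the same-key renewal from the post and keep the output for the record.
$out = certutil -renewCert ReuseKeys 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Same-key renewal failed (certutil exit code $LASTEXITCODE):"
    $out
    Write-Host "Key backup is in $backupDir. The post's fallback was: certutil -renewCert"
} else {
    $out
}
```

Keeping the output of steps 1 to 3 from a working CA alongside the failing one makes a provider or hash-setting difference between the two servers visible.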


Happy certifying!


Nathan Lasnoski


Nathan Lasnoski is the Director of Concurrency’s Infrastructure Practice, a Datacenter MVP and a recognized leader in Core Infrastructure Design, SharePoint Infrastructure, Virtualization, and Unified Communications technologies.


  • Alex

    I solved this issue by restoring the CA certificate and private key (without DB) from old backup.
