
Fix CERTSRV_E_SERVER_SUSPENDED (0x80094006) in 2 Steps

Database Errors | Intermediate | May 26, 2026

Active Directory Certificate Services is stuck in suspended mode after a failed database restore. Kill the stuck restore state and restart the service.

Quick Answer

Run certutil -restore with a dummy path to finish the stuck restore, then restart the service. If that fails, delete the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\RestoreInProgress and restart.

What This Error Means

You're staring at Event ID 11 or a direct 0x80094006 error, and your Certificate Authority won't issue a single cert. Happened to a client last month after their backup admin tried a database restore halfway and then walked away. The CA service goes into suspended mode to protect data integrity during a restore—it won't accept any requests until the restore completes cleanly. Problem is, if the restore gets interrupted or never finishes, the service stays in limbo forever.

This isn't a hardware failure or a cert misconfiguration. It's a state flag that's stuck. The CA is basically sitting there with its hands up saying "I'm in the middle of a restore, don't talk to me." You need to either finish that restore properly or force-clear the flag.

Fix Steps

Step 1: Try to Complete the Restore

Open Command Prompt as Administrator and run:

certutil -restore C:\Temp\dummy

This tells the CA "here's the path for the restore files." It doesn't matter if the folder is empty or doesn't exist. The service expects you to point it to a restore location. Once you do, it finishes the restore cycle and unsuspends itself. I've seen this work on Server 2012 R2 through 2022. If the CA was mid-restore when someone killed the process (or the server rebooted), this completes the transaction cleanly.

After the command finishes, restart the service:

net stop certsvc && net start certsvc

Then check status with certutil -ping. If you see "CertUtil: -ping command completed successfully," you're done.

Step 2: If Step 1 Fails — Registry Edit

If certutil -restore returns an error like "The restore operation is not active" or just hangs, the restore flag is orphaned. You need to kill it directly.

  1. Open Regedit as Administrator
  2. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
  3. Look for a DWORD or REG_SZ value named RestoreInProgress. Delete it.
  4. If you don't see it, check each subkey under Configuration—sometimes it's buried under a GUID-named key. Search for "restore" in Regedit.
  5. Restart the service: net stop certsvc && net start certsvc

I had a client on Server 2019 where the reg key was there but hidden—had to use reg query to find it. The command was:

reg query "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" /v RestoreInProgress /s

If that returns a path, delete it with:

reg delete "<key path returned by reg query>" /v RestoreInProgress /f
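Before deleting anything in Step 2, it helps to see exactly where the flag lives and to keep a rollback copy of the key. The script below is an added example, not part of the original article: it reports the certsvc state, searches the Configuration key and all subkeys for RestoreInProgress as either a subkey or a named value (the article refers to it both ways), and exports the key to a .reg file. The backup location under C:\Temp is an assumption.

```powershell
# Added example: read-only audit of the CertSvc restore flag before any deletion.
# Run in an elevated PowerShell session on the CA server.
$base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$regPath = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$name    = 'RestoreInProgress'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup  = "C:\Temp\CertSvc-Configuration-$stamp.reg"   # assumed backup location

# 1. Report the current service state.
Get-Service -Name certsvc | Select-Object Name, Status

# 2. Collect the Configuration key and every subkey beneath it.
$keys = @(Get-Item -Path $base) +
        @(Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue)

# 3. Find the flag whether it exists as a subkey or as a named value.
$hits = foreach ($key in $keys) {
    if ($key.PSChildName -eq $name) {
        [pscustomobject]@{ Kind = 'Key'; Path = $key.Name; Data = $null }
    }
    if ($key.GetValueNames() -contains $name) {
        [pscustomobject]@{ Kind = 'Value'; Path = $key.Name; Data = $key.GetValue($name) }
    }
}

# 4. Export the whole Configuration key so the change can be rolled back,
#    then list every location that would need to be cleared.
if ($hits) {
    New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
    reg.exe export $regPath $backup /y | Out-Null
    $hits | Format-Table -AutoSize
    Write-Output "Backup written to $backup. Delete only the entries listed above."
} else {
    Write-Output "No $name key or value found under $regPath."
}
```

The script changes nothing in the registry. If the deletion makes things worse, importing the exported .reg file restores the previous Configuration state.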

Alternative Fixes If the Main One Fails

Check for Pending Database Transactions

Sometimes the ESENT database engine itself has a checkpoint file that thinks a restore is active. Stop the CA service, go to C:\Windows\System32\CertLog, and delete any files ending in .chk, .log, or .jrs (but NOT the .edb database file). Restart the service. This forces ESENT to replay or ignore the orphaned transaction. Worked on a 2022 server after a power failure during maintenance.

Reinstall the CA Role

Honestly, if the above steps don't work, the cleanest path is to back up your CA database (using certutil -backup), uninstall the Active Directory Certificate Services role, reboot, install it again, and restore the database. Takes 30 minutes but it's bulletproof. The suspended state can get corrupted if someone's been monkeying with the registry or the database files directly.

Prevention Tip

Never kill a CA restore mid-process. If you need to cancel a restore, run certutil -restore with a valid backup path and then immediately run certutil -restore again with the same path but add -f to force overwrite—that makes the service exit restore mode gracefully. Also, always take a full backup of the CA database (certutil -backup) before attempting any restore operation. That way if the restore bombs, you can just restore the backup again and start fresh.
