Fix XENROLL_E_RESPONSE_KA_HASH_NOT_FOUND (0x80095002)
This error means the CA didn't include the key archival hash in its response. Fix it by checking the certificate template's key archival settings.
Quick answer: The CA's response didn't include the key archival hash because the certificate template doesn't have the "Archive subject's encryption key" option enabled, or the Key Recovery Agent certificate is missing or expired. Enable it in the template and install a valid KRA cert.
What's going on here
This error shows up when you're trying to enroll a certificate that requests key archival (usually for EFS or document encryption), but the Certificate Authority doesn't send back the archive hash. The hash is part of the PKCS #7 response that proves the CA has stored a copy of the private key. Without it, Windows client code, such as the certreq tool or the MMC snap-in, throws 0x80095002 and fails the enrollment.
You'll see this most often on a Windows Server 2016 or 2019 CA, enrolling a certificate for a user who needs to encrypt files with EFS. The user clicks "Enroll" in the certificate manager, and boom — error. Or you'll get it in a script that calls certreq -submit.
The real trigger: the CA can't generate the archive hash because the template doesn't tell it to archive the key, or the CA lacks a valid Key Recovery Agent certificate to do the archiving. No hash = no certificate.
Step-by-step fix
- Open the Certificate Templates console. On your CA server, open Server Manager, click Tools, then Certification Authority. Don't look for the templates under the CA's Properties (the Security tab there is not what you need); the templates live in their own snap-in. Run certtmpl.msc from an admin command prompt.
- Find the problem template. In the list, right-click the certificate template that's failing (like EFS Recovery Agent or Basic EFS) and choose Properties.
- Check the key archival setting. Go to the Request Handling tab. Look for the checkbox "Archive subject's encryption key". This must be checked. After you check it, you should see the label "Key archival: Encrypted private key archived" appear. Click Apply — wait two seconds for the GUI to update.
- Check the KRA certificate. Back in the Certificate Authority console, right-click the CA name, choose Properties, then the Recovery Agents tab. You need at least one valid Key Recovery Agent certificate listed here, not expired, not revoked. If the list is empty, you need to enroll a KRA certificate first. To do that, open the Certificates MMC for the local computer, request a new certificate based on the "Key Recovery Agent" template, then come back here and click Add. After adding it, you'll see a message: "The KRA certificate will be used for all future key archival requests."
- Reissue the template. In the Certificate Templates console, right-click the template, choose Reissue. This forces the CA to use the latest template version. Wait one minute for AD replication if you have multiple DCs.
- Retry the enrollment. On the client machine, delete the pending certificate request (if any) from the Certificates MMC, then request a new certificate. It should work now — you'll see the certificate appear with a key icon showing it's archived.
If the main fix doesn't work
Try these in order:
- Restart the CA service. In an admin command prompt on the CA, run net stop certsvc && net start certsvc. After the service restarts, you'll see event 4886 or 4887 in the System log confirming it's ready. Retry enrollment.
- Check the template permissions. The user or computer requesting the certificate needs Read and Enroll permissions on the template. Open certtmpl.msc, right-click the template, Properties, Security tab. Add the user or group and check Enroll. Hit OK, wait 30 seconds, try again.
- Use certreq with verbose logging. Run certreq -submit -config "CA-SERVER\CA-Name" -attrib "CertificateTemplate:TemplateName" request.req. Check the output for a line like "0x80095002 (XENROLL_E_RESPONSE_KA_HASH_NOT_FOUND)". If you see that, the template still isn't archiving. Double-check step 3.
How to prevent this from happening
Before you roll out any certificate template that needs key archival, do two things. First, make sure a valid Key Recovery Agent certificate is installed on the CA. Second, on the template's Request Handling tab, check the "Archive subject's encryption key" box before you issue any certificates. If you forget and issue one, you'll get this error. Templates are sticky — once a certificate is issued with the wrong settings, you have to reissue the template and delete old certs. Save yourself the headache and set it up right the first time.
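The two pre-flight checks above (template archival flag, usable KRA certificate on the CA) can be scripted so they run before any template goes live. The following PowerShell is an added example, not from the original article or from Microsoft; it assumes it runs on the CA as a local administrator with the ActiveDirectory module installed, and the template display name and CA name are placeholders you replace with your own.

```powershell
# Added example: pre-flight check for a key archival template.
# Assumptions: runs on the CA host, local admin, ActiveDirectory module present.
param(
    [string]$TemplateDisplayName = 'Basic EFS',   # placeholder, use your template
    [string]$CaName = 'CA-Name'                   # placeholder, use your CA's common name
)
Import-Module ActiveDirectory

# In MS-CRTD, bit 0x1 of msPKI-Private-Key-Flag is CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL;
# the "Archive subject's encryption key" checkbox on the Request Handling tab sets it.
$RequireArchival = 0x1

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -SearchBase $templateBase -Filter "displayName -eq '$TemplateDisplayName'" `
                    -Properties 'msPKI-Private-Key-Flag'
if (-not $tpl) { throw "Template '$TemplateDisplayName' not found in AD" }

$archives = (($tpl.'msPKI-Private-Key-Flag') -band $RequireArchival) -ne 0
Write-Host ("Template '{0}': key archival {1}" -f $TemplateDisplayName,
            $(if ($archives) { 'ENABLED' } else { 'NOT enabled (step 3 of the fix)' }))

# The CA keeps the thumbprints of the KRA certs it will use in KRACertHash, and the
# number it actually applies in KRACertCount, under its CertSvc configuration key.
$regPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$kraHashes = @((Get-ItemProperty -Path $regPath -Name KRACertHash  -ErrorAction SilentlyContinue).KRACertHash)
$kraCount  =   (Get-ItemProperty -Path $regPath -Name KRACertCount -ErrorAction SilentlyContinue).KRACertCount

# Cross-check each configured thumbprint against the CA's KRA store so an expired
# or removed KRA certificate is caught before a user hits 0x80095002.
$kraStore = Get-ChildItem Cert:\LocalMachine\KRA -ErrorAction SilentlyContinue
$usable = @()
foreach ($h in $kraHashes) {
    $thumb = ($h -replace '\s', '').ToUpper()          # certutil shows hashes with spaces
    $cert  = $kraStore | Where-Object { $_.Thumbprint -eq $thumb }
    if ($cert -and $cert.NotAfter -gt (Get-Date)) { $usable += $cert }
    else { Write-Warning "KRA $thumb is missing from Cert:\LocalMachine\KRA or expired" }
}
Write-Host ("KRA certs configured: {0}, usable: {1}, KRACertCount: {2}" -f `
            $kraHashes.Count, $usable.Count, $kraCount)

if (-not $archives -or $usable.Count -eq 0 -or -not $kraCount) {
    Write-Warning 'Enrollment against this template will fail with 0x80095002 until both checks pass.'
}
```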