Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Enterprise CA Root died

Posted on 2009-05-13
Medium Priority
Last Modified: 2013-01-22
We have an small internal Domain with our root Enterprise Server. A month ago the Enterprise CA died without a backup. I have another Enterprise Subordinate CA that was associated with the root CA. To add to the problem, the Subordinate CA service is refusing to start and giving out the following error: "The revocation function was unable to check revocation because the revocation server was offline. 0x80090213 (-2146885613)." Obviously due to the Root CA not being online.

I have prepared a new server with the same name as the root CA.

What options do I have so I can get the Certifactes up and running and in the same time trusting all the certificates that were previously distributed?
Question by:amersharaf
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
LVL 26

Accepted Solution

Pber earned 1000 total points
ID: 24374871

You can try PKIview from the reskit and see if you can see where the CRL is pointing, but you may be out of luck.
It is of upmost importance that you have a backup of your Root CA.  Without going to backups you will not be able to recover just by using the same name as the old root CA.  Depending what you are doing with the certicates, they should be still valid until they expire as long as your computers have your CA as a trusted root.  This may give you time to rebuild your CA infrastructure.
Normally the design of choice is an offline Standard root CA that never, ever touches the network.  The reason for this is if your subordinate CA or a certificate ever becomes compromized, you can always revoke the certificates to make them invalid (required exporting and importing the CRL).  You can't do this if it happened to the actual Root CA.
 If at some time you did perform CA Backup, you may be able to do this.  Good to know for the future: 
This is a good backup document:
 This is also a bit of a read, but it goes into CA best practice and the offline root CA thing: 
LVL 31

Assisted Solution

Paranormastic earned 1000 total points
ID: 24376108
how badly did the old CA fail?  are you able to boot to it and it has errors, or is the hard drive failed with no backup?

Just having a similarily named CA is not enough - you would need to have the root CA's private key and CA database in order to recover.  Since it sounds like you do not have this, then you can name the new root the same or whatever you would like.  The existing subordinate is going to have its CA certificate re-signed as well, which will mess with all of the certs that it has issued.

Since you are going through this anyways, I generally recommend using virtual machines and storing at least the root image on a removable hard drive for when it is powered down and easily locked up.  Backups of the image are easily done and will be hardware independent for future recoveries.  Can save an extra snapshot of the subordinate onto it as well, although obviously the sub would run from a different hard drive for production.  You can use the VM internal netwrok as long as you keep it unroutable to transfer the CRLs via script from the root to the sub CA.

Since the existing root CRL is already expired, you will need to decommission your existing PKI from AD.  If you had the luxury of planning a decommission you could issue an extended CRL, but this can't be done.  If you had access to the old root's private key you could re-sign the old CRL to extend the validity period.

Yes - this means you will need to re-issue all of the certificates.  You should export the CA database to .csv file (export from the Issued Certs folder in the CA MMC) - note that if it appears to time out that you may have an incomplete list - you may need to do this multiple times by filtering by certificate issuance date is < and > selected dates until you have the entire thing - the first export should give you a rough idea how long of a timeframe.  If you have less than a couple thousand certs issued (keeping in mind autoenrolled workstation certs, if users have multiple certs each, etc.) then you may get lucky and get it all the first shot.  This way you can make sure that everything is covered afterwards and prioritize (e.g. web server certs first).

How to decom a CA server properly from AD:

Let me know if there is anything you are unclear about.

After you install the new CA - go into the CA MMC and use the Backup CA option to backup the CA database and private key and lock these up somewhere - if you had this before you would be in a much nicer place right now with as much time as you needed to recover.
LVL 31

Expert Comment

ID: 24376484
Also, when you do the new root CA - keep the root offline - don't join to the network or domain, its okay to install as a stand-alone CA (enterprise CA requires being on domain) - you can still have your sub CA online, connected to domain, and set up as enterprise.
LVL 31

Expert Comment

ID: 24952680
Although tough to see next to the bold text, pber's "Without going to backups you will not be able to recover just by using the same name as the old root CA." is the main answer - that part probably should have been bolded or stated upfront, but regardless it was present.  He popped that out first, so he should get the Accept credit.

pber had some decent planning articles to point to, I talked more about the need to decom the old and the impact of the results, as well as some planning considerations along with a hopeful question about why the old CA died out so that maybe that could have been recovered although not expecting much to that end.  For that, I would aim for an assist.

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question