Solved

Certificate Authority Has Too Many Root Certificates

Posted on 2009-07-03
Last Modified: 2012-05-07
This problem started because our enterprise root CA certificate expired. We tried to renew the certificate and now there are three root certificates in the CA. The results of certutil -cainfo are below. The problem is that because of this we cannot renew or issue any certificates. Please help!

Exit module count: 1
CA name: moorpark
Sanitized CA short name (DS name): moorpark
CA type: 0 -- Enterprise Root CA
    ENUM_ENTERPRISE_ROOTCA -- 0
CA cert count: 3
KRA cert count: 0
KRA cert used count: 0
CA cert[0]: 4 -- Expired
CA cert[1]: 3 -- Valid
CA cert[2]: 3 -- Valid
CA cert version[0]: 0 -- V0.0
CA cert version[1]: 1 -- V1.0
CA cert version[2]: 0x20002 (131074) -- V2.2
CA cert verify status[0]: 0x800b0101 (-2146762495)
CA cert verify status[1]: 0
CA cert verify status[2]: 0
CRL[0]: 3 -- Valid
CRL[1]: 1 -- Error: No CRL for this Cert
CRL[2]: 3 -- Valid
DNS Name: curry5.samintl.com
Advanced Server: 1
CertUtil: -CAInfo command completed successfully.
Question by:leatherleaf
6 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24785066
I think your understanding of this issue is incorrect. The output so far looks fine; there are probably just some follow-up tasks you need to do, as I am imagining that when you renewed the CA cert you did so using a new keyset.

Your existing certs should be fine as the CRL from the original is still valid.  Looks like you never issued a CRL from the first renewal, but have from this instance.  That CRL needs to be pushed to your CDP locations.

You need to take a copy of this new root CA cert and deploy that to your clients via GPO or whatever methods you have used previously. Do not remove the old root certificate from GPO, etc. - it is fine (and, until you renew all the old certs, important) to leave it there.

Since your environment presumably does not trust the new CA cert, that can get in the way of issuance.

Also, check your AIA locations and copy the CA cert to those locations as well. The new CRLs may have a (2) at the end of the filename, for example RootCA(2).crl for the base CRL and RootCA(2)+.crl for the delta if you have one. If you have a script to copy the CRLs out and it specifies the exact file name, you may need to adjust that - it may be easiest to just copy *.crl from the CertEnroll directory.
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24785106
After that, you can wait for AD to replicate and, if it is 2003/Vista/2008 (or XP with the 2003 adminpak installed to have access to certutil), you can issue 'gpupdate /force' (or reboot) to push the new cert down, then 'certutil -pulse' to pulse autoenrollment events. For XP without the adminpak you can just do the gpupdate and reboot or wait. For LDAP servers (usually just your DCs), if they need to renew you will need to reboot after the new cert is applied to have it used instead of the old cached one.

If you are still having problems, run pkiview.msc and check that. If still having problems after that, post back and let me know what exactly isn't working and if there are any unique considerations (works for these but not for those, etc.).
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24785176
The CA cert count just reflects that you had 1 cert originally and that it has been renewed 2 times. Even though there are 2 that are valid, that's perfectly fine. Normally you should be renewing before the old one expires, so this is not abnormal behavior.
 
LVL 31

Accepted Solution

by:
Paranormastic earned 2000 total points
ID: 24785235
Please note that for the original CA cert (and for the 2nd if you issued any certs from it) you will need to maintain the CRL so that the certs issued from it will remain able to be validated. If you extended the lifetime of the CRL to the CA cert expiration prior to renewal, that should be fine. If not, and if you have the original CA cert's private key, you can re-sign the CRL using 'certutil -sign filename.crl NEWfilename.crl 90:00' and it will be valid for 90 days, 00 hours (or whatever you set). You will need to rename NEWfilename.crl to the original CRL filename when you copy it to the CDP location. This does not create a new CRL, but merely updates the validity period of the existing one, and can be used as a band-aid fix until everything is moved over to the new root cert.
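Putting the CRL checks and the CDP/AIA copying from the comments above into one script, as an added example that is not Paranormastic's code and is not part of the original thread: it reads NextUpdate from every CRL in CertEnroll with certutil -dump (so you can see which CA cert index has a lapsed or missing CRL before clients start failing revocation checks), re-signs any lapsed CRL with the certutil -sign band-aid from the accepted solution, and copies CRLs and CA certs out under their original file names so the URLs embedded in issued certs still resolve. The CertEnroll path, the \\pki-web\pki$ shares, the 90:00 validity and the function names are assumptions or placeholders; the date parsing assumes certutil prints dates in the current culture.

```powershell
<#
Added example for this thread (not code from the original posts). Assumes it runs on
the CA host with certutil.exe available. Without -Publish it only reports; with
-Publish it stages files under %TEMP% and copies them to the CDP/AIA locations.
#>
param(
    [string]   $CertEnroll     = "$env:SystemRoot\System32\CertSrv\CertEnroll",
    [string[]] $CdpPaths       = @('\\pki-web\pki$'),   # placeholder CDP location(s)
    [string[]] $AiaPaths       = @('\\pki-web\pki$'),   # placeholder AIA location(s)
    [string]   $ResignValidity = '90:00',               # dd:hh, as in the accepted answer
    [switch]   $Publish
)

# Read ThisUpdate/NextUpdate out of 'certutil -dump <file.crl>' and report whether
# the CRL has lapsed. Assumes certutil prints dates in the current culture.
function Get-CrlValidity {
    param([Parameter(Mandatory)][string]$Path)
    $dump  = (& certutil.exe -dump $Path 2>&1) -join "`n"
    $thisM = [regex]::Match($dump, 'ThisUpdate:\s*(.+)')
    $nextM = [regex]::Match($dump, 'NextUpdate:\s*(.+)')
    if (-not $nextM.Success) { return $null }   # not a CRL, or certutil could not parse it
    $thisUpdate = $null
    if ($thisM.Success) { $thisUpdate = [datetime]::Parse($thisM.Groups[1].Value.Trim()) }
    $nextUpdate = [datetime]::Parse($nextM.Groups[1].Value.Trim())
    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        IsDelta    = $Path -like '*+.crl'        # RootCA(2)+.crl naming mentioned in the thread
        ThisUpdate = $thisUpdate
        NextUpdate = $nextUpdate
        Expired    = $nextUpdate -lt (Get-Date)
    }
}

# Band-aid from the accepted answer: re-sign an existing CRL with the CA key to extend
# NextUpdate. Writes to $OutPath so the CertEnroll copy is left untouched; certutil may
# prompt you to pick the signing certificate if it cannot choose one on its own.
function Update-CrlValidity {
    param([string]$InPath, [string]$OutPath, [string]$Validity)
    & certutil.exe -sign $InPath $OutPath $Validity | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -sign failed for $InPath" }
}

# Copy every CRL to the CDP locations and every CA cert to the AIA locations, keeping
# the original file names so the CDP/AIA URLs in already-issued certs still resolve.
function Publish-PkiFiles {
    param([string]$Source, [string[]]$Cdp, [string[]]$Aia)
    foreach ($d in $Cdp) { Copy-Item -Path (Join-Path $Source '*.crl') -Destination $d -Force }
    foreach ($d in $Aia) { Copy-Item -Path (Join-Path $Source '*.crt') -Destination $d -Force }
}

# Report first: one row per CRL, with Expired = True for anything clients will reject.
$crls = Get-ChildItem -Path $CertEnroll -Filter '*.crl'
$crls | ForEach-Object { Get-CrlValidity -Path $_.FullName } | Format-Table -AutoSize

if ($Publish) {
    $stage = Join-Path $env:TEMP 'pki-publish'
    New-Item -ItemType Directory -Force -Path $stage | Out-Null
    Copy-Item -Path (Join-Path $CertEnroll '*.crt') -Destination $stage -Force
    foreach ($crl in $crls) {
        $dest = Join-Path $stage $crl.Name       # staged under the original name
        $info = Get-CrlValidity -Path $crl.FullName
        if ($info -and $info.Expired) {
            Update-CrlValidity -InPath $crl.FullName -OutPath $dest -Validity $ResignValidity
        } else {
            Copy-Item -Path $crl.FullName -Destination $dest -Force
        }
    }
    Publish-PkiFiles -Source $stage -Cdp $CdpPaths -Aia $AiaPaths
}
```

Run it once without -Publish to see the table; a CRL row with Expired = True matches the "No CRL for this Cert" / lapsed-CRL situation discussed above, and the re-sign path only extends validity, it does not add or remove revoked serials. After publishing, pkiview.msc (mentioned earlier in the thread) is the quick way to confirm every CDP and AIA URL is reachable and current.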
 

Author Closing Comment

by:leatherleaf
ID: 31599608
Rewarding points for detail of answer. We actually, though, just ended up uninstalling the root CA and installing on another server, which seems to have worked fine for us.
