Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Expired Root CA

Posted on 2010-09-08
6
Medium Priority
?
600 Views
Last Modified: 2012-06-22
Hi,
we have a windows 2003 CA enterprise auth to allow us to self sign certs internally.  when we tried to renew a cert we could not view the templates or make new requests

After further investigation i have found that the root ca server/cert has expired today so everthing looking up the chain will fail i assume.

Is their a way of renewing this even though it has expired, also, if it can be rened then what impact may the have on the self signed certs alreay used.  will these stop working as it is a different ca cert with a different key?

Thanks
0
Comment
Question by:phillbl
  • 3
  • 2
6 Comments
 
LVL 80

Accepted Solution

by:
arnold earned 752 total points
ID: 33633213
The self-sign CA is often valid for 10 to 20 years.  check the CA cert path to make sure that his is not an intemediary.
renewing the self-signed CA should solve the issue.
The certificates will have an error pointing to the CA that has expired.
0
 

Author Comment

by:phillbl
ID: 33633239
hi,
where is the CA path that shows it matbe an intermediary & if the certs have an error pointing that the CA has expired, will they still work?
Thanks
0
 
LVL 80

Assisted Solution

by:arnold
arnold earned 752 total points
ID: 33636045
Look in the issued certificates within the CA authority to see which certificate was used to issue them.

The update/renew CA certificate adds a new one, but does not resolve the issue with the CA expired. You'd likely see something like:

The certificates that were signed by this CA should not exceed the CA expiry date.  Once you renew the CA, you would likely need to renew/resign the other certificates.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 80

Assisted Solution

by:arnold
arnold earned 752 total points
ID: 33640311
If you have autoenroll configured, once the CA certificate is renewed and propagates through the AD, the other systems will resubmit their requests to renew their certificates. As long as you have your CA system setup to issue rather than place the requests in the pending queue, the new certificates will be issued.
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 248 total points
ID: 33642211
the root would be valid for whatever it got configured for... see if the subject and issuer are the same - if they are then its the root.

Here's the generic directions:
http://technet.microsoft.com/en-us/library/cc780374%28WS.10%29.aspx

In this case you might as well use new keys since you will need to deploy the new cert anyways.  Renewing the certificate is the way to make sure you aren't using the same keys for too long.

Prior to renewal, check to see if there is a 'capolicy.inf' file in %systemroot% (c:\windows or c:\winnt).  If so, you might try adding or modifying the following under [certsrv_server] section:
RenewalKeyLength=2048
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=Years

use 20 years for an offline root, 10 for an offline policy / intermediate tier (if applicable), or 5 years for any online CA.

Set a calendar reminder or something to go off in 1/2 the lifetime of the cert (e.g. in 10 years for a 20 year cert) to renew it so you don't run into a downtime scenario.  Using a half life keeps things from overlapping the CA cert's expiration date so everything doesn't expire all on the same day is what just happened today for you.
0
 

Author Closing Comment

by:phillbl
ID: 33643844
thanks for the information.  very good answers
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many times while working on a computer regardless of any Operating System, lag and crashes seem to creep in, hindering your working speed. Sometimes, it can also cause your work to be lost unexpectedly and as a result, you are unable to meet your de…
Have you ever had a hard drive that you can't boot into, but need to change the registry? Here is the solution! This article guides you through accessing and editing a registry of a non-primary drive. To read registry information on a non-prim…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question