Solved

Expired Root CA

Posted on 2010-09-08
6
597 Views
Last Modified: 2012-06-22
Hi,
We have a Windows 2003 enterprise CA (certificate authority) to allow us to self-sign certs internally. When we tried to renew a cert we could not view the templates or make new requests.

After further investigation I have found that the root CA server/cert has expired today, so everything looking up the chain will fail, I assume.

Is there a way of renewing this even though it has expired? Also, if it can be renewed, then what impact may that have on the self-signed certs already used? Will these stop working, as it is a different CA cert with a different key?

Thanks
0
Question by:phillbl
6 Comments
 
LVL 79

Accepted Solution

by:
arnold earned 188 total points
ID: 33633213
The self-signed CA is often valid for 10 to 20 years. Check the CA cert path to make sure that this is not an intermediary.
Renewing the self-signed CA should solve the issue.
The certificates will have an error pointing to the CA that has expired.
0
 

Author Comment

by:phillbl
ID: 33633239
Hi,
where is the CA path that shows it may be an intermediary? And if the certs have an error pointing that the CA has expired, will they still work?
Thanks
0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 188 total points
ID: 33636045
Look in the issued certificates within the CA authority to see which certificate was used to issue them.

The update/renew CA certificate adds a new one, but does not resolve the issue with the expired CA. You'd likely see something like:

The certificates that were signed by this CA should not exceed the CA expiry date. Once you renew the CA, you would likely need to renew/re-sign the other certificates.
0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 188 total points
ID: 33640311
If you have autoenroll configured, once the CA certificate is renewed and propagates through AD, the other systems will resubmit their requests to renew their certificates. As long as you have your CA system set up to issue rather than place the requests in the pending queue, the new certificates will be issued.
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 62 total points
ID: 33642211
The root would be valid for whatever it got configured for... see if the subject and issuer are the same; if they are, then it's the root.

Here are the generic directions:
http://technet.microsoft.com/en-us/library/cc780374%28WS.10%29.aspx

In this case you might as well use new keys since you will need to deploy the new cert anyways.  Renewing the certificate is the way to make sure you aren't using the same keys for too long.

Prior to renewal, check to see if there is a 'capolicy.inf' file in %systemroot% (c:\windows or c:\winnt). If so, you might try adding or modifying the following under the [certsrv_server] section:
RenewalKeyLength=2048
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=Years

Use 20 years for an offline root, 10 for an offline policy / intermediate tier (if applicable), or 5 years for any online CA.

Set a calendar reminder or something to go off at 1/2 the lifetime of the cert (e.g. in 10 years for a 20-year cert) to renew it so you don't run into a downtime scenario. Using a half-life keeps things from overlapping the CA cert's expiration date, so everything doesn't expire all on the same day, which is what just happened today for you.
0
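The checks recommended in the answers above (is the CA cert a root or an intermediate, has it expired, and when does its half-life fall) can be done in one pass over the local machine's CA stores. This is an added example, not code from the thread; it assumes only the standard Cert: drive and the X509Certificate2 properties Subject, Issuer, NotBefore, NotAfter and Thumbprint.

```powershell
# Added example (not from the thread): inventory the CA certificates in the
# local machine's Trusted Root and Intermediate stores, tell roots from
# intermediates by comparing Subject with Issuer (as advised above), flag
# expired ones, and compute the half-life reminder date for each.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
$now = Get-Date

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $lifetime = $_.NotAfter - $_.NotBefore
        [pscustomobject]@{
            Store      = Split-Path -Path $store -Leaf
            Subject    = $_.Subject
            # Subject equal to Issuer means self-signed, i.e. a root CA cert.
            Kind       = $(if ($_.Subject -eq $_.Issuer) { 'Root' } else { 'Intermediate' })
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt $now)
            # Renew at half the lifetime so the new CA cert overlaps the old one
            # instead of everything expiring on the same day.
            RenewBy    = $_.NotBefore.AddDays($lifetime.TotalDays / 2)
            Thumbprint = $_.Thumbprint
        }
    }
}

Write-Host "CA certificates that have already expired:"
$report | Where-Object { $_.Expired } |
    Format-Table Store, Kind, Subject, NotAfter, Thumbprint -AutoSize

Write-Host "CA certificates past their half-life (renewal reminder):"
$report | Where-Object { -not $_.Expired -and $_.RenewBy -lt $now } |
    Format-Table Store, Kind, Subject, RenewBy, NotAfter -AutoSize
```

Run it on the CA server before and after renewing the CA certificate: after the renewal, the new root should show up as Kind = Root with a fresh NotAfter alongside the expired one, and any certificates that still chain to the expired thumbprint are the ones that need to be re-issued.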
 

Author Closing Comment

by:phillbl
ID: 33643844
Thanks for the information. Very good answers.
0
