Solved

Expired Root CA

Posted on 2010-09-08
595 Views
Last Modified: 2012-06-22
Hi,
We have a Windows 2003 Enterprise CA (certificate authority) to allow us to self-sign certs internally. When we tried to renew a cert, we could not view the templates or make new requests.

After further investigation I have found that the root CA server/cert has expired today, so everything looking up the chain will fail, I assume.

Is there a way of renewing this even though it has expired? Also, if it can be renewed, what impact may that have on the self-signed certs already in use? Will these stop working, as it is a different CA cert with a different key?

Thanks
0
Question by:phillbl
6 Comments
LVL 78

Accepted Solution

by:
arnold earned 188 total points
ID: 33633213
The self-signed CA is often valid for 10 to 20 years. Check the CA cert path to make sure that this is not an intermediary.
Renewing the self-signed CA should solve the issue.
The certificates will have an error pointing to the CA that has expired.
0
 

Author Comment

by:phillbl
ID: 33633239
Hi,
where is the CA path that shows it may be an intermediary? And if the certs have an error pointing out that the CA has expired, will they still work?
Thanks
0
 
LVL 78

Assisted Solution

by:arnold
arnold earned 188 total points
ID: 33636045
Look in the issued certificates within the CA authority to see which certificate was used to issue them.

Updating/renewing the CA certificate adds a new one, but does not resolve the issue with the expired CA. You'd likely see something like:

The certificates that were signed by this CA should not exceed the CA expiry date. Once you renew the CA, you would likely need to renew/re-sign the other certificates.
0
LVL 78

Assisted Solution

by:arnold
arnold earned 188 total points
ID: 33640311
If you have autoenroll configured, once the CA certificate is renewed and propagates through AD, the other systems will resubmit their requests to renew their certificates. As long as you have your CA system set up to issue rather than place the requests in the pending queue, the new certificates will be issued.
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 62 total points
ID: 33642211
The root would be valid for whatever it got configured for... See if the subject and issuer are the same; if they are, then it's the root.

Here's the generic directions:
http://technet.microsoft.com/en-us/library/cc780374%28WS.10%29.aspx

In this case you might as well use new keys, since you will need to deploy the new cert anyway. Renewing the certificate is the way to make sure you aren't using the same keys for too long.

Prior to renewal, check to see if there is a 'capolicy.inf' file in %systemroot% (c:\windows or c:\winnt). If so, you might try adding or modifying the following under the [certsrv_server] section:
RenewalKeyLength=2048
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=Years

Use 20 years for an offline root, 10 for an offline policy / intermediate tier (if applicable), or 5 years for any online CA.

Set a calendar reminder or something to go off at 1/2 the lifetime of the cert (e.g. in 10 years for a 20-year cert) to renew it, so you don't run into a downtime scenario. Using a half-life keeps things from overlapping the CA cert's expiration date, so everything doesn't expire all on the same day, which is what just happened to you today.
0
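An added example, not from this thread or its posters, that checks the points raised in the two answers above from the machine's own stores: which CA certs are self-signed roots (subject equals issuer), the half-lifetime reminder date for each, and which issued certs reference an issuer that has expired or that they outlive. It assumes a Windows host with PowerShell 3 or later and the built-in Cert: provider; it only reads the LocalMachine stores and changes nothing.

```powershell
# Added example (not from the thread). Read-only inventory of the LocalMachine stores.
$now = Get-Date
# Candidate issuers: the trusted root store plus the intermediate CA store.
$issuers = Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

function Get-HalfLifeDate {
    # Date at half the certificate's lifetime, the renewal reminder the thread recommends.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $lifetime = $Cert.NotAfter - $Cert.NotBefore
    return $Cert.NotBefore + [TimeSpan]::FromTicks([long]($lifetime.Ticks / 2))
}

# 1) Self-signed CA certs: subject == issuer identifies a root rather than an intermediary.
$issuers | Where-Object { $_.Subject -eq $_.Issuer } | ForEach-Object {
    [pscustomobject]@{
        Root       = $_.Subject
        NotAfter   = $_.NotAfter
        Expired    = ($_.NotAfter -lt $now)
        RenewBy    = Get-HalfLifeDate -Cert $_
        Thumbprint = $_.Thumbprint
    }
} | Sort-Object NotAfter | Format-Table -AutoSize

# 2) For each machine cert, find the issuing CA cert by name (a full check would also match
#    the leaf's Authority Key Identifier to the CA's Subject Key Identifier) and flag chains
#    where the CA has expired or the leaf's validity runs past the CA's.
Get-ChildItem -Path 'Cert:\LocalMachine\My' | ForEach-Object {
    $leaf = $_
    $ca = $issuers | Where-Object { $_.Subject -eq $leaf.Issuer } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
    $caNotAfter = $null; $caExpired = 'issuer not found'; $outlives = $null
    if ($ca) {
        $caNotAfter = $ca.NotAfter
        $caExpired  = ($ca.NotAfter -lt $now)
        $outlives   = ($leaf.NotAfter -gt $ca.NotAfter)
    }
    [pscustomobject]@{
        Subject        = $leaf.Subject
        IssuedBy       = $leaf.Issuer
        LeafNotAfter   = $leaf.NotAfter
        CANotAfter     = $caNotAfter
        CAExpired      = $caExpired
        OutlivesIssuer = $outlives
    }
} | Format-Table -AutoSize
```

Rows with CAExpired true are the certs that will fail chain validation as described above; rows with OutlivesIssuer true are the ones arnold warns about, which will need re-issuing once the CA is renewed.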
 

Author Closing Comment

by:phillbl
ID: 33643844
Thanks for the information. Very good answers.
0