Solved

Expired Root CA

Posted on 2010-09-08
593 Views
Last Modified: 2012-06-22
Hi,
We have a Windows 2003 CA enterprise auth to allow us to self sign certs internally. When we tried to renew a cert we could not view the templates or make new requests.

After further investigation I have found that the root CA server/cert has expired today, so everything looking up the chain will fail, I assume.

Is there a way of renewing this even though it has expired? Also, if it can be renewed, then what impact may that have on the self signed certs already used? Will these stop working as it is a different CA cert with a different key?

Thanks
Question by:phillbl
6 Comments
 
LVL 77

Accepted Solution

by:
arnold earned 188 total points
ID: 33633213
The self-signed CA is often valid for 10 to 20 years. Check the CA cert path to make sure that this is not an intermediary.
Renewing the self-signed CA should solve the issue.
The certificates will have an error pointing to the CA that has expired.
0
 

Author Comment

by:phillbl
ID: 33633239
Hi,
Where is the CA path that shows it may be an intermediary? And if the certs have an error pointing that the CA has expired, will they still work?
Thanks
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 188 total points
ID: 33636045
Look in the issued certificates within the CA authority to see which certificate was used to issue them.

The update/renew CA certificate adds a new one, but does not resolve the issue with the expired CA. You'd likely see something like:

The certificates that were signed by this CA should not exceed the CA expiry date.  Once you renew the CA, you would likely need to renew/resign the other certificates.
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 188 total points
ID: 33640311
If you have autoenroll configured, once the CA certificate is renewed and propagates through AD, the other systems will resubmit their requests to renew their certificates. As long as you have your CA system set up to issue rather than place the requests in the pending queue, the new certificates will be issued.
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 62 total points
ID: 33642211
The root would be valid for whatever it got configured for. See if the subject and issuer are the same; if they are, then it's the root.

Here's the generic directions:
http://technet.microsoft.com/en-us/library/cc780374%28WS.10%29.aspx

In this case you might as well use new keys since you will need to deploy the new cert anyways.  Renewing the certificate is the way to make sure you aren't using the same keys for too long.

Prior to renewal, check to see if there is a 'capolicy.inf' file in %systemroot% (c:\windows or c:\winnt).  If so, you might try adding or modifying the following under [certsrv_server] section:
RenewalKeyLength=2048
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=Years

Use 20 years for an offline root, 10 for an offline policy / intermediate tier (if applicable), or 5 years for any online CA.

Set a calendar reminder or something to go off at 1/2 the lifetime of the cert (e.g. in 10 years for a 20 year cert) to renew it so you don't run into a downtime scenario. Using a half life keeps things from overlapping the CA cert's expiration date, so everything doesn't expire all on the same day, which is what just happened to you today.
0
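The checks the answers above describe by hand (is the CA cert a self-signed root, i.e. subject equals issuer; how long until it expires and when the half-life renewal reminder should fire; which issued certificates outlive the CA and no longer chain) can be scripted. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft; it assumes the CA's common name is supplied in $CaName (the value CORP-ROOT-CA is a placeholder), reads the machine Root and Personal stores through the built-in Cert: drive, and does not touch the CA database itself.

```powershell
# Added example (not from the thread): audit a CA certificate in the
# machine Root store, report whether it is a self-signed root, how much
# lifetime remains, when the half-life renewal reminder should fire, and
# which certificates it issued will outlive it or no longer validate.
# Assumption: the CA's CN is passed in $CaName (placeholder value below).

param(
    [string]$CaName = 'CORP-ROOT-CA'   # placeholder, replace with your CA's CN
)

$now = Get-Date

# Locate the CA certificate by subject CN; take the newest if it was renewed.
$ca = Get-ChildItem Cert:\LocalMachine\Root |
      Where-Object { $_.Subject -like "CN=$CaName*" } |
      Sort-Object NotAfter -Descending |
      Select-Object -First 1

if (-not $ca) {
    Write-Error "No certificate with CN=$CaName found in LocalMachine\Root"
    return
}

# A root CA signs its own certificate, so subject and issuer are identical.
# If they differ, this is an intermediate and the chain must be checked upward.
$isSelfSignedRoot = ($ca.Subject -eq $ca.Issuer)

# Half-life reminder: renew at the midpoint of the validity period so the
# old and new CA certs overlap and nothing expires on the same day.
$lifetime  = $ca.NotAfter - $ca.NotBefore
$renewBy   = $ca.NotBefore.AddDays($lifetime.TotalDays / 2)
$remaining = $ca.NotAfter - $now

[pscustomobject]@{
    Subject          = $ca.Subject
    Thumbprint       = $ca.Thumbprint
    IsSelfSignedRoot = $isSelfSignedRoot
    NotBefore        = $ca.NotBefore
    NotAfter         = $ca.NotAfter
    DaysRemaining    = [math]::Floor($remaining.TotalDays)
    RenewBy          = $renewBy
    RenewalOverdue   = ($now -gt $renewBy)
    Expired          = ($now -gt $ca.NotAfter)
} | Format-List

# Certificates issued by this CA: flag those whose validity runs past the
# CA's own expiry (they will fail chain validation once the CA expires) and
# show whether the local chain build currently succeeds for each one.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $ca.Subject } |
    ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject
            NotAfter      = $_.NotAfter
            OutlivesCA    = ($_.NotAfter -gt $ca.NotAfter)
            ChainValidNow = $_.Verify()   # X509Certificate2.Verify() builds the chain
            Thumbprint    = $_.Thumbprint
        }
    } |
    Sort-Object OutlivesCA -Descending |
    Format-Table -AutoSize
```

Run it on the CA or on any domain member that has the CA certificate in its Root store; rows with OutlivesCA set to True are the certificates that need to be reissued under the renewed CA certificate, and ChainValidNow turning False across the board is the symptom the question describes.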
 

Author Closing Comment

by:phillbl
ID: 33643844
Thanks for the information. Very good answers.
0
