Solved

Expired Root CA

Posted on 2010-09-08
591 Views
Last Modified: 2012-06-22
Hi,
We have a Windows 2003 enterprise CA to allow us to self-sign certs internally. When we tried to renew a cert we could not view the templates or make new requests.

After further investigation I have found that the root CA server/cert has expired today, so everything looking up the chain will fail, I assume.

Is there a way of renewing this even though it has expired? Also, if it can be renewed, then what impact may that have on the self-signed certs already used? Will these stop working, as it is a different CA cert with a different key?

Thanks
Question by: phillbl

6 Comments
Accepted Solution by: arnold (LVL 76, earned 188 total points)
ID: 33633213
The self-signed CA is often valid for 10 to 20 years. Check the CA cert path to make sure that this is not an intermediary.
Renewing the self-signed CA should solve the issue.
The certificates will have an error pointing to the CA that has expired.
Author Comment by: phillbl
ID: 33633239
Hi,
Where is the CA path that shows it may be an intermediary? And if the certs have an error pointing out that the CA has expired, will they still work?
Thanks
Assisted Solution by: arnold (LVL 76, earned 188 total points)
ID: 33636045
Look in the issued certificates within the CA authority to see which certificate was used to issue them.

The update/renew CA certificate adds a new one, but does not resolve the issue with the CA expired. You'd likely see something like:

The certificates that were signed by this CA should not exceed the CA expiry date. Once you renew the CA, you would likely need to renew/re-sign the other certificates.
Assisted Solution by: arnold (LVL 76, earned 188 total points)
ID: 33640311
If you have autoenroll configured, once the CA certificate is renewed and propagates through AD, the other systems will resubmit their requests to renew their certificates. As long as you have your CA system set up to issue rather than place the requests in the pending queue, the new certificates will be issued.
Assisted Solution by: Paranormastic (LVL 31, earned 62 total points)
ID: 33642211
The root would be valid for whatever it got configured for. See if the subject and issuer are the same; if they are, then it's the root.

Here are the generic directions:
http://technet.microsoft.com/en-us/library/cc780374%28WS.10%29.aspx

In this case you might as well use new keys, since you will need to deploy the new cert anyway. Renewing the certificate is the way to make sure you aren't using the same keys for too long.

Prior to renewal, check to see if there is a 'capolicy.inf' file in %systemroot% (c:\windows or c:\winnt).  If so, you might try adding or modifying the following under [certsrv_server] section:
RenewalKeyLength=2048
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=Years

Use 20 years for an offline root, 10 for an offline policy / intermediate tier (if applicable), or 5 years for any online CA.

Set a calendar reminder or something to go off at 1/2 the lifetime of the cert (e.g. in 10 years for a 20-year cert) to renew it, so you don't run into a downtime scenario. Using a half-life keeps things from overlapping the CA cert's expiration date, so everything doesn't expire all on the same day, which is what just happened to you today.
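The checks suggested in this thread (is the CA cert self-signed, i.e. subject equals issuer; has it expired; which issued certs outlive it; does CAPolicy.inf carry renewal settings) can be scripted. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft. It assumes it is run on the CA host or a domain member that has the CA certificate in the LocalMachine Root or CA store, and that `$CaSubjectPattern` is replaced with part of your CA's subject name (the value here is a placeholder).

```powershell
# Added example (not from the original thread). Inspects a CA certificate in the
# local machine store, reports whether it is a self-signed root, whether it has
# expired, which issued certificates in the personal store would outlive it,
# and whether %SystemRoot%\CAPolicy.inf already carries renewal settings.
# Assumption: $CaSubjectPattern is a placeholder; replace it with a substring of
# your CA certificate's subject (e.g. the CA common name).
param(
    [string]$CaSubjectPattern = 'YOUR-CA-NAME'   # placeholder, replace before use
)

function Get-CaCertificate {
    param([string]$Pattern)
    # Root store holds self-signed roots; the CA store holds intermediates.
    $candidates = foreach ($store in 'Root', 'CA') {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like "*$Pattern*" }
    }
    # If the CA has been renewed before, several copies exist; take the newest.
    $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-IsRootCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A root CA certificate is self-signed: subject and issuer are identical.
    return ($Cert.Subject -eq $Cert.Issuer)
}

$ca = Get-CaCertificate -Pattern $CaSubjectPattern
if (-not $ca) {
    Write-Error "No CA certificate matching '$CaSubjectPattern' found in the Root or CA store."
    return
}

$now = Get-Date
Write-Host ("CA subject : {0}" -f $ca.Subject)
Write-Host ("Issuer     : {0}" -f $ca.Issuer)
Write-Host ("Self-signed: {0}" -f (Test-IsRootCertificate -Cert $ca))
Write-Host ("Thumbprint : {0}" -f $ca.Thumbprint)
Write-Host ("Valid until: {0}" -f $ca.NotAfter)

if ($ca.NotAfter -lt $now) {
    $daysAgo = (New-TimeSpan -Start $ca.NotAfter -End $now).Days
    Write-Warning "CA certificate expired $daysAgo day(s) ago; chain validation of everything it issued now fails."
}

# Certificates in the machine's personal store that were issued by this CA.
# Any whose NotAfter is later than the CA's own NotAfter were never going to
# validate past the CA expiry and must be re-issued once the CA is renewed.
$issued = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $ca.Subject }

foreach ($cert in $issued) {
    $chainOk  = $cert.Verify()            # full chain build against the current store
    $outlives = $cert.NotAfter -gt $ca.NotAfter
    Write-Host ("Issued cert {0}  NotAfter={1}  chainValid={2}  outlivesCA={3}" -f `
        $cert.Thumbprint, $cert.NotAfter, $chainOk, $outlives)
}

# CAPolicy.inf lives in %SystemRoot% and controls the renewed CA cert's key
# length and validity period, as described in the answer above.
$policyPath = Join-Path -Path $env:SystemRoot -ChildPath 'CAPolicy.inf'
if (Test-Path -Path $policyPath) {
    $policy = Get-Content -Path $policyPath
    foreach ($key in 'RenewalKeyLength', 'RenewalValidityPeriodUnits', 'RenewalValidityPeriod') {
        $line = $policy | Where-Object { $_ -match "^\s*$key\s*=" }
        if ($line) {
            Write-Host "CAPolicy.inf: $line"
        } else {
            Write-Host "CAPolicy.inf: $key is not set"
        }
    }
} else {
    Write-Host "No CAPolicy.inf found in $env:SystemRoot; renewal settings will not be overridden."
}
```

Run it from an elevated PowerShell prompt on the CA. The `Verify()` call shows the practical effect described earlier in the thread: once the CA certificate is past its NotAfter, every certificate chaining to it reports `chainValid=False`, even if the leaf's own dates are still current. The `outlivesCA=True` rows are the certificates that should be re-issued first after the CA is renewed, since renewing the CA alone does not change their chain.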
Author Closing Comment by: phillbl
ID: 33643844
Thanks for the information. Very good answers.