Renew Stand Alone CA

jrobison used Ask the Experts™
I have a 2003 stand-alone root CA whose issued certificates are going to expire on 11/19. This is a 32-bit 2003 Enterprise OS. My questions are these.

1. If I renew the CA certificate on this server, will all the certificates issued by this server still work? Will I need to export the new cert (once the CA has been renewed) and deploy it via GPO?

2. Can I do an in-place upgrade of this server to 08 Enterprise? Do a backup of the CA, then import the backup to a new (stand-alone) system and then renew the CA and the certificates that are out there on my users' machines. The name of the server will remain the same.

Question 1:
In short, yes, you can renew with uninterrupted service.

Question 2:
Yes, you can back up a Server 2003 CA -> recover to a 2008 CA. The certificate database used by both servers is unchanged and is read the same way, as long as the server name is identical, including the FQDN.
Good read on 03-08  CA upgrade:

also helpful:


So you're saying that if I renew my (stand-alone CA) using the steps in this MS KB, the issued certificate I have on my PC (that's set to expire on the 19th) will still work, or be extended for whatever period I choose when I renew the server? This is a stand-alone server with no automatic enrollment.

Well, the CA certificate will renew for the validity period it was originally set at. The certificate on the PC should renew itself as instructed by the template it was issued from. Typically, if set to a 1-year validity period, the renewal is set to attempt to renew the certificate 6 weeks before expiration.

You can also force the certificate to re-enroll. To do this, right-click the template used to originally create the certificate and choose "Reenroll all certificate holders". When the user logs in, the version of the certificate is examined and compared. If the template increment is newer, they will be re-enrolled.

It shouldn't matter if auto-enrollment is selected or not. It just means that you will have to check the pending certificates and Issue any that are waiting to be processed.

Also, if this is an offline CA, you will need to bring it online in order for any of the certificates to renew during their correct time frame.

I don't think these were created from a template. I believe the server was set up as a stand-alone CA. Someone then connected to the certsrv URL http://servername/certsrv and selected the option to download the certificate, saved that certificate file and then deployed it via the helpdesk techs as new PCs hit the domain. I don't think they used a GPO to deploy the cert because I've looked for that and I don't see anything.

If this is the case, I think I'll have to do the following.

1. Renew the CA certificate on the server
2. Connect to the certsrv URL http://servername/certsrv
3. Download the certificate (save it)
4. Deploy the cert via a GPO

Am I wrong?
The certificate had to be created from a template, unless it is the actual CA certificate that is being used. And if it is just the CA cert that is being distributed, then yes, you will have to go to the URL and download the certificate after it has been renewed and deploy that cert. One easy way to tell is to go to a PC that has the cert and do the following:

Start -> Run -> MMC
File -> Add/Remove Snap-in
Click "Add"
Choose Certificates and then User or Computer (wherever that cert is stored)
Then find the certificate and open it. Check the thumbprint and name (or just look at the certification path to see if it is the only one) and compare it to the CA cert.
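The same thumbprint comparison, scripted instead of clicked through in MMC, as an added example that is not part of the thread. It assumes PowerShell 2.0 or later on the PC and that the CA certificate was saved from http://servername/certsrv to a placeholder path C:\temp\ca.cer; it reads the User and Computer stores the answer mentions, reports whether each matching certificate is a copy of the CA certificate itself (identical thumbprint, so it must be replaced once the CA is renewed) or a certificate issued by that CA (which keeps working until its own expiry), and flags anything inside the 6-week renewal window mentioned earlier.

```powershell
# Added example, not from the thread. Placeholder path: adjust to where the
# certificate downloaded from http://servername/certsrv was saved.
param(
    [string]$CaCertPath = 'C:\temp\ca.cer'
)

# Load the CA certificate and show the same fields the MMC dialog shows.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCertPath)
"CA cert : {0}" -f $ca.Subject
"Thumb   : {0}" -f $ca.Thumbprint
"Expires : {0}" -f $ca.NotAfter

# "User or Computer" stores from the answer: CurrentUser and LocalMachine.
$stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\My',
          'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My'

# 6 weeks, the renewal window quoted earlier in the thread.
$renewBy = (Get-Date).AddDays(42)

foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $flag = if ($_.NotAfter -lt $renewBy) { 'RENEW SOON' } else { 'ok' }

        if ($_.Thumbprint -eq $ca.Thumbprint) {
            # Identical thumbprint: this is the CA certificate itself, distributed
            # to the PC. After renewal the CA cert has a new thumbprint, so this
            # copy has to be replaced with the renewed one (download + GPO).
            "[CA copy] {0,-26} {1} expires {2} ({3})" -f $store, $_.Thumbprint, $_.NotAfter, $flag
        }
        elseif ($_.Issuer -eq $ca.Subject) {
            # Issuer DN string equals the CA's subject DN: an end-entity certificate
            # issued by this CA. It keeps chaining to the CA after the CA certificate
            # is renewed, for as long as its own NotAfter allows.
            "[issued]  {0,-26} {1} expires {2} ({3})" -f $store, $_.Thumbprint, $_.NotAfter, $flag
        }
    }
}
```

If the only lines printed are "[CA copy]" entries, the PC holds nothing but the CA certificate, which matches the "They are identical" observation below and means the renewed CA certificate has to be pushed out again; "[issued]" lines are certificates that came from a template or a certsrv request and will renew or expire on their own schedule.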


They are identical.  


How do you create a template? Do you have to install an Enterprise CA on the domain?


In our case, it was easier to simply renew the certificate on the existing CA and then request a renewed cert from the server using the CertSrv URL.
