CA expiring on Server 2008 R2

I have a Server 2008 R2 server with ADCS. Last April, I replaced the Server 2003 CA (and DC) server and migrated the CA to the 2008 R2 server (also DC). It has the same machine name and I did not create a new CA when I migrated. The following errors recently appeared in the application log:

Source: CertificationAuthority
Event ID: 77
The "Windows default" Policy Module logged the following warning: The Active Directory connection to COMPUTER.DOMAIN.Local has been reestablished to COMPUTER.DOMAIN.Local.

Source: CertificationAuthority
Event ID: 53
Active Directory Certificate Services denied request 11 because The certificate template renewal period is longer than the certificate validity period. The template should be reconfigured or the CA certificate renewed. 0x80094814 (-2146875372).  The request was for CN=COMPUTER.DOMAIN.Local.  Additional information: Denied by Policy Module  Renewing a certificate with the DomainController Certificate Template failed because the renewal overlap period is longer than the certificate validity period.

Looking in the MMC, the CA Certificate expires 1/28/2012. There are also 2 Basic EFS Certificates.

Should I renew the current certificate or create a new one? Can you direct me to step-by-step instructions for the preferred solution?


You should renew the existing CA certificate. Any newly granted certificates will be based off it, and the CA will automatically begin validating against the new CA certificate once the old one expires.


Thanks for the reply.

From within the ADCS MMC, do I just right-click on the server, select All Tasks, then Renew CA Certificate?
The steps would be

Log in to the CA server
Open Certification Authority MMC
Right-click your CA server name in the left tree
Open "All Tasks"
Select "Renew CA certificate"
You will be prompted that Certificate Services needs to stop, click OK
Follow the wizard which will restart Certificate Services at the end


Once that process is complete, if you right-click the server and go to Properties, you will see that you now have 2 CA certificates. If you look at the Details tab of the new certificate, you should see that "Previous CA Certificate Hash" matches the "Thumbprint" value in the details of the older certificate, meaning the newer certificate can validate certificates generated by the older CA certificate.
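The same post-renewal check, done from the command line instead of the Details tab, as an added example that is not part of the original thread. The script lists the CA's own certificates from the machine Personal store, prints how many days of validity each has left (the Event 53 denial in the question is the policy module refusing to issue a DomainController certificate whose renewal overlap would outlast the CA certificate's remaining validity), and confirms that each renewed CA certificate's "Previous CA Certificate Hash" extension (OID 1.3.6.1.4.1.311.21.2) equals the thumbprint of the certificate it replaced. The $CaName default is a placeholder; pass your CA's common name, which is the CN of the CA certificate, not the server's FQDN.

```powershell
# Added example, not code from the original thread.
# Run in an elevated PowerShell on the CA server (PowerShell 2.0 syntax, as on Server 2008 R2).
# $CaName is an assumption: replace it with the CN shown on your CA certificate.
param([string]$CaName = "COMPUTER-CA")

# Microsoft extension that links a renewed CA certificate to its predecessor:
# szOID_CERTSRV_PREVIOUS_CERT_HASH. Its value is the SHA-1 thumbprint of the old cert.
$PrevHashOid = "1.3.6.1.4.1.311.21.2"

function Get-PreviousCaHash {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $PrevHashOid }
    if (-not $ext) { return $null }
    # The extension body is a DER OCTET STRING: tag 0x04, length 0x14, then 20 hash bytes.
    $raw = $ext.RawData
    if ($raw[0] -ne 0x04) { throw "Unexpected encoding in Previous CA Certificate Hash extension" }
    $hashBytes = $raw[2..($raw.Length - 1)]
    return (($hashBytes | ForEach-Object { $_.ToString("X2") }) -join "")
}

# The CA's own certificates (the ones with private keys) live in LocalMachine\My.
# @() keeps this an array even when only one certificate matches.
$caCerts = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore)

if ($caCerts.Count -eq 0) {
    Write-Error "No CA certificate with a private key found for CN=$CaName"
    exit 1
}

$now = Get-Date
foreach ($c in $caCerts) {
    $daysLeft = [int]($c.NotAfter - $now).TotalDays
    $prev = Get-PreviousCaHash $c
    "{0}  valid until {1:yyyy-MM-dd} ({2} days left)  previous hash: {3}" -f `
        $c.Thumbprint, $c.NotAfter, $daysLeft, $prev
    # A CA that is close to expiry cannot issue certificates longer than its own remaining
    # validity, which is what produces the "renewal period is longer than the certificate
    # validity period" denial seen in the question.
    if ($daysLeft -lt 90) {
        Write-Warning "CA certificate $($c.Thumbprint) expires in $daysLeft days; renew it"
    }
}

# Each renewed certificate must reference the thumbprint of the one issued before it.
for ($i = 1; $i -lt $caCerts.Count; $i++) {
    $expected = $caCerts[$i - 1].Thumbprint
    $actual = Get-PreviousCaHash $caCerts[$i]
    if ($actual -eq $expected) {
        "OK: $($caCerts[$i].Thumbprint) chains to previous CA certificate $expected"
    } else {
        Write-Warning "Certificate $($caCerts[$i].Thumbprint) does not reference $expected (found: $actual)"
    }
}
```

The 90-day warning threshold is an arbitrary choice for the example; what actually matters is that the CA certificate outlives the longest renewal overlap of any template it issues, so compare the "days left" figure against the renewal period configured on your templates. The thumbprint comparison is the same check the answer above describes in the MMC, just scripted so it can be repeated after every future renewal.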


Thank you very much for the prompt replies and the clear instructions.
