fisher_king

asked on

CA expiring on Server 2008 R2

I have a Server 2008 R2 server with ADCS. Last April, I replaced the Server 2003 CA (and DC) server and migrated the CA to the 2008 R2 server (also DC). It has the same machine name and I did not create a new CA when I migrated. The following errors recently appeared in the application log:

Source: CertificationAuthority
Event ID: 77
The "Windows default" Policy Module logged the following warning: The Active Directory connection to COMPUTER.DOMAIN.Local has been reestablished to COMPUTER.DOMAIN.Local.

Source: CertificationAuthority
Event ID: 53
Active Directory Certificate Services denied request 11 because The certificate template renewal period is longer than the certificate validity period. The template should be reconfigured or the CA certificate renewed. 0x80094814 (-2146875372).  The request was for CN=COMPUTER.DOMAIN.Local.  Additional information: Denied by Policy Module  Renewing a certificate with the DomainController Certificate Template failed because the renewal overlap period is longer than the certificate validity period.

Looking in the MMC, the CA Certificate expires 1/28/2012. There are also 2 Basic EFS Certificates.

Should I renew the current certificate or create a new one? Can you direct me to step-by-step instructions for the preferred solution?

Thanks.
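The event 53 denial quoted above comes from a fixed policy-module check: the certificate the CA would issue is cut off at the CA certificate's own expiry, and if that truncated validity is shorter than the template's renewal overlap period the request is refused with 0x80094814 (CERTSRV_E_CERT_TYPE_OVERLAP). The following PowerShell script, added here as an example and not part of the original thread, mirrors that check by reading the current CA certificate with certutil and the template's pKIExpirationPeriod / pKIOverlapPeriod from the Configuration partition. It assumes it runs on the CA (so certutil needs no -config argument); the template name and temp file path are assumptions.

```powershell
# Added example (not from the original thread): mirror the policy-module check
# behind event 53 / 0x80094814 by comparing the remaining lifetime of the CA
# certificate with the renewal overlap period of the template named in the event.
# Assumes it runs on the CA; template name and temp path are assumptions.

param([string]$TemplateName = 'DomainController')

# 1. Newest CA certificate: certutil -ca.cert with no index exports the most recent one.
$caCertFile = Join-Path $env:TEMP 'ca-current.cer'
$null = certutil -f -ca.cert $caCertFile
if ($LASTEXITCODE -ne 0) {
    throw 'certutil -ca.cert failed; run on the CA or add -config "host\CAName"'
}
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile
$remaining = $caCert.NotAfter - (Get-Date)

# 2. Template periods are stored in AD as 8-byte little-endian negative intervals
#    of 100-nanosecond ticks (pKIExpirationPeriod and pKIOverlapPeriod use the same encoding).
function ConvertTo-TimeSpan([byte[]]$Interval) {
    $ticks = [BitConverter]::ToInt64($Interval, 0)
    [TimeSpan]::FromTicks(-$ticks)
}

$configNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
$templateDn = 'LDAP://CN={0},CN=Certificate Templates,CN=Public Key Services,CN=Services,{1}' -f $TemplateName, $configNc
$template = [ADSI]$templateDn
$validity = ConvertTo-TimeSpan $template.Properties['pKIExpirationPeriod'][0]
$overlap  = ConvertTo-TimeSpan $template.Properties['pKIOverlapPeriod'][0]

# 3. The CA truncates an issued certificate at its own NotAfter, so the effective
#    validity is the smaller of the template period and the CA's remaining lifetime.
$effective = if ($remaining -lt $validity) { $remaining } else { $validity }

'CA certificate "{0}" expires {1:d} ({2:N0} days left)' -f $caCert.Subject, $caCert.NotAfter, $remaining.TotalDays
'Template {0}: validity {1:N0} days, renewal overlap {2:N0} days' -f $TemplateName, $validity.TotalDays, $overlap.TotalDays

if ($effective -lt $overlap) {
    Write-Warning ('Effective validity ({0:N0} days) is shorter than the renewal overlap; ' +
                   'requests on this template are denied with 0x80094814 until the CA certificate is renewed.' -f $effective.TotalDays)
} else {
    'OK: effective validity {0:N0} days exceeds the renewal overlap.' -f $effective.TotalDays
}
```

Run it against each template the CA issues, not only the one named in the event: every template whose overlap period exceeds the CA certificate's remaining lifetime will start failing the same way as the expiry date approaches.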
ghodder

You should renew the existing CA certificate. Any newly granted certificates will be based off it, and the CA will automatically begin validating against the new CA certificate once the old one expires.
fisher_king

ASKER

Thanks for the reply.

From within the ADCS MMC, do I just right-click on the server, select All Tasks, then Renew CA Certificate?
ASKER CERTIFIED SOLUTION
ghodder

Once that process is complete, if you right-click the server and go to Properties, you will see that you now have 2 CA certificates. If you look at the Details tab of the new certificate, you should see that "Previous CA Certificate Hash" matches the "Thumbprint" value in the details of the older certificate, meaning the newer certificate can validate certificates generated by the older CA certificate.
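The check the answer describes can be done in code rather than by eye. The PowerShell script below is an added example, not part of the original thread: it exports every CA certificate the CA holds (certutil -ca.cert with an index, 0 being the original and each renewal adding the next) and confirms that each one's "Previous CA Certificate Hash" extension, OID 1.3.6.1.4.1.311.21.2, equals the SHA-1 thumbprint of the certificate before it, and that its expiry actually moved forward. It assumes it runs on the CA itself; the temp file names are arbitrary.

```powershell
# Added example (not from the original thread): verify a CA certificate renewal
# by checking that each CA certificate names its predecessor in the
# "Previous CA Certificate Hash" extension. Assumes it runs on the CA itself.

$previousHashOid = '1.3.6.1.4.1.311.21.2'   # szOID_CERTSRV_PREVIOUS_CERT_HASH

# certutil -ca.cert <file> <index> exports one CA certificate; index 0 is the
# original and each renewal adds the next index. Stop at the first index certutil rejects.
function Get-CACertificates {
    $certs = @()
    for ($i = 0; ; $i++) {
        $file = Join-Path $env:TEMP ('ca-cert-{0}.cer' -f $i)
        $null = certutil -f -ca.cert $file $i 2>&1
        if ($LASTEXITCODE -ne 0) { break }
        $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    }
    return ,$certs
}

# The extension value is a DER OCTET STRING: tag 0x04, one length byte (0x14 for SHA-1),
# then the 20 hash bytes. A single-byte length is assumed, which holds for SHA-1.
function Get-PreviousCAHash($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $previousHashOid }
    if (-not $ext) { return $null }
    $raw = $ext.RawData
    ($raw[2..($raw.Length - 1)] | ForEach-Object { $_.ToString('X2') }) -join ''
}

$certs = Get-CACertificates
if ($certs.Count -lt 2) {
    throw "Found $($certs.Count) CA certificate(s); 'Renew CA Certificate' has not produced a new one yet."
}

for ($i = 1; $i -lt $certs.Count; $i++) {
    $older = $certs[$i - 1]
    $newer = $certs[$i]
    $link  = Get-PreviousCAHash $newer
    $chained = ($link -eq $older.Thumbprint)   # Thumbprint is the uppercase hex SHA-1 of the DER cert
    $state = if ($chained) { 'MATCH' } else { 'MISMATCH' }

    'CA cert #{0} (expires {1:d}) previous hash {2}; CA cert #{3} thumbprint {4}: {5}' -f `
        $i, $newer.NotAfter, $link, ($i - 1), $older.Thumbprint, $state

    if (-not $chained) {
        Write-Warning "CA cert #$i does not name CA cert #$($i - 1) as its predecessor."
    }
    if ($newer.NotAfter -le $older.NotAfter) {
        Write-Warning "CA cert #$i does not expire later than CA cert #$($i - 1); the renewal did not extend validity."
    }
}
```

The "Renew CA Certificate" wizard asks whether to generate a new signing key; either answer yields a new CA certificate that carries this extension, so the check above applies in both cases. Issued certificates that still chain to the older CA certificate remain valid until it expires, which is why the answer says the CA moves over to the new one automatically.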
Thank you very much for the prompt replies and the clear instructions.