Paul S asked:
Renewal Of Windows CA 2008 Root Cert not going well

I just renewed the root certificate for my root certificate authority (CA) server and my entire domain. Old cert 512-bit, new cert 2048-bit. The new certificate shows as trusted on all domain PCs, but I am worried they will all stop working when they get Microsoft update KB2661254 (this update disables all certificates under 1024-bit). I use MS certificates to protect my L2TP VPN. So when I try to VPN from home via L2TP with the update installed, I get an error about no installed certificate.

So on my home PC, off the domain, where I have imported many, many cross and root certificates (old and new), I still see this in the personal cert details:

The Integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered.

If I uninstall the update and install my old cert, the error goes away. What do I need to do to make all my certs work without re-issuing them for the new root cert?

-Windows 2008 CA server (only one CA)
-Single Forest and Single Domain.
asavener:

If your new certificate uses the same key and same name, then you will not have to reissue all of your down-level certificates.

Since you are having to change the key, then you will have to reissue them.
Paul S:

My new cert is using a new key.

Yes, you will need to reissue all of the downlevel certs.
Paul S:

@asavener

This article seems to say that new certificates do not need to be issued when the root CA cert key changes, thanks to Cross certificates.

Root CA certificate renewal - PowerShell Crypto Guy's weblog

If your answer is correct then companies with thousands or tens of thousands of certs would have to re-issue every single one, just because they upgraded their root certificate to a higher encryption level? When Verisign increases the encryption key length, do they email all customers and tell them that their current SSL certs will be broken on a given day and all customers must request a new cert on the upgrade date? I think that would create a DoS attack against their own servers if ALL customers had to get a new certificate on the same day.
I was under the impression that the normal course is to leave the original cert in place, so that certs issued under it would continue to work, and start issuing new down-level certs using the new root cert.
It's always nice to learn something new....
Paul S:

I would love to do that, but my old cert is being revoked by the Microsoft update. Therefore, I have to make my network function like the old cert is gone.

How about duplicating your current cert and superseding it with the new one.
Paul S:

How do I do that?

Believe it or not, it is in the knowledge base article that you refer to in your opening question, KB2661254.

Well, actually, in that same KB article (linked here), in the resolution section, the discussion is on two types of certificates: normal ones, where you can actually change the number of bits of the cert and reenroll all certificate holders, or, if it is a smartcard cert, then you would have to do what I told you in my other comment (supersede).

I didn't give you details because of the way that you explained your situation, you look like someone who has a pretty solid background on the issue at hand.

Well, reenrolling is a basic matter: just open the cert template, change its key size to 2048 (it would be a good idea to rename it), and then click OK. Then right-click and choose Reenroll Certificate Holders. For the option of a smart card cert, do this:

1. Open the Certificate Templates snap-in.

2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

3. Click the Superseded Templates tab.

4. Click Add.

5. Click one or more templates to supersede, and then click OK.

6. Make any other changes to the template that you want to include, and click OK.

These six steps I got from here.

Good luck.
Paul S:

I am trying to find a solution that does not involve issuing new certificates to all my hundreds of users. I do not believe it is necessary. My understanding is that Auto-enrollment is only in Windows Enterprise CA. I am using Windows Standard CA.
Paul S:

P.S. Within my existing PKI, which uses the 512-bit cert as the root(0) cert, new certificates and a new root(1) cert did not function unless the registry setting is applied.

Actually, that change in the registry is in the first article that I provided you. That same thing can be done with certutil, since you are using win2k8, using the command

certutil -setreg chain\minRSAPubKeyBitLength 512
MinRsaPubKeyBitLength is a DWORD value that defines the minimum allowed RSA key length. By default, this value is not present, and the minimum allowed RSA key length is 1024.

You can revert to blocking keys that have a length of less than 1024 bits by removing the value. To do this, run the following certutil command:

certutil -delreg chain\MinRsaPubKeyBitLength

Good luck, man.
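An added audit script, not part of the thread and not from any of the posters, that does on one Windows machine the check this reply and the P.S. above are describing: it reads the same MinRsaPubKeyBitLength value that `certutil -setreg chain\MinRsaPubKeyBitLength` writes, then builds the chain of every certificate in the personal stores and reports each chain element (leaf, intermediate or root) whose RSA key is shorter than 1024 bits, which is what the KB2661254 chain engine rejects once the override is removed. Assumptions (mine, not the thread's): Windows PowerShell 5.1 or later; the registry path `HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config`, which is where the `chain\` settings written by certutil live; and that only RSA keys are relevant (non-RSA keys are skipped). The function names are my own.

```powershell
# Added example: audit which certificates on this machine chain through an RSA key
# shorter than 1024 bits (what KB2661254 blocks) and whether the certutil override
# discussed in the thread is currently applied. Not code from the thread; names are mine.

# Registry location behind 'certutil -setreg chain\...' (assumption, taken from KB2661254).
$ChainConfigKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$DefaultMinRsaBits = 1024   # the post-update minimum when the value is absent

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # RSA modulus length in bits, or $null for non-RSA keys (ECDSA etc.), which the update ignores.
    if ($Cert.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') { return $null }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa) { return $rsa.KeySize }
    return $Cert.PublicKey.Key.KeySize   # fallback for older .NET builds
}

function Get-MinRsaPubKeyBitLengthOverride {
    # Returns the configured MinRsaPubKeyBitLength, or $null when no override is set
    # (i.e. after 'certutil -delreg chain\MinRsaPubKeyBitLength').
    $item = Get-ItemProperty -Path $ChainConfigKey -Name MinRsaPubKeyBitLength -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.MinRsaPubKeyBitLength }
    return $null
}

function Find-WeakChainElements {
    param(
        [string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'),
        [int]$MinBits = $DefaultMinRsaBits
    )
    foreach ($store in $Stores) {
        foreach ($leaf in Get-ChildItem -Path $store) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only key sizes matter for this audit
            [void]$chain.Build($leaf)
            # Walk every element: one weak key anywhere in the chain is enough to break the leaf.
            foreach ($element in $chain.ChainElements) {
                $bits = Get-RsaKeySize -Cert $element.Certificate
                if ($null -ne $bits -and $bits -lt $MinBits) {
                    [pscustomobject]@{
                        Store       = $store
                        Leaf        = $leaf.Subject
                        WeakElement = $element.Certificate.Subject
                        KeyBits     = $bits
                        Thumbprint  = $element.Certificate.Thumbprint
                    }
                }
            }
        }
    }
}

$override = Get-MinRsaPubKeyBitLengthOverride
if ($null -eq $override) {
    "No MinRsaPubKeyBitLength override set; chain engine minimum is $DefaultMinRsaBits bits."
} else {
    "MinRsaPubKeyBitLength override in effect: $override bits (default would be $DefaultMinRsaBits)."
}
# Always evaluate against 1024 so the report shows what breaks once the override is removed.
Find-WeakChainElements -MinBits $DefaultMinRsaBits | Format-Table -AutoSize
```

The report deliberately uses 1024 as the threshold even when the 512-bit override is in place, so an empty result means the override can be removed without breaking those chains; any row naming the old root(0) certificate as the weak element is a leaf that still depends on the 512-bit key and will fail after `certutil -delreg chain\MinRsaPubKeyBitLength`.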
Paul S:
I called Microsoft and this was the solution they recommended.