080813


Server 2008R2 Intermediate CA service won't start

One of my DCs was an intermediate CA. It issued a certificate to another server in the chain as a second subordinate CA (I do not have a root CA). The original intermediate CA threw a rod, so to speak, and I could not gracefully reverse engineer it. As part of the process I revoked the issued certificates before it crashed, but did not have the chance to uninstall the CA and DCPROMO the box back to a member server.

As a result, I now have trashy metadata and cannot start the CA on the newer server, since I revoked its upstream certificate. Is there a way to kick-start the newer CA - maybe create a root CA and re-issue a new certificate to it? I'm a little perplexed since the chain of events that led to this was pretty unpredictable and I'm hoping I'm not looking at restoring Active Directory or other unpleasantness.

So what does one do when a revoked certificate won't allow a subordinate CA to start the services, and the CA that issued it was lost?
WyoComputers

I believe it's all bad. I have never personally had that happen to me, but from my understanding, it's one of those worst-case events. Hopefully someone has a work-around, but I think there is none.
080813

ASKER

Not the answer I was hoping for. So here's a question: if, in an Active Directory network, you never install a CA in the first place (since it's a small, single domain), what's to stop me from just uninstalling the intermediate CA that's now orphaned and starting over? Do I even need one if my client is not encrypting anything? I thought AD issued its own self-signed certificates without a CA present?
ASKER CERTIFIED SOLUTION
WyoComputers

080813

ASKER

Thanks for the links, WyoComputers. I'll check them out and get back to you when I have an update. Sounds like you're also saying it's not quite as dire as you first thought, which would be a welcome scenario.
080813

ASKER

Thanks again to you, WyoComputers. I often wonder if it drives experts up the wall when people take so long to reply. Since this wasn't an Enterprise PKI but rather a local hierarchy of servers, I researched your links and uninstalled the CA, no problem. New root, new intermediary. Life is good. Thank you.