
Certificate Question

Posted on 2014-01-22
Last Modified: 2014-02-11
My domain controller is populating the event logs with the following error:

20 Jan 2014  09:48:09
Computer: [******************************]
Monitor: [Event Log Monitor]
Description:
* Event Time: 20 Jan 2014 09:41:46
* Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
* Event Log: Application
* Type: Warning
* Event ID: 64
* Event User: N/A
* Certificate for local system with Thumbprint ae 0f 29 10 cd 56 ce be 0e a6 4a 63 8e 84 89 21 c1 cf fd 58 is about to expire or already expired.

I located the certificate in the MMC; it is under Personal -> Certificates. The server that is issuing the error is the CA and the one that the certificate is issued to.

There are 2 certificates that are about identical as far as functionality:
1 that expires in a few weeks and another one that expires in a decade.
The one that expires in a few weeks has one included item: it says its purpose is for smart card login, remote computer and identifying itself. The one that is set to expire in 10 years does not include the smart card login. Can anyone tell me, from what I have described:

1) what this certificate is for?
2) will the one that expires in a decade ensure that we don't lose services associated with the one that is about to expire?

thanks a ton
Question by:jamesmetcalf74
2 Comments
 
LVL 14

Accepted Solution

by:
frankhelk earned 1000 total points
ID: 39799852
First, your image does not show the second certificate expiring in a decade (10 years); both expire this year - the first in May, the second in November.

Which certificate the DC is whining about could be determined by the fingerprint given in the message; you should see it in the details of the certificate.

I've seen that the intended purpose of a certificate could be set in the details - at least I was able to do so on my old XP machine. Try to find where to set that up by digging into the certificate's details.

Whether the 2nd certificate would help you depends on the type of use your DC makes of it ... if you use it for smartcard verification, you have to set it up to be used for that, or buy a sufficient one if that is forbidden.

Nevertheless you should obtain a new certificate, because the expiry of the 2nd one is not that far away, too.
 
LVL 2

Assisted Solution

by:CubeOver
CubeOver earned 1000 total points
ID: 39801970
The card logon certificate is required for the KDC service, otherwise nobody could log on using smartcards, plus you'd get errors in the Application Log. This is ignorable if you do not use smartcards.

The second certificate is probably the CA root itself. You can compare its thumbprint to the one in the CA console (ADCS -> Properties of the CA -> View Certificate).
You would need to take preemptive actions in order for your PKI to continue smoothly. Renew the certificate and publish it (.CER only! No private key!) in the same GPO where you have the previous root CA, so it is trusted by entities in your domain/forest. Keep the old one as well, for continuity.
It is also a good time to send the .CER off to third parties who require trust to your PKI, as those are not covered by your group policy.
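
Both answers above come down to reading the certificates in the local computer's Personal store: which one carries the thumbprint from the event, when each expires, and which purposes each includes. The following PowerShell is an added example, not part of the original thread; the 60-day threshold and the variable names are assumptions.

```powershell
# Added example: match the thumbprint from the Event ID 64 warning against
# the certificates in Personal -> Certificates of the local computer.

# Thumbprint as logged in the event on this page (with spaces).
$eventThumbprint = 'ae 0f 29 10 cd 56 ce be 0e a6 4a 63 8e 84 89 21 c1 cf fd 58'

# The certificate store reports thumbprints as uppercase hex without separators.
$wanted = ($eventThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$warnDays = 60                                   # assumption: reporting threshold
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Read the EKU extension directly so this also works on older PowerShell.
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    $ekuOids  = @()
    $ekuNames = @()
    if ($eku) {
        foreach ($oid in $eku.EnhancedKeyUsages) {
            $ekuOids  += $oid.Value
            $ekuNames += ('{0} ({1})' -f $oid.FriendlyName, $oid.Value)
        }
    }

    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    New-Object PSObject -Property @{
        Thumbprint     = $cert.Thumbprint
        MatchesEvent   = ($cert.Thumbprint -eq $wanted)
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        # Subject equal to Issuer is what a root CA certificate looks like.
        SelfSigned     = ($cert.Subject -eq $cert.Issuer)
        NotAfter       = $cert.NotAfter
        DaysLeft       = $daysLeft
        ExpiringSoon   = ($daysLeft -lt $warnDays)
        SmartCardLogon = ($ekuOids -contains $smartCardLogonOid)
        Purposes       = ($ekuNames -join '; ')
        HasPrivateKey  = $cert.HasPrivateKey
    }
} | Select-Object MatchesEvent, Thumbprint, Subject, Issuer, SelfSigned,
                  NotAfter, DaysLeft, ExpiringSoon, SmartCardLogon,
                  Purposes, HasPrivateKey |
    Format-List
```

The row with `MatchesEvent` set to `True` is the certificate the warning refers to; a row with `SelfSigned` set to `True` can then be compared against the thumbprint shown in the CA console.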