Solved

Certificate Question

Posted on 2014-01-22
2
400 Views
Last Modified: 2014-02-11
My domain controller is populating the event logs with this following error

20 Jan 2014  09:48:09
Computer: [******************************]
Monitor: [Event Log Monitor]
Description:
* Event Time: 20 Jan 2014 09:41:46
* Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
* Event Log: Application
* Type: Warning
* Event ID: 64
* Event User: N/A
* Certificate for local system with Thumbprint ae 0f 29 10 cd 56 ce be 0e a6 4a 63 8e 84 89 21 c1 cf fd 58 is about to expire or already expired.

I located certificate in the mmc it is under. personal -> certificates....   the server that is issuing the error is the CA and the one that certificate is issued to.

there are 2 certificates that are about identical as far as functionality.
1 that expires in a few weeks and another one that expires in a decade.
the one that expires in a few weeks has one included item..  it says its purpose is for smart card login, remote computer and identifiying itself.  the one that is set to expire in 10 years does not include the smart card login.  can anyone tell me from what I have described

1) what this certificate is for?
2) will the one that expires in a decade insure that we don't lose services associated with the one that is about to expire.

thanks a ton
experts-exchange.jpg
0
Comment
Question by:jamesmetcalf74
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 14

Accepted Solution

by:
frankhelk earned 250 total points
ID: 39799852
First, your image does not show the second certificate expiring in a decade (10 years), both expire this year - the first im May, the second in November.

Which certificate the DC is whining abut could be determined by the fingerprint given in the message, you should see it in the details of the certificate.

I've seen that the intended purpose of a certificate could be set in the details - at least I was able to do so at my old XP machine.  Try to find where to set that up by digging into the certificate's details.

If the 2nd certificate would help you, depends on the type of use your DC makes of it ... if you use it for smartcard verification, you have to set it up to be used for that, or buy a sufficient one if that is forbidden.

Nevertheless you should obtain a new certificate, because the expiry of the 2nd one is not that far away, too.
0
 
LVL 2

Assisted Solution

by:CubeOver
CubeOver earned 250 total points
ID: 39801970
The card logon certificate is required for the KDC service, otherwise nobody could logon using smartcards, plus you'd get errors in the Application Log. This is ignorable if you do not use smartcards.

The second certificate is probably the CA root itself. You can compare its thumbprint to the one in CA console. (ADCS - > Properties of the CA -> View Certificate)
You would need to take preemptive actions in order for your PKI to continue smoothly. Renew the certificate and publish it (.CER only! No private key!) in the same GPO where you have the previous root CA, so it is trusted by entities in your domain/forest. Keep the old one as well, for continuity.
It also good time to send the .CER off to third-parties who require trust to your PKI, as those are not covered by your group policy.
0

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question