Certificate Question

My domain controller is populating the event logs with this following error

20 Jan 2014  09:48:09
Computer: [******************************]
Monitor: [Event Log Monitor]
Description:
* Event Time: 20 Jan 2014 09:41:46
* Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
* Event Log: Application
* Type: Warning
* Event ID: 64
* Event User: N/A
* Certificate for local system with Thumbprint ae 0f 29 10 cd 56 ce be 0e a6 4a 63 8e 84 89 21 c1 cf fd 58 is about to expire or already expired.

I located certificate in the mmc it is under. personal -> certificates....   the server that is issuing the error is the CA and the one that certificate is issued to.

there are 2 certificates that are about identical as far as functionality.
1 that expires in a few weeks and another one that expires in a decade.
the one that expires in a few weeks has one included item..  it says its purpose is for smart card login, remote computer and identifiying itself.  the one that is set to expire in 10 years does not include the smart card login.  can anyone tell me from what I have described

1) what this certificate is for?
2) will the one that expires in a decade insure that we don't lose services associated with the one that is about to expire.

thanks a ton
experts-exchange.jpg
jamesmetcalf74Asked:
Who is Participating?
 
frankhelkConnect With a Mentor Commented:
First, your image does not show the second certificate expiring in a decade (10 years), both expire this year - the first im May, the second in November.

Which certificate the DC is whining abut could be determined by the fingerprint given in the message, you should see it in the details of the certificate.

I've seen that the intended purpose of a certificate could be set in the details - at least I was able to do so at my old XP machine.  Try to find where to set that up by digging into the certificate's details.

If the 2nd certificate would help you, depends on the type of use your DC makes of it ... if you use it for smartcard verification, you have to set it up to be used for that, or buy a sufficient one if that is forbidden.

Nevertheless you should obtain a new certificate, because the expiry of the 2nd one is not that far away, too.
0
 
CubeOverConnect With a Mentor Commented:
The card logon certificate is required for the KDC service, otherwise nobody could logon using smartcards, plus you'd get errors in the Application Log. This is ignorable if you do not use smartcards.

The second certificate is probably the CA root itself. You can compare its thumbprint to the one in CA console. (ADCS - > Properties of the CA -> View Certificate)
You would need to take preemptive actions in order for your PKI to continue smoothly. Renew the certificate and publish it (.CER only! No private key!) in the same GPO where you have the previous root CA, so it is trusted by entities in your domain/forest. Keep the old one as well, for continuity.
It also good time to send the .CER off to third-parties who require trust to your PKI, as those are not covered by your group policy.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.