Solved

Certificate Question

Posted on 2014-01-22
2
402 Views
Last Modified: 2014-02-11
My domain controller is populating the event logs with this following error

20 Jan 2014  09:48:09
Computer: [******************************]
Monitor: [Event Log Monitor]
Description:
* Event Time: 20 Jan 2014 09:41:46
* Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
* Event Log: Application
* Type: Warning
* Event ID: 64
* Event User: N/A
* Certificate for local system with Thumbprint ae 0f 29 10 cd 56 ce be 0e a6 4a 63 8e 84 89 21 c1 cf fd 58 is about to expire or already expired.

I located certificate in the mmc it is under. personal -> certificates....   the server that is issuing the error is the CA and the one that certificate is issued to.

there are 2 certificates that are about identical as far as functionality.
1 that expires in a few weeks and another one that expires in a decade.
the one that expires in a few weeks has one included item..  it says its purpose is for smart card login, remote computer and identifiying itself.  the one that is set to expire in 10 years does not include the smart card login.  can anyone tell me from what I have described

1) what this certificate is for?
2) will the one that expires in a decade insure that we don't lose services associated with the one that is about to expire.

thanks a ton
experts-exchange.jpg
0
Comment
Question by:jamesmetcalf74
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 14

Accepted Solution

by:
frankhelk earned 250 total points
ID: 39799852
First, your image does not show the second certificate expiring in a decade (10 years), both expire this year - the first im May, the second in November.

Which certificate the DC is whining abut could be determined by the fingerprint given in the message, you should see it in the details of the certificate.

I've seen that the intended purpose of a certificate could be set in the details - at least I was able to do so at my old XP machine.  Try to find where to set that up by digging into the certificate's details.

If the 2nd certificate would help you, depends on the type of use your DC makes of it ... if you use it for smartcard verification, you have to set it up to be used for that, or buy a sufficient one if that is forbidden.

Nevertheless you should obtain a new certificate, because the expiry of the 2nd one is not that far away, too.
0
 
LVL 2

Assisted Solution

by:CubeOver
CubeOver earned 250 total points
ID: 39801970
The card logon certificate is required for the KDC service, otherwise nobody could logon using smartcards, plus you'd get errors in the Application Log. This is ignorable if you do not use smartcards.

The second certificate is probably the CA root itself. You can compare its thumbprint to the one in CA console. (ADCS - > Properties of the CA -> View Certificate)
You would need to take preemptive actions in order for your PKI to continue smoothly. Renew the certificate and publish it (.CER only! No private key!) in the same GPO where you have the previous root CA, so it is trusted by entities in your domain/forest. Keep the old one as well, for continuity.
It also good time to send the .CER off to third-parties who require trust to your PKI, as those are not covered by your group policy.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question