Solved

Certificate Question

Posted on 2014-01-22
397 Views
Last Modified: 2014-02-11
My domain controller is populating the event logs with the following error

20 Jan 2014  09:48:09
Computer: [******************************]
Monitor: [Event Log Monitor]
Description:
* Event Time: 20 Jan 2014 09:41:46
* Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
* Event Log: Application
* Type: Warning
* Event ID: 64
* Event User: N/A
* Certificate for local system with Thumbprint ae 0f 29 10 cd 56 ce be 0e a6 4a 63 8e 84 89 21 c1 cf fd 58 is about to expire or already expired.

I located the certificate in the MMC; it is under Personal -> Certificates. The server that is issuing the error is the CA and the one the certificate is issued to.

There are 2 certificates that are about identical as far as functionality.
One expires in a few weeks and the other expires in a decade.
The one that expires in a few weeks has one included item: it says its purpose is for smart card login, remote computer and identifying itself. The one that is set to expire in 10 years does not include the smart card login. Can anyone tell me from what I have described

1) what this certificate is for?
2) will the one that expires in a decade insure that we don't lose services associated with the one that is about to expire.

thanks a ton
Question by:jamesmetcalf74
2 Comments
 
LVL 14

Accepted Solution

by: frankhelk (earned 250 total points)
ID: 39799852
First, your image does not show the second certificate expiring in a decade (10 years); both expire this year - the first in May, the second in November.

Which certificate the DC is whining about can be determined by the fingerprint given in the message; you should see it in the details of the certificate.

I've seen that the intended purpose of a certificate can be set in the details - at least I was able to do so on my old XP machine. Try to find where to set that up by digging into the certificate's details.

Whether the 2nd certificate would help you depends on the type of use your DC makes of it ... if you use it for smartcard verification, you have to set it up to be used for that, or buy a sufficient one if that is forbidden.

Nevertheless you should obtain a new certificate, because the expiry of the 2nd one is not that far away either.
 
LVL 2

Assisted Solution

by: CubeOver (earned 250 total points)
ID: 39801970
The card logon certificate is required for the KDC service; otherwise nobody could log on using smartcards, plus you'd get errors in the Application Log. This is ignorable if you do not use smartcards.

The second certificate is probably the CA root itself. You can compare its thumbprint to the one in the CA console (ADCS -> Properties of the CA -> View Certificate).
You would need to take preemptive actions in order for your PKI to continue smoothly. Renew the certificate and publish it (.CER only! No private key!) in the same GPO where you have the previous root CA, so it is trusted by entities in your domain/forest. Keep the old one as well, for continuity.
It is also a good time to send the .CER off to third parties who require trust to your PKI, as those are not covered by your group policy.
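Both answers above come down to the same check: find the certificate whose thumbprint appears in the Event ID 64 message, read its expiry and its purposes (Enhanced Key Usage), and see whether it is the CA's own self-signed certificate. The following PowerShell script is an added worked example; it is not from either expert's reply and not part of the original thread. It assumes the certificate lives in the machine Personal store (`Cert:\LocalMachine\My`, where a "local system" certificate would be), uses the thumbprint quoted in the event with the spaces removed, flags anything expiring inside an assumed 90-day window, and names the handful of EKU OIDs that matter on a domain controller.

```powershell
# Added example, not code from the original thread.
# Reports every certificate in the machine Personal store with its expiry,
# days remaining, purposes (EKU), whether it is self-signed (subject == issuer,
# as a CA root certificate would be), and whether it is the one named in the event.

# Thumbprint from the Event ID 64 message, spaces removed (PowerShell's -eq is case-insensitive).
$eventThumbprint = 'AE0F2910CD56CEBE0EA64A638E848921C1CFFD58'

# EKU OIDs worth recognising on a DC; anything else is reported by its friendly name.
$knownEku = @{
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}

function Get-MachineCertReport {
    param(
        [string]$Thumbprint = $eventThumbprint,
        [int]$WarnDays = 90      # assumption: warn on anything expiring within 90 days
    )
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # EnhancedKeyUsageList is the PowerShell view of the EKU extension;
        # an empty list means the certificate is not restricted to particular purposes.
        $ekus = if ($cert.EnhancedKeyUsageList) {
            $cert.EnhancedKeyUsageList | ForEach-Object {
                if ($knownEku.ContainsKey($_.ObjectId)) { $knownEku[$_.ObjectId] } else { $_.FriendlyName }
            }
        } else { @('<no EKU restriction>') }

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            FromEvent      = ($cert.Thumbprint -eq $Thumbprint)
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            SelfSigned     = ($cert.Subject -eq $cert.Issuer)
            NotAfter       = $cert.NotAfter
            DaysLeft       = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
            ExpiringSoon   = ($cert.NotAfter -lt $now.AddDays($WarnDays))
            SmartCardLogon = ($ekus -contains 'Smart Card Logon')
            Purposes       = ($ekus -join ', ')
        }
    }
}

# The event's certificate first, then the rest ordered by expiry date.
Get-MachineCertReport |
    Sort-Object -Property @{ Expression = 'FromEvent'; Descending = $true }, NotAfter |
    Format-Table Thumbprint, FromEvent, SelfSigned, DaysLeft, ExpiringSoon, SmartCardLogon, Purposes -AutoSize

# When run on the CA itself, this prints the CA's own certificate (the same one
# the CA console shows under Properties -> View Certificate) for thumbprint comparison.
certutil -cainfo cert
```

Run it in an elevated PowerShell session on the DC. A row with `FromEvent` true, `SmartCardLogon` true and `SelfSigned` false is the enrolled DC certificate that CubeOver describes as needed by the KDC; a `SelfSigned` true row whose thumbprint matches the `certutil -cainfo cert` output is the CA root, which is the one to renew and republish via GPO as the second answer suggests.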