Solved

Renewing Microsoft root CA certificate

Posted on 2014-07-25
516 Views
Last Modified: 2014-09-15
Hi expert,

we have an ActiveDirectory and a Microsoft CA here.
The certificate of that CA will expire in August, 2015.

Because we don't want (client) certificates with retention periods < 1 year, we have to renew the CA certificate next month.
As I saw, there is the possibility to create a new pair of keys or to use the existing one.
My currently issued certificates must be valid after renewal. Does this mean that I have to keep the existing pair of keys?

Will renewing with the existing pair affect any already issued certificates, or will they work on until their end date?

And I have one problem:
When right-clicking the root CA I see 2 root certificates that are valid at the moment (Nr. 2, Nr. 3).
There are 2 old certificates (Nr. 0, Nr. 1) that are expired.

Is this normal?
Why are there 2 certificates?
Do I have to renew both certificates?

I hope that the renewing process will be straightforward.

Thanks in advance for your answers.

Best regards
Roland
0
Question by:Systemadministration
5 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 40220336
You can renew the CA certificate with either a new key pair or the same key pair; it does not matter.
When you generate a new key pair for a CA that is being renewed, a new certificate revocation list (CRL) distribution point is also created. This is to ensure that the key used to sign a certificate issued by the CA also matches the key used to sign the CRL.
Or you can use the existing key pair if you want to.

The already issued certs have their expiry date set / hardcoded in the issued certificate itself, so they will expire at that time; you cannot extend their expiry date by renewing the CA certificate. After you renew the CA certificate, the new certificates that the CA issues will get the full / proper expiry period that is mentioned in the certificate template.

Important thing: a CA cannot issue certificates with a longer validity period than its own certificate's expiry period.
Hence you need to renew the CA certificate with either the existing pair / a new pair before its certificate expires, otherwise all your issued certificates will automatically expire. Furthermore, I guess you still need to renew your existing issued certs as well, because their expiry date might also be equal to / less than the CA certificate's expiry date.
You cannot renew an expired certificate. You have to renew it before it expires. Otherwise you need to request a new certificate.

Last thing: the certificates No. 0 and 1 are expired as per their validity period, and that is why No. 2 and 3 were renewed later on.
Hence it's normal.
You need to renew the last certificate (No. 3) only.

Check the topic "The validity period of a CA and the validity period of the certificates it issues" in this MS article: http://technet.microsoft.com/en-us/library/cc740209(v=ws.10).aspx
1
 

Author Comment

by:Systemadministration
ID: 40223595
Thank you for your answer!
So there will be no risk when renewing the cert?

I don't understand why there are No. 2 and No. 3 with the same expiry date.
Why are there 2 valid certificates and not just one?
0
 
LVL 37

Accepted Solution

by: Mahesh (earned 400 total points)
ID: 40225064
Yes, definitely no risk.

Your administrator must have renewed the CA root certificate multiple times, which is why you see certificates 2 and 3.

Even if there are multiple valid CA certs, only the most recent CA certificate is used for signing new certificate requests.
You can check both certificates' validity in the certificate properties; as already stated earlier, certificate No. 3 must be the recent certificate.
0
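As an added example (not code from the thread or from Microsoft), this PowerShell script shows the two points Mahesh makes: renewals with the same key pair share one Subject Key Identifier, so an issued certificate's Authority Key Identifier matches every such CA certificate, and an issued certificate's own expiry is fixed at issuance and never extended by a CA renewal. It assumes the CA's certificates are in the local machine Root store, that the issued certificates to inspect are in that host's Personal store, and that `$CaName` is a placeholder you replace with your CA's common name.

```powershell
# Added example (not from the thread): list the CA's certificates found in this
# machine's Root store and show which of them each locally stored issued cert
# chains to. Assumes the CA's certs are in Cert:\LocalMachine\Root and that
# $CaName (a placeholder) is the CA's common name.
param(
    [string]$CaName   = 'CONTOSO-ROOT-CA',   # placeholder: replace with your CA's CN
    [int]   $WarnDays = 60                   # warn when a CA cert expires within this many days
)

# Return the key identifier carried in a SKI (2.5.29.14) or AKI (2.5.29.35)
# extension as lowercase hex without separators, or $null if the cert lacks it.
function Get-KeyId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return $null }
    $text = $ext.Format($false)                       # AKI renders as "KeyID=ab cd ...", SKI as "ab cd ..."
    if ($text -match 'KeyID=([0-9a-fA-F ]+)') { $text = $Matches[1] }
    return ($text -replace '[^0-9a-fA-F]', '').ToLower()
}

# All certificates the CA has had: renewals with the same key pair share one SKI,
# a renewal with a new key pair gets a new SKI.
$caCerts = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$($CaName)*" })
$i = 0
foreach ($ca in ($caCerts | Sort-Object NotBefore)) {
    $daysLeft = [int]($ca.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'RENEW SOON' } else { 'ok' }
    "CA cert #$i  SKI=$(Get-KeyId $ca '2.5.29.14')  NotAfter=$($ca.NotAfter.ToShortDateString())  $state"
    $i++
}

# Match each issued cert in the Personal store to the CA cert(s) whose SKI equals its AKI.
# A count of 2 means the CA was renewed with the same key pair; the issued cert's own
# NotAfter is fixed at issuance and is never extended by a CA renewal.
$newestCa = $caCerts | Sort-Object NotAfter -Descending | Select-Object -First 1
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $aki = Get-KeyId $cert '2.5.29.35'
    if (-not $aki) { continue }
    $issuers = @($caCerts | Where-Object { (Get-KeyId $_ '2.5.29.14') -eq $aki })
    if ($issuers.Count -eq 0) { continue }            # not issued by this CA
    $outlives = if ($cert.NotAfter -gt $newestCa.NotAfter) { 'outlives newest CA cert' } else { 'within CA lifetime' }
    "$($cert.Subject)  NotAfter=$($cert.NotAfter.ToShortDateString())  matches $($issuers.Count) CA cert(s)  $outlives"
}
```

Run it on the CA host (or any domain member that has the CA certificates in its Root store) before and after the renewal; a CA cert reported as RENEW SOON is the one to renew, and issued certs that match two CA certs show the renewal kept the existing key pair.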
 

Author Comment

by:Systemadministration
ID: 40238341
OK, it seems that there were two root certificates renewed last time.
But in the certificate list I see only certificates which use No. 3 as the root certificate.
I will renew No. 3 tomorrow and hope I will be safe.

No. 2 will expire in August and No. 3 should stay valid.

Right?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40238368
Yes, that's right.
0
