Solved

Root Server Certificate is expiring; should I take any action?

Posted on 2015-01-16
Last Modified: 2015-01-19
Windows Server 2008 R2: In my certificate interface I see a certificate that says servername-root and it's expiring soon. I need to know if I should renew this and how, or does it matter? I have a Symantec SSL certificate but am not sure what this certificate does for the server. It does not seem to have anything to do with SSL. If I right-click on it there is a renew option, but I'm not sure what that does either.
Question by:kdschool
5 Comments
 
LVL 77

Assisted Solution

by:arnold
arnold earned 350 total points
ID: 40554854
Use the Certificate Authority interface if installed to see whether you have.
Who is the issuer of the certificate where you get this notice?

The certificate should say what functions it is authorized for.

Do you have a Symantec product: anti-virus, security, backup?
0
 
LVL 63

Expert Comment

by:btan
ID: 40554886
Root cert renewal can be a hassle, especially since it may deem the existing architecture to "break" with the new issuance of keys to those below the root server, like the subordinate and issuing servers. It should not impact the endpoint-issued certs per se.
Renewing the CA certificate typically doesn't impact the PKI trust chain validation process that your PKI clients use for validating previously issued and newly issued certificates. All previously issued certificates automatically chain up to the old CA certificate and all newly issued certificates automatically chain up to the new CA certificate. This process is possible thanks to the Subject Key Identifier (SKI) in the CA certificate, and the Authority Key Identifier (AKI) and Authority Information Access (AIA) fields in each of the certificates a CA issues.
http://windowsitpro.com/security/q-whats-impact-renewing-enterprise-root-cas-certificate-our-existing-pki-clients-and-subord

... in fact you can reuse the existing same key for the root server... However, it is not for you if you are in the stated use cases, and so you need a new keyset:
- CA signing (existing CA key pair) is compromised;
- You have a program that requires a new signing key to be used with a new CA certificate;
- The current CRL file is too large and you want to move some revocation information to a new CRL file.

This is a useful link as well when having a new keyset, noting this:
To address this issue (when you use new root CA cert, but it is not deployed to all clients yet) Windows CA generates two cross-certificates.
Also, do avoid having the CA and AD on the same server, it complicates... and in all changes do verify that the backup and existing keyset are alright.
http://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx

Another - "Renewing a certification authority", which shares more on various use cases for consideration:
http://technet.microsoft.com/en-sg/library/cc740209(v=ws.10).aspx
0
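One way to answer the questions raised in the two answers above (who issued the expiring certificate, what it is authorized for, and which key identifiers tie it into a chain), as an added example that is not part of the original thread. It only reads the local machine stores; the 90-day window and the variable names are assumptions.

```powershell
# Added example: list certificates in the local machine stores that have
# expired or will expire within $Days days. Read-only; changes nothing.
$Days   = 90                       # assumed look-ahead window
$cutoff = (Get-Date).AddDays($Days)
$x509   = 'System.Security.Cryptography.X509Certificates'

$report = foreach ($store in Get-ChildItem -Path Cert:\LocalMachine) {
    foreach ($cert in Get-ChildItem -Path $store.PSPath) {
        if ($cert.NotAfter -gt $cutoff) { continue }

        # Enhanced Key Usage: with no EKU extension the certificate is not
        # restricted to specific application policies.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is "$x509.X509EnhancedKeyUsageExtension" }
        $eku = if ($ekuExt) {
            ($ekuExt.EnhancedKeyUsages | ForEach-Object {
                if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value }
            }) -join ', '
        } else { '(no EKU extension)' }

        # Subject Key Identifier (2.5.29.14) names this certificate's key;
        # Authority Key Identifier (2.5.29.35) names the issuer's key.
        $skiExt = $cert.Extensions |
            Where-Object { $_ -is "$x509.X509SubjectKeyIdentifierExtension" }
        $akiExt = $cert.Extensions['2.5.29.35']

        New-Object PSObject -Property @{
            Store         = $store.Name
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            # Name comparison only: a heuristic, not a signature check
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            HasPrivateKey = $cert.HasPrivateKey
            EKU           = $eku
            SKI           = if ($skiExt) { $skiExt.SubjectKeyIdentifier }
            AKI           = if ($akiExt) { $akiExt.Format($false) }
            Thumbprint    = $cert.Thumbprint
        }
    }
}

$report | Sort-Object NotAfter |
    Format-List Store, Subject, Issuer, NotAfter, SelfSigned,
                HasPrivateKey, EKU, SKI, AKI, Thumbprint
```

The Issuer and Subject fields identify which product or CA owns the certificate, and matching a certificate's AKI against another certificate's SKI shows which CA key it chains to.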
 

Author Comment

by:kdschool
ID: 40557559
This is what it says the certificate is used for: All application policies.
CN = SERVER NAME - ROOT
OU = BE-HRO
O = Symantec Corporation
L = Heathrow
S = Florida
C = US

I use Symantec Backup Exec 2012 and Symantec System Recovery 2013. My licenses are up to date. Should I contact Symantec?
0
 
LVL 63

Accepted Solution

by:btan
btan earned 150 total points
ID: 40557701
So the root cert is the third-party one then... since it pertains to a Symantec certificate. This is the Symantec internal trusted cert that is used for signing its own Symantec products (including the mentioned Backup Exec and System Recovery software files) and is a trusted publisher. You are also likely to see its other cert fields as below.

Symantec's own Certificate Authority is likely VeriSign, Inc.
Subject: CN=Symantec Corporation, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=BE-HRO, O=Symantec Corporation, L=Heathrow, S=Florida, C=US
Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Possible related files (filenames may vary with version) signed and verified by Symantec (which you should be able to see in the file properties) are (but not limited to):
- bkupexec_it.dll, VirtFile.sys, libcatalog.dll etc for Symantec Backup Exec for Windows Servers
- sreapicom.dll, EventMonitors.DLL, ComLicense.dll etc for Symantec System Recovery

So it is better to get Symantec to advise then, since this cert is generated by them. I do not think it will impact its software, though there may be a warning since the publisher is untrusted. Good to check ASAP with Symantec support and renew as required.

But do note that if your own CA root provisioning in the environment for the Symantec product is "untrusted", you are likely to see issues surface in establishing trust relationships, as also shared e.g. at http://www.symantec.com/business/support/index?page=content&id=TECH171274
0
 

Author Closing Comment

by:kdschool
ID: 40557828
The first answer helped me solve this problem by finding out who the certificate was issued by. I contacted Symantec and, as the last answer says, there is no impact on the products. They confirmed it was a Backup Exec certificate and that it would have no impact on the server when it expired as long as my licenses were up to date. Thanks to everyone on this site who are just amazing helping us rookies.
0


Question has a verified solution.
