kdschool


Root Server Certificate is expiring, should I take any action?

Windows Server 2008R2: In my certificate interface I see a certificate that says servername-root and it's expiring soon. I need to know if I should renew this and how, or whether it matters. I have a Symantec SSL certificate but am not sure what this certificate does for the server. It does not seem to have anything to do with SSL. If I right-click on it there is a renew option, but I am not sure what that does either.
SOLUTION
arnold
This solution is only available to members.
btan

Root cert renewal can be a hassle, especially since it may cause the existing architecture to "break" with new issuance of keys to those below the root server, like the subordinate and issuing servers. It should not impact the endpoint issued cert per se.
Renewing the CA certificate typically doesn't impact the PKI trust chain validation process that your PKI clients use for validating previously issued and newly issued certificates. All previously issued certificates automatically chain up to the old CA certificate and all newly issued certificates automatically chain up to the new CA certificate. This process is possible thanks to the Subject Key Identifier (SKI) in the CA certificate, and the Authority Key Identifier (AKI) and Authority Information Access (AIA) fields in each of the certificates a CA issues.
http://windowsitpro.com/security/q-whats-impact-renewing-enterprise-root-cas-certificate-our-existing-pki-clients-and-subord

... in fact you can reuse the same existing key for the root server... However, that is not for you if you are in one of the stated use cases, and so you need a new keyset:
-CA signing (existing CA key pair) is compromised;
-You have a program that requires a new signing key to be used with a new CA certificate;
-The current CRL file is too large and you want to move some revocation information to a new CRL file.
This is a useful link as well when having a new keyset, noting this:
To address this issue (when you use new root CA cert, but it is not deployed to all clients yet) Windows CA generates two cross-certificates.
Also, do avoid having the CA and AD on the same server, it complicates things... and in all changes do verify that the backup and existing keyset are alright.
http://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx

Another: "Renewing a certification authority", which shares more on various use cases for consideration
http://technet.microsoft.com/en-sg/library/cc740209(v=ws.10).aspx
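
The issuer and the chaining fields named in the answer above (SKI, AKI) can be read straight from the local machine certificate stores, which is enough to tell which product or CA an expiring certificate belongs to. This is an added example, not part of any post in this thread; the 60-day window and the helper name Get-ExtensionText are assumptions.

```powershell
# Added example: list local machine certificates that are expired or expire
# within $Days days, with the fields that show who issued them and how they
# chain. The 60-day window is an assumed value; adjust as needed.
$Days   = 60
$cutoff = (Get-Date).AddDays($Days)
$x509   = [System.Security.Cryptography.X509Certificates.X509Certificate2]

function Get-ExtensionText($Cert, $Oid) {
    # Hypothetical helper: formatted value of one extension, '' when absent.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { '' }
}

Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is $x509 -and $_.NotAfter -le $cutoff } |
    Select-Object `
        @{ n = 'Store';      e = { ($_.PSParentPath -split '\\')[-1] } },
        Subject,
        Issuer,
        NotAfter,
        Thumbprint,
        # Subject equal to Issuer indicates a self-signed (root-style) certificate.
        @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } },
        # 2.5.29.14 = Subject Key Identifier, 2.5.29.35 = Authority Key Identifier.
        @{ n = 'SKI';        e = { Get-ExtensionText $_ '2.5.29.14' } },
        @{ n = 'AKI';        e = { Get-ExtensionText $_ '2.5.29.35' } } |
    Sort-Object NotAfter |
    Format-List
```

A certificate whose AKI key ID matches another certificate's SKI was signed by that certificate's key; the Subject and Issuer organization fields show which vendor or CA to ask about renewal.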
kdschool

ASKER

This is what it says the certificate is used for: All application policies.
CN = SERVER NAME - ROOT
OU = BE-HRO
O = Symantec Corporation
L = Heathrow
S = Florida
C = US

I use Symantec back up exec 2012 and Symantec system recovery 2013. My licenses are up to date. Should I contact Symantec?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
The first answer helped me solve this problem by finding out who the certificate was issued by. I contacted Symantec and, as the last answer says, there is no impact on the products. They confirmed it was a back up exec certificate and that it would have no impact on the server when it expired as long as my licenses were up to date. Thanks to everyone on this site, who are just amazing at helping us rookies.