Solved

Root Server Certificate is expiring, should I take any action?

Posted on 2015-01-16
Last Modified: 2015-01-19
Windows Server 2008 R2: In my certificate interface I see a certificate that says servername-root and it's expiring soon. I need to know if I should renew this and how, or does it matter? I have a Symantec SSL certificate but am not sure what this certificate does for the server. It does not seem to have anything to do with SSL. If I right-click on it there is a renew option, but I'm not sure what that does either.
Question by:kdschool
 
LVL 76

Assisted Solution

by:arnold
arnold earned 350 total points
ID: 40554854
Use the Certificate Authority interface if installed to see whether you have.
Who is the issuer of the certificate where you get this notice?

The certificate should say what functions it is authorized for.

Do you have a Symantec product, anti-virus security, backup?
0
 
LVL 61

Expert Comment

by:btan
ID: 40554886
Root cert renewal can be a hassle, esp. since it may deem the existing architecture to "break" with new issuance of keys to those below the root server, like the subordinate and issuing servers. It should not impact the endpoint-issued cert per se.
Renewing the CA certificate typically doesn't impact the PKI trust chain validation process that your PKI clients use for validating previously issued and newly issued certificates. All previously issued certificates automatically chain up to the old CA certificate and all newly issued certificates automatically chain up to the new CA certificate. This process is possible thanks to the Subject Key Identifier (SKI) in the CA certificate, and the Authority Key Identifier (AKI) and Authority Information Access (AIA) fields in each of the certificates a CA issues.
http://windowsitpro.com/security/q-whats-impact-renewing-enterprise-root-cas-certificate-our-existing-pki-clients-and-subord

... in fact you can reuse the existing same key for the root server... However, it is not for you if you are in the stated use cases, and so you need a new keyset:
- CA signing (existing CA key pair) is compromised;
- You have a program that requires a new signing key to be used with a new CA certificate;
- The current CRL file is too large and you want to move some revocation information to a new CRL file.

This is a useful link as well when having a new keyset, and noting this:
To address this issue (when you use new root CA cert, but it is not deployed to all clients yet) Windows CA generates two cross-certificates.
Also do avoid having CA and AD in the same server, it complicates... and in all changes do verify backup and existing keyset is alright.
http://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx

Another: "Renewing a certification authority", which shares more on various use cases for consideration
http://technet.microsoft.com/en-sg/library/cc740209(v=ws.10).aspx
0
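The check suggested in the first answer (who issued the expiring certificate and what it is authorized for), together with the SKI and AKI fields mentioned in the comment above, can be pulled from the machine stores in one pass. This is an added PowerShell example, not part of any poster's reply; the 60-day window is an assumed value.

```powershell
# Added example: list certificates in the local machine stores that expire
# within $Days days, with the fields needed to work out who owns each one.
# $Days = 60 is an assumed review window, not a value from the thread.
$Days   = 60
$cutoff = (Get-Date).AddDays($Days)

function Get-ExtensionText($cert, $oid) {
    # Return the formatted value of one X.509 extension, or '' if absent.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { $ext.Format($false) } else { '' }
}

Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object {
        # The recursion also returns store containers; keep certificates only.
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.NotAfter -le $cutoff
    } |
    ForEach-Object {
        $cert = $_
        # 2.5.29.37 = Enhanced Key Usage. A certificate without this
        # extension is not restricted to specific purposes.
        $eku = Get-ExtensionText $cert '2.5.29.37'
        if (-not $eku) { $eku = '(no EKU extension: all purposes)' }
        New-Object PSObject -Property @{
            Store      = $cert.PSParentPath.Split('\')[-1]
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            # Subject equal to issuer indicates a self-issued (root-style) cert.
            SelfIssued = ($cert.Subject -eq $cert.Issuer)
            NotAfter   = $cert.NotAfter
            Purposes   = $eku
            SKI        = Get-ExtensionText $cert '2.5.29.14'   # Subject Key Identifier
            AKI        = Get-ExtensionText $cert '2.5.29.35'   # Authority Key Identifier
            Thumbprint = $cert.Thumbprint
        }
    } |
    Sort-Object NotAfter |
    Format-List Store, Subject, Issuer, SelfIssued, NotAfter, Purposes, SKI, AKI, Thumbprint
```

The O and OU values in the Subject and Issuer lines identify which vendor or internal CA to ask about renewal.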
 

Author Comment

by:kdschool
ID: 40557559
This is what it says the certificate is used for: All application policies.
CN = SERVER NAME - ROOT
OU = BE-HRO
O = Symantec Corporation
L = Heathrow
S = Florida
C = US

I use Symantec Backup Exec 2012 and Symantec System Recovery 2013. My licenses are up to date. Should I contact Symantec?
0
 
LVL 61

Accepted Solution

by:btan
btan earned 150 total points
ID: 40557701
So the root cert is the third-party one then... since it pertains to the Symantec certificate. This is the Symantec internal trusted cert that is used for signing its own Symantec products (including the mentioned Backup Exec and System Recovery software files) and is a trusted publisher. You are also likely to see its other cert fields as below.

Symantec's own Certificate Authority is likely VeriSign, Inc.
Subject: CN=Symantec Corporation, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=BE-HRO, O=Symantec Corporation, L=Heathrow, S=Florida, C=US
Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Possible related files (filenames may vary with version) signed and verified by Symantec (which you should be able to see in the file properties) are (but not limited to):
- bkupexec_it.dll, VirtFile.sys, libcatalog.dll etc for Symantec Backup Exec for Windows Servers
- sreapicom.dll, EventMonitors.DLL, ComLicense.dll etc for Symantec System Recovery

So it is better to get Symantec to advise then, since this cert is generated by them. I do not think it will impact its software, though there may be a warning since the publisher is untrusted. Good to check ASAP with Symantec support and renew as required.

But do note that if your own CA root provisioning in the env for the Symantec product is "untrusted", you are likely to see issues surface in establishing trust relationships, as also shared e.g. http://www.symantec.com/business/support/index?page=content&id=TECH171274
0
 

Author Closing Comment

by:kdschool
ID: 40557828
The first answer helped me solve this problem by finding out who the certificate was issued by. I contacted Symantec and, as the last answer says, there is no impact on the products. They confirmed it was a Backup Exec certificate and that it would have no impact on the server when it expired as long as my licenses were up to date. Thanks to everyone on this site, who are just amazing at helping us rookies.
0
