Automatic certificate enrollment for local system failed (0x800b0101)


One of our clients has a very simple domain, with 2 x W2008 R2 Domain Controllers and an Exchange Server 2010 server.

For some reason the Exchange server is the Certification Authority and 2 of the certificates expired in December 2015.

The Domain Controller now gets:

  -  Event ID: 64 - Certificate for local system with Thumbprint xxxxxxxxxx  is about to expire or already expired
  -  Event ID: 6 - Automatic certificate enrollment for local system failed (0x800b0101) A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
  -  Event ID: 13 - Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate with request ID N/A from "ServerName01-CA" (A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)).

and the same Event ID: 13 for a "DirectoryEmailReplication" certificate.

It seems relatively simple, that the certs have expired and, as we can't renew, we have to create new ones, but I'm unsure how to go about this.

Any pointers would be appreciated.

Thanks in advance.

Hypercat (Deb) Commented:
What are the certs being used for? If they're being used for Exchange, the easiest way to renew them would be to do it on the Exchange server. You can use PowerShell to do this. Here's an article that runs through the steps:
tfinding (Author) Commented:
Hi Hypercat

Many thanks for your comment. They are not Exchange but Domain certificates:

  -  Domain Controller Authentication
  -  Directory Email Replication

The reasoning for the mention of Exchange is because the CA is installed on the Exchange Server (not sure why).

The errors are on the Domain Controller.
Hypercat (Deb) Commented:
Have you rebooted the server recently? If not, try that first, since it may renew automatically when you restart.

Otherwise, you should be able to renew it using the Certificates snap-in. I think you can do this from either server. Here's a basic article from TechNet with links for additional info:

tfinding (Author) Commented:
Hi - I think the problem lies with the fact that the 2 certificates have expired and they weren't renewed in time.

The certificates reside on the Domain Controller & not the CA. If I try to renew it on the DC, I get:

  -  "The permissions on this certification authority do not allow the current user to enroll for certificates. A valid CA configured to issue certificates based on this template cannot be located or the CA does not support this operation, or the CA is not trusted"

If I try to request a new certificate (under Personal > Certificates) on the CA, I also get:

  -  "You cannot request a certificate at this time because no certificate types are available. If you need a certificate please contact your administrator."

I'm logged in as the Domain Admin in all cases. I gave Full Control for the Domain Admins on one of the Certificate Templates, but it's still not listed when I run this request.

I feel I need to find a comprehensive step-by-step document to start from the start.
tfinding (Author) Commented:
This has now been resolved after renewing the CA Certificate on the Certification Authority.

Further details here


tfinding (Author) Commented:
These errors were resolved by doing another task related to the Certification Authority (link supplied).
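
Error 0x800b0101 is raised when any certificate in a chain, including the issuing CA's own certificate, is outside its validity period, so it helps to list every chain element with its dates before attempting a renewal. The script below is an added example, not part of the original thread; it assumes an elevated PowerShell session on the domain controller, and the function name `Get-ChainValidity` is hypothetical.

```powershell
# Added diagnostic example: for every certificate in the local machine's
# Personal store, build the chain and report each element's validity dates.
function Get-ChainValidity {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so an unreachable CRL does not mask the date problem.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Certificate)

    $now = Get-Date
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        # Status flags for this element, e.g. NotTimeValid or PartialChain.
        $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status })
        New-Object PSObject -Property @{
            LeafThumbprint  = $Certificate.Thumbprint
            Subject         = $c.Subject
            Issuer          = $c.Issuer
            NotBefore       = $c.NotBefore
            NotAfter        = $c.NotAfter
            OutsideValidity = ($now -lt $c.NotBefore) -or ($now -gt $c.NotAfter)
            ChainStatus     = ($flags -join ',')
        }
    }
    $chain.Reset()
}

# One row per chain element; a CA row with OutsideValidity = True means the
# CA certificate itself must be renewed before the CA can issue anything.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-ChainValidity -Certificate $_ } |
    Select-Object LeafThumbprint, Subject, Issuer, NotBefore, NotAfter,
                  OutsideValidity, ChainStatus |
    Sort-Object LeafThumbprint, NotAfter |
    Format-Table -AutoSize -Wrap
```

A `NotTimeValid` status on the leaf only points to an expired domain controller certificate; the same status on an issuer row matches the situation resolved in this thread, where the CA certificate had to be renewed first.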