Automatic certificate enrollment for local system failed (0x800b0101)


One of my clients has a very simple domain, with 2 x W2008 R2 Domain Controllers and an Exchange Server 2010 server.

For some reason the Exchange server is the Certification Authority and 2 of the certificates expired in December 2015.

The Domain Controller now gets:

  -  Event ID: 64 - Certificate for local system with Thumbprint xxxxxxxxxx is about to expire or already expired
  -  Event ID: 6 - Automatic certificate enrollment for local system failed (0x800b0101) A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
  -  Event ID: 13 - Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate with request ID N/A from "ServerName01-CA" (A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)).

and the same Event ID: 13 for a "DirectoryEmailReplication" certificate.

It seems relatively simple, that the certs have expired and, as we can't renew, we have to create new ones, but I'm unsure how to go about this.

Any pointers would be appreciated.

Thanks in advance.
What are the certs being used for?  If they're being used for Exchange, the easiest way to renew them would be to do it on the Exchange server.  You can use Powershell to do this. Here's an article that runs through the steps:


Hi Hypercat

Many thanks for your comment. They are not Exchange but Domain certificates:

  -  Domain Controller Authentication
  -  Directory Email Replication

The reasoning for the mention of Exchange is because the CA is installed on the Exchange Server (not sure why).

The errors are on the Domain Controller.

Have you rebooted the server recently?  If not, try that first, since it may renew automatically when you restart.

Otherwise, you should be able to renew it using the Certificates snapin. I think you can do this from either server.  Here's a basic article from TechNet with links for additional info:

Hi - I think the problem lies with the fact that the 2 certificates have expired and they weren't renewed in time.

The certificates reside on the Domain Controller & not the CA. If I try to renew it on the DC, I get:

  -  "The permissions on this certification authority do not allow the current user to enroll for certificates. A valid CA configured to issue certificates based on this template cannot be located or the CA does not support this operation, or the CA is not trusted"

If I try to request a new certificate (under Personal > Certificates) on the CA, I also get:

  -  "You cannot request a certificate at this time because no certificate types are available. If you need a certificate please contact your administrator."

I'm logged in as the Domain Admin in all cases. I gave Full Control for the Domain Admins on one of the Certificate Templates, but it's still not listed when I run this request.

I feel I need to find a comprehensive step by step document to start from the start.

This has now been resolved after renewing the CA Certificate on the Certification Authority.

Further details here

These errors were resolved while doing another task related to the Certification Authority (link supplied).
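As an added diagnostic (not from the thread or any of its posters), the PowerShell below runs on the Domain Controller in an elevated session and lists machine certificates that are expired, expiring within 30 days, or whose chain no longer builds; a NotTimeValid chain status is the condition Windows reports as 0x800b0101, and the EarliestCAExpiry column shows when the issuing CA certificate itself runs out, which was the root cause here. It assumes PowerShell 2.0 or later and the default LocalMachine\My store.

```powershell
# Added diagnostic, not code from the thread. Run on the DC in an elevated
# PowerShell session (2.0 or later). Assumes the default LocalMachine\My store.
$WarnDays = 30
$now = Get-Date
# v2 and v1 certificate template extension OIDs, used to show which template a cert came from
$templateOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')

$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip CRL checks so an unreachable CRL cannot mask a validity-period problem.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)
    # NotTimeValid here is what Windows reports as 0x800b0101 (CERT_E_EXPIRED).
    $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $statusText) { $statusText = 'OK' }
    # Element 0 is the leaf; the rest are the issuing CA(s). Take the earliest NotAfter among them.
    $caExpiry = $chain.ChainElements | Select-Object -Skip 1 |
        ForEach-Object { $_.Certificate.NotAfter } | Sort-Object | Select-Object -First 1
    $chain.Reset()
    $template = ($cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }) -join ';'
    New-Object PSObject -Property @{
        Thumbprint       = $cert.Thumbprint
        Subject          = $cert.Subject
        Template         = $template
        NotAfter         = $cert.NotAfter
        DaysLeft         = [int]($cert.NotAfter - $now).TotalDays   # negative = already expired
        ChainBuilds      = $built
        ChainStatus      = $statusText
        EarliestCAExpiry = $caExpiry
    }
}

# Only report certs that need attention: expiring soon, expired, or with a broken chain.
$results |
    Where-Object { $_.DaysLeft -le $WarnDays -or -not $_.ChainBuilds } |
    Sort-Object DaysLeft |
    Select-Object Thumbprint, Template, NotAfter, DaysLeft, ChainBuilds, ChainStatus, EarliestCAExpiry |
    Format-Table -AutoSize
```

A leaf with days left but a chain that fails with NotTimeValid points at an expired CA certificate rather than at the DC certificate, which is the case to check before trying to re-enroll the DomainControllerAuthentication or DirectoryEmailReplication certificates.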
