Certificate Authority chain has expired (Event ID 58) - W2008 R2

tfinding used Ask the Experts™
I have a W2008 R2 member (and Exchange) server acting as a Certification Authority.

It currently has the following error:

Event ID : 58
Source : CertificationAuthority
A certificate in the chain for CA certificate 0 for %Server-Name%-CA has expired.  A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).

Right-clicking the CA and choosing Properties > General, we have:

  -  CA Certificates > Certificate #0 (expired)

Is it simply a case of:

  -  opening Certification Authority,
  -  right-clicking the CA in the left pane and
  -  "All Tasks" > "Renew CA Certificate"?

Any help would be appreciated.

We have many error messages as listed in this related question;


Thanks in advance
Senior Network Systems Specialist
Yes, it is exactly that; the task will create a new CA root certificate. You will also have to renew any server certificates, manually or through auto-enrol, to use the new CA root, as they will expire too.


Thanks for your comment Peter.

Do you know if I need to generate a new signing key? I assume not, unless there's a specific reason for doing so.

Peter Hutchison, Senior Network Systems Specialist
I just go with the default options when generating a new CA certificate.


Thanks for confirming things Peter - I've pushed that through (and generated a new signing key along the way).

My only issue now is that 2 certificates (DirectoryEmailReplication & DomainControllerAuthentication) on the Domain Controller have expired & I don't seem to be able to renew or request a new one.

I have the attached error message. Any ideas?

Thanks again


The creation of the new CA Certificate has resolved the issues I was having with the Domain Controllers.

I didn't have to do anything on these, other than wait for the autoenroll process.

Now I have:
  -  Certificate enrollment for Local system is successfully authenticated by policy server
  -  Certificate enrollment for Local system successfully received a DirectoryEmailReplication certificate with request ID xx from certification authority
  -  Certificate enrollment for Local system successfully received a DomainControllerAuthentication certificate with request ID xx from certification authority

Two new Certificates now present themselves on the DCs.

Thanks again for your time in confirming things here.
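
A read-only PowerShell check for the condition discussed in this thread, added here as an example and not posted by either participant: it builds the chain for every certificate in the local machine store and lists the chain elements that are outside their validity period (the state reported as 0x800b0101). The function name `Get-ChainTimeStatus` is hypothetical; the cmdlets and .NET classes are standard.

```powershell
# Added example (not from the thread). Inspects only; changes nothing.
function Get-ChainTimeStatus {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $notTimeValid = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::NotTimeValid
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so the result reflects validity dates only and
    # does not depend on the CRL distribution point being reachable.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Certificate)

    $depth = 0
    foreach ($element in $chain.ChainElements) {
        # Each chain element carries its own list of status flags.
        $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status })
        New-Object PSObject -Property @{
            LeafSubject = $Certificate.Subject
            Depth       = $depth   # 0 = the certificate itself, highest = root CA
            Subject     = $element.Certificate.Subject
            NotAfter    = $element.Certificate.NotAfter
            Thumbprint  = $element.Certificate.Thumbprint
            Expired     = ($flags -contains $notTimeValid)
        }
        $depth++
    }
}

# Every machine certificate whose own dates, or whose issuing CA's dates,
# are outside the validity period according to the current system clock.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-ChainTimeStatus -Certificate $_ } |
    Where-Object { $_.Expired } |
    Sort-Object LeafSubject, Depth |
    Format-Table LeafSubject, Depth, Subject, NotAfter, Thumbprint -AutoSize

# Most recent Event ID 58 records logged by the CA service, if any.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 58 } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*CertificationAuthority*' } |
    Select-Object -First 5 TimeCreated, ProviderName, Message
```

Run on the CA, an expired CA certificate appears at depth 0; on a domain controller it appears at a higher depth beneath the DirectoryEmailReplication and DomainControllerAuthentication certificates. Once the CA certificate has been renewed and autoenrollment has issued replacements, the first pipeline should list only the superseded certificates still left in the store.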
