I'm migrating my 2-tier Microsoft PKI from SHA1 to SHA256 and am following this document:
I am/was already using KSP. I've already converted, renewed, and published my offline Root CA's certificate, with a new CRL. So really, I simply had to run the certutil -setreg part and renew my certs.
I converted my 2 subordinates to SHA256 for all new certs but I can't renew their certs (the second step 10). They are both 2012 Server Core. When I manage them from a remote machine, under All Tasks, where you would find the Renew Certificate option, there is only Install Certificate. I select it and a progress bar goes by but there is no dialog. Then I tried the following command but received this output and am not finding very much helpful info:
certutil -renewCert ReuseKeys
CertUtil: -renewCert command FAILED: 0x8007139f (WIN32: 5023)
CertUtil: The group or resource is not in the correct state to perform the requested operation.
How do I get the new SHA256 certs for the subordinates? Can I simply use certutil to generate brand new requests, USB key them to my offline Root CA to sign them and then finish it like I did when I first created them, or would that cause a problem since they're existing and not new?
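A check that separates the two halves of this migration on a subordinate CA: the hash algorithm the CA is configured to issue with (what certutil -setreg changes) versus the signature algorithm on the CA's own certificate (which stays SHA1 until the parent renews it). This is an added example, not from the original post; it assumes it runs on the CA itself (or in a remote PowerShell session to it) with rights to read the CertSvc configuration, and that the CA certificate sits in the machine Personal store with a subject starting with the CA name.

```powershell
# Added example: compare the CA's configured signing hash with the
# signature algorithm of its own certificate(s) after a SHA1 -> SHA256 move.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$csp    = Get-ItemProperty -Path (Join-Path $cfg "$caName\CSP")

# CNGHashAlgorithm is the value written by
#   certutil -setreg ca\csp\CNGHashAlgorithm SHA256
# It only exists when the CA uses a KSP (CNG); a legacy CSP-based CA
# has a numeric HashAlgorithm value instead and must be converted first.
if ($csp.PSObject.Properties['CNGHashAlgorithm']) {
    "CA '$caName' issues new certificates signed with: $($csp.CNGHashAlgorithm)"
} else {
    "CA '$caName' is still CSP-based (HashAlgorithm = $($csp.HashAlgorithm)); convert to KSP first"
}
"Provider: $($csp.Provider)"

# The -setreg change does not touch the CA's own certificate. Until the
# parent (here the offline root) renews it, it is still signed with SHA1.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$caName*" } |
    Sort-Object NotBefore |
    ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotBefore     = $_.NotBefore
            NotAfter      = $_.NotAfter
            SignedWith    = $_.SignatureAlgorithm.FriendlyName  # e.g. sha1RSA / sha256RSA
            HasPrivateKey = $_.HasPrivateKey
        }
    } | Format-Table -AutoSize
```

A subordinate that reports SHA256 in the first line but only sha1RSA certificates in the table is exactly the half-finished state described above: new leaf certs are SHA256, but the CA certificate itself still needs renewal by the root.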