2-Tier PKI (Offline Root CA) can't renew subordinate CA certificates
I'm migrating my 2-tier Microsoft PKI from SHA1 to SHA256 and am following this document:
https://blogs.technet.micr
I am/was already using KSP. I've already converted, renewed, and published my offline Root CAs certificate, with a new CRL. So really, I simply had to run the certutil -setreg part and renew my certs.
I converted my 2 subordinates to SHA256 for all new certs but I can't renew their certs (the second step 10). They are both 2012 server core. When I manage them from a remote machine, under all tasks where you would find the Renew Certificate option is only Install certificate. I select it and a progress bar goes by but there is no dialog. Then I tried the following command but received this output and am not finding very much helpful info:
certutil -renewCert ReuseKeys
CertUtil: -renewCert command FAILED: 0x8007139f (WIN32: 5023)
CertUtil: The group or resource is not in the correct state to perform the requested operation.
How do I get the new SHA256 certs for the subordinates? Can I simply use certutil to generate brand new requests, USB key them to my offline Root CA to sign them and then finish it like i did when I first created them or would that cause a problem since they're existing and not new?
https://blogs.technet.micr
I am/was already using KSP. I've already converted, renewed, and published my offline Root CAs certificate, with a new CRL. So really, I simply had to run the certutil -setreg part and renew my certs.
I converted my 2 subordinates to SHA256 for all new certs but I can't renew their certs (the second step 10). They are both 2012 server core. When I manage them from a remote machine, under all tasks where you would find the Renew Certificate option is only Install certificate. I select it and a progress bar goes by but there is no dialog. Then I tried the following command but received this output and am not finding very much helpful info:
certutil -renewCert ReuseKeys
CertUtil: -renewCert command FAILED: 0x8007139f (WIN32: 5023)
CertUtil: The group or resource is not in the correct state to perform the requested operation.
How do I get the new SHA256 certs for the subordinates? Can I simply use certutil to generate brand new requests, USB key them to my offline Root CA to sign them and then finish it like i did when I first created them or would that cause a problem since they're existing and not new?
David Johnson, CD
You can't do it online, so you have to do the create request, copy to usb, import, authorize request, copy to usb
ASKER
I understood that part but I couldn't get the file to generate. I found that adding the -f option to the certutil command took care of that for me. I'll see if I can finish from there now that I finally have the req file.
ASKER
I have it issued and obtained the cert file from the Offline Root but I'm having trouble figuring out how to complete the request on the subordinate itself. All references I find use the GUI right clicking -> All Tasks -> Install a certificate. However, when I do that it never prompts me to find the file. I also tried certreq -accept but that throws an error about not finding the object.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It was the only steps that helped get passed the hurdles.