Solved

2-Tier PKI (Offline Root CA) can't renew subordinate CA certificates

Posted on 2016-10-19
5
142 Views
Last Modified: 2016-10-24
I'm migrating my 2-tier Microsoft PKI from SHA1 to SHA256 and am following this document:

https://blogs.technet.microsoft.com/askds/2015/10/26/sha1-key-migration-to-sha256-for-a-two-tier-pki-hierarchy/

I am/was already using KSP. I've already converted, renewed, and published my offline Root CAs certificate, with a new CRL. So really, I simply had to run the certutil -setreg part and renew my certs.

I converted my 2 subordinates to SHA256 for all new certs but I can't renew their certs (the second step 10). They are both 2012 server core. When I manage them from a remote machine, under all tasks where you would find the Renew Certificate option is only Install certificate. I select it and a progress bar goes by but there is no dialog. Then I tried the following command but received this output and am not finding very much helpful info:

certutil -renewCert ReuseKeys
CertUtil: -renewCert command FAILED: 0x8007139f (WIN32: 5023)
CertUtil: The group or resource is not in the correct state to perform the requested operation.


How do I get the new SHA256 certs for the subordinates? Can I simply use certutil to generate brand new requests, USB key them to my offline Root CA to sign them and then finish it like i did when I first created them or would that cause a problem since they're existing and not new?
0
Comment
Question by:DaveQuance
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
5 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 41849663
You can't do it online, so you have to do the create request, copy to usb, import, authorize request, copy to usb
0
 

Author Comment

by:DaveQuance
ID: 41851079
I understood that part but I couldn't get the file to generate. I found that adding the -f option to the certutil command took care of that for me. I'll see if I can finish from there now that I finally have the req file.
0
 

Author Comment

by:DaveQuance
ID: 41851161
I have it issued and obtained the cert file from the Offline Root but I'm having trouble figuring out how to complete the request on the subordinate itself. All references I find use the GUI right clicking -> All Tasks -> Install a certificate. However, when I do that it never prompts me to find the file. I also tried certreq -accept but that throws an error about not finding the object.
0
 

Accepted Solution

by:
DaveQuance earned 0 total points
ID: 41851180
I'm fine now, the last comment was me just overcomplicating it seriously.

If you run into my issue, use the -f option on the certutil -renewcert. If you use Reusekeys put the -f in-between -renewcert and ReuseKeys.

This will get you  your req file. Go to your offline root with it, submit a new request, use the request file, go to pending certificates, issue it, then go to issued certificates, double click it, go to the details tab and Copy to File. Take your cer file and run certutil -installcert <cerFile>. A restart of certificate services will be required before it is used.
0
 

Author Closing Comment

by:DaveQuance
ID: 41856727
It was the only steps that helped get passed the hurdles.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

There are many software programs on offer that will claim to magically speed up your computer. The best advice I can give you is to avoid them like the plague, because they will often cause far more problems than they solve. Try some of these "do it…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question