Renew the CA Root Certificate

In one of my customers' environments, the CA root certificate is about to expire in a couple of months. By CA root certificate, I mean the CA certificate that is shown as "Certificate #0" if you right-click "Properties" in the Certification Authority MMC snap-in (apologies, please forgive my limited knowledge of certificate services).

The environment is running on Windows 2008 R2 AD.

I read this document regarding auto-renewal of certificates:
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment


I want to figure out if this root certificate would renew itself upon expiring. So I set up a lab and tested the group policies mentioned in the previous link.
However, I found that the CA root certificate didn't renew itself in my test environment.

So, my questions:
- How can I make the CA root certificate renew itself?
- In my test lab, the CA root certificate expired, but it didn't seem to have any impact on client machine login, Exchange service, etc. So, in fact, apart from issuing certificates within the domain, what else does the CA root certificate do?

TIA!!
Jimmy Vad Asked:

Mahesh (Architect) Commented:
Autoenrollment is a different feature, used to renew certificates issued by the root CA.
But with this feature you can't renew the CA root cert itself.
You need to renew it manually.
Also, when the root cert is about to expire, it means whatever certificates you already issued with this CA will also expire,
because the CA cannot issue certificates having an expiry date beyond its own cert (root cert) expiry date.
So you need to check all the certificates it issued and renew those as well.
If autoenrollment is configured for those certs, they will get renewed automatically.
Any certificates without autoenrollment must be renewed manually.
1
Jimmy Vad (Author) Commented:
Thanks for your info. So just to make sure I understand your answer correctly:
- You mean the CA root cert isn't a cert that will renew itself, so the only way to do it is to renew it manually in the Certification Authority MMC snap-in. Am I right?
- All other certificates issued by this CA will be automatically renewed as long as I have the group policies configured.

Thanks!
JV
0
Mahesh (Architect) Commented:
That's right.
Certificates issued without GPOs or with a manual request must be renewed explicitly with manual intervention.
0
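The inventory step described in the answers above (check the CA certificate's own expiry, then find what it issued that will need renewing), as an added example that is not part of the original thread. It assumes an elevated PowerShell session on the CA server itself; the 60-day window, the scratch file path and the column labels are assumptions chosen for illustration.

```powershell
# Added example: run elevated on the CA server.
# Assumption: certutil prints dates in a format that [datetime]::Parse
# accepts under the current culture of this session.
$warnDays = 60                                      # assumed review window
$caFile   = Join-Path $env:TEMP 'ca-current.cer'    # assumed scratch path

# Export the CA's current certificate and report its expiry.
certutil -f -ca.cert $caFile | Out-Null
$caCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caFile
$daysLeft = [math]::Floor(($caCert.NotAfter - (Get-Date)).TotalDays)
"CA certificate : {0}" -f $caCert.Subject
"CA expires     : {0} ({1} days left)" -f $caCert.NotAfter, $daysLeft

# Dump issued certificates (Disposition 20 = issued) from the CA database.
# The CSV header row is skipped and replaced with fixed labels so the
# script does not depend on localized column titles.
$labels = 'RequestID','Requester','CommonName','NotAfter','Template'
$issued = certutil -view -restrict 'Disposition=20' `
              -out 'RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate' csv |
          Select-Object -Skip 1 |
          ConvertFrom-Csv -Header $labels |
          Where-Object { $_.NotAfter }

# Keep certificates that are still valid but expire inside the window.
$now    = Get-Date
$cutoff = $now.AddDays($warnDays)
$expiring = foreach ($row in $issued) {
    try   { $end = [datetime]::Parse($row.NotAfter) }
    catch { Write-Warning "Unparsed date for request $($row.RequestID)"; continue }
    if ($end -gt $now -and $end -le $cutoff) {
        New-Object PSObject -Property @{
            RequestID  = $row.RequestID
            CommonName = $row.CommonName
            Requester  = $row.Requester
            Template   = $row.Template
            NotAfter   = $end
        }
    }
}

# Grouping by template makes it easier to compare the list against the
# templates that have autoenrollment configured in Group Policy.
$expiring | Sort-Object Template, NotAfter |
    Format-Table RequestID, CommonName, Requester, Template, NotAfter -AutoSize
```

Rows whose template is not covered by an autoenrollment policy are the ones the answers say must be renewed by hand.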