Renew the CA Root Certificate

In one of my customer's environments, the CA root certificate is about to expire in a couple of months.  By CA root certificate, I mean that if you right-click "Properties" in the Certification Authority MMC snap-in, it is the CA certificate that is shown as "Certificate #0" (apologies, please forgive my limited knowledge of certificate services).

The environment is running in Windows 2008R2 AD.

I read this document regarding auto-renewal of certificates:
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment


I want to figure out if this root certificate would renew itself upon expiring. So I set up a lab and tested the group policies mentioned in the previous link.
However, I found that the CA root certificate didn't renew itself in my test environment.

So, my questions:
- How do I make the CA root certificate renew itself?
- In my test lab, the CA root certificate expired, but it didn't seem to have any impact on client machine login, Exchange service, etc. So, in fact, apart from issuing certificates within the domain, what else does the CA root certificate do?

TIA!!
Jimmy Vad Asked:
 
Mahesh (Architect) Commented:
Autoenrollment is a different feature, used to renew certificates issued by the root CA.
But with this feature you can't renew the CA root cert itself.
You need to renew it manually.
Also, when the root cert is about to expire, it means whatever certificates you already issued with this CA will also expire,
because a CA cannot issue certificates with an expiry date beyond its own cert's (root cert) expiry date.
So you need to check all the certificates it issued and renew those as well.
If autoenrollment is configured for those certs, they will get renewed automatically.
Any certificates without autoenrollment must be renewed manually.
1
 
Jimmy Vad (Author) Commented:
Thanks for your info.  So just to make sure I understand your answer correctly:
- You mean the CA root cert isn't a cert that will renew itself, so the only way to do it is to renew it manually in the Certificate Authority MMC snap-in.  Am I right?
- For all other certificates issued by this CA, they will be automatically renewed as long as I have the group policies configured.

Thanks!
JV
0
 
Mahesh (Architect) Commented:
That's right.
Certificates issued without GPOs or with a manual request must be renewed explicitly with manual intervention.
0
Question has a verified solution.
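
The accepted answer says to check every certificate the CA has issued and to separate those covered by autoenrollment from those that need manual renewal. One way to build that list on the CA server is sketched below, as an added example that is not part of the original thread; the export path and the template names in `$autoEnrolled` are assumptions to replace with your own.

```powershell
# Added example: run in an elevated PowerShell session on the CA server.
# Assumptions (not from the thread): the export path and the template names.
$caCertPath   = 'C:\Temp\ca-cert.cer'             # hypothetical export path
$autoEnrolled = @('Machine', 'DomainController')  # hypothetical: templates your GPO autoenrolls

# Export the CA's current certificate and read its expiry date.
certutil -f -ca.cert $caCertPath | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertPath
$caEnd  = $caCert.NotAfter

# Dump issued certificates (Disposition 20 = issued) from the CA database as CSV.
# The header row is skipped and replaced so the script does not depend on
# localized column titles.
$cols   = 'RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate'
$issued = certutil -view -restrict 'Disposition=20' -out $cols csv |
    Where-Object { $_ } |
    Select-Object -Skip 1 |
    ConvertFrom-Csv -Header RequestID, Requester, CommonName, NotAfter, Template

$now     = Get-Date
$pattern = ($autoEnrolled | ForEach-Object { [regex]::Escape($_) }) -join '|'

$worklist = foreach ($row in $issued) {
    $end = [datetime]::MinValue
    # Dates are parsed with the current culture, which is what certutil prints in.
    if (-not [datetime]::TryParse($row.NotAfter, [ref]$end)) { continue }
    if ($end -le $now) { continue }               # already expired, nothing to renew

    $renewal = 'manual'
    if ($row.Template -match $pattern) { $renewal = 'autoenroll' }

    New-Object PSObject -Property @{
        RequestID  = $row.RequestID
        CommonName = $row.CommonName
        Template   = $row.Template
        NotAfter   = $end
        # True when validity was cut off at the CA's own expiry. One minute of
        # tolerance is an assumption, since the CSV date may omit seconds.
        EndsWithCA = (($caEnd - $end).TotalMinutes -lt 1)
        Renewal    = $renewal
    }
}

"CA certificate expires: $caEnd"
$worklist | Sort-Object NotAfter |
    Format-Table RequestID, CommonName, Template, NotAfter, EndsWithCA, Renewal -AutoSize |
    Out-String
$worklist | Group-Object Renewal | Select-Object Name, Count | Out-String
```

Rows marked `manual` are the ones nobody will renew unless someone does it by hand; rows with `EndsWithCA` set to `True` received a shorter lifetime than their template requests because the CA certificate itself expires first.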