Claude_Cardinal

Windows 2008 CA certificate to expire with renew CA certificate already exist

I just created a new certificate for my tech for a website, and he just emailed me that my Windows 2008 CA root certificate will expire in two weeks, even though the certificate for the website is valid for 2021. For sure now the certificate that I have created for him will expire in two weeks because of the root certificate expiring.

I have two Windows CA root certificates already in use the same year. I got:

Certificate #0 started in 11-25-2014 to 11-25-2019 expires in two weeks

and Certificate #1.0 started in 11-25-2014 to 11-25-2024

It looks like the certificate I made for my tech is referencing certificate #0.

How can I create a certificate that will be issued with Certificate #1 for my tech?

I tried to renew the root certificate by going to the certificate of my Windows server CA by doing:

1. mmc
2. Install the Certificates snap-in
3. Go to Personal --> Certificates and right-click on the certificate that relates to certificate #0
4. All Tasks -> Advanced Operations -> renew the certificate with the same key

When I did that I got an error.

I tried to put my CA server as the computer that has rights to enroll and it still did not work.

How should I go about this?

Thank you for your help.
arnold

I do not understand what you are after.
When you renew the certificate did you use the same key or a new key?


You should go through the Certificate Authority interface.
Go to http://CAservername/Certsrv

You need to add the new public certificate to the GPO.

Usually, the new certificate should be issued with the new CA certificate and valid through 2024.

Recheck whether the new cert has propagated.
Claude_Cardinal

ASKER

Hello Arnold, sorry for not being clear enough.

When I issued the certificate for my tech for the website, he saw that my Windows 2008 CA root certificate was expiring in two weeks, to my surprise. So I went to check in the Windows CA interface (mmc) and saw two certificates that were created the same day.

I got Certificate #0, which expires on November 25, 2019,
and Certificate #1, which expires on November 25, 2024.

It looks like the old sysadmin renewed the root certificate a second time the same day.

The issue is that when I issued the certificate for my tech for the web server, the certificate is valid for 2021 but he sees that the root certificate will expire in two weeks.

My question is why the issued certificate is using certificate #0 instead of certificate #1.

The second question is what the best practice is when renewing a root certificate: reuse the key pair or renew it, and what effect will it bring to my server and clients?

For example, if I renew the key pair, would I need to send new certs for every server whose certs have not yet expired?

For more clarification you can view this post:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/b2df4d20-abab-44d1-8a89-386f581bb727/windows-2008-ca-certificate-to-expire-with-renew-ca-certificate-already-exist?forum=winserversecurity
ASKER CERTIFIED SOLUTION
arnold

This solution is only available to members.

The tech is using a Linux server with Apache. Like you said, it's not part of the Windows domain. I sent him the root certificate and it works now.

I did a test on a WSUS server that we use and renewed the certificate, and I see the certificate path relates to the certificate #1 that expires in 2024 and the certificate for my WSUS server in 2021.

Two things happened. First, I did understand the way our Windows CA was set up, but now I understand that the old admin renewed the certificate the same day, which is why I have Certificate #0 and Certificate #1. The other is that I forgot to mention that my tech was using a Linux machine.

Thx for your help. Really appreciate it.
Thank you for everything.
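
The situation in this thread, reproduced with throwaway certificates as an added example (not posted by either participant). It assumes the CA certificate was renewed with the same key pair, in which case an issued certificate verifies against both certificate #0 and certificate #1, so the root expiry a non-domain client such as the Linux/Apache host reports depends on which CA certificate it has installed. All subjects, file names and lifetimes are constructed.

```shell
#!/bin/sh
# Added example. Subjects, file names and lifetimes below are constructed.

# If leaf certificate $2 verifies against CA certificate $1, print that CA
# certificate's expiry date (notAfter); otherwise return non-zero.
ca_expiry_if_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Build a throwaway CA with two certificates over ONE key pair (assumption:
# the renewal reused the key): ca0.pem is about to expire, ca1.pem is the
# renewed one. web.pem is a server certificate signed with that key.
# Prints the directory that holds the files.
make_demo_pki() {
    d=$(mktemp -d) || return 1
    {
        openssl genrsa -out "$d/ca.key" 2048 &&
        openssl req -x509 -new -key "$d/ca.key" -subj "/CN=Demo Root CA" \
            -days 14 -out "$d/ca0.pem" &&
        openssl req -x509 -new -key "$d/ca.key" -subj "/CN=Demo Root CA" \
            -days 1825 -out "$d/ca1.pem" &&
        openssl genrsa -out "$d/web.key" 2048 &&
        openssl req -new -key "$d/web.key" -subj "/CN=www.example.test" \
            -out "$d/web.csr" &&
        openssl x509 -req -in "$d/web.csr" -CA "$d/ca1.pem" \
            -CAkey "$d/ca.key" -CAcreateserial -days 365 -out "$d/web.pem"
    } >/dev/null 2>&1 || return 1
    printf '%s\n' "$d"
}

# Check the same server certificate against each CA certificate in turn.
pki=$(make_demo_pki) || exit 1
for ca in ca0.pem ca1.pem; do
    exp=$(ca_expiry_if_trusted "$pki/$ca" "$pki/web.pem") || exp="does not chain"
    echo "web.pem against $ca: CA certificate expires $exp"
done
```

On a real host, point `ca_expiry_if_trusted` at the CA certificate the client actually has installed and at the issued server certificate to see which expiry date that client will report.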