We have an AD environment that a previous tech set up with PKI. The enterprise CA cert is going to expire soon, and when trying to renew it we get an error that looks something like this:
The certificate template renewal period is longer than the certificate validity period. The template should be reconfigured or the CA certificate renewed.
All attempts to locate the root CA, which was taken offline, have been unsuccessful so we have a couple of main questions:
1) What happens when the cert expires and we haven't addressed this?
2) What steps can be taken to deal with this in the event we can't find the root CA?
Thanks in advance!
1) If a root CA expires then all derived certificates will expire... all servers, etc. etc. will distrust the master certificate. (In AD that probably means the Domain going down).
2) All certificates are created from a template (which supplies a lot of field values, so you don't have to type them, or can accept the default); at least it works like that in openssl, so why not in later-built systems.
Your error message tells you the template has a date in it which is well before the end of validity, i.e. creating a certificate that would be expired immediately, so such a certificate would make no sense. Check the templates for issues around the date.
BTW, for CA certificates it is quite normal to have a 10-year life span. Also use the same key as was used before; then all current certificates will stay valid (if you can, also the serial number; in effect you want the same certificate with new end dates). Another thing can be the hash algorithm: SHA-1 was used a lot, and is now INVALID (yesterday a collision attack was published: "SHA-1 is a Shambles"; it has been announced deprecated for a while now).
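To put the answer's advice into a concrete check, here is an added PowerShell example (not code from the thread or from Microsoft) that reads the enterprise CA certificate and its published templates out of Active Directory, and flags any template whose renewal or validity period is longer than the time left on the CA certificate, which is the condition the error message describes. The CA common name `ENTERPRISE-CA` is a placeholder, and the script assumes a domain-joined host with the ActiveDirectory module.

```powershell
# Added example, not from the original thread: compare the enterprise CA certificate's
# remaining lifetime against the validity and renewal-overlap periods of every template
# published on that CA, to find the template(s) behind the renewal error.
# Assumptions (placeholders, not from the thread): the CA's common name is 'ENTERPRISE-CA',
# the script runs on a domain-joined host with the ActiveDirectory module installed,
# and the account can read the Configuration partition (any authenticated user can).

Import-Module ActiveDirectory

$CaCommonName = 'ENTERPRISE-CA'   # placeholder: replace with your CA's common name

# AD stores pKIExpirationPeriod / pKIOverlapPeriod as 8-byte negative 100 ns intervals.
function Convert-PkiPeriodToDays {
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -ne 8) { return $null }
    $ticks = [System.BitConverter]::ToInt64($Bytes, 0)
    return [math]::Round((-$ticks) / 864000000000.0, 2)   # 8.64e11 intervals per day
}

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. The enterprise CA is registered as a pKIEnrollmentService object; it carries the
#    CA certificate and the list of templates it publishes.
$caObj = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter "(&(objectClass=pKIEnrollmentService)(cn=$CaCommonName))" `
    -Properties cACertificate, certificateTemplates
if ($null -eq $caObj) { throw "No enrollment service named '$CaCommonName' found in AD." }

# cACertificate is multi-valued; take the first DER blob whichever shape it comes back in.
$raw = $caObj.cACertificate
$der = if ($raw -is [byte[]]) { $raw } else { [byte[]]$raw[0] }
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
$caRemainingDays = [math]::Round(($caCert.NotAfter - (Get-Date)).TotalDays, 2)

$summary = "CA '{0}' expires {1:u} ({2} days left), signature algorithm {3}" -f `
    $caCert.Subject, $caCert.NotAfter, $caRemainingDays, $caCert.SignatureAlgorithm.FriendlyName
Write-Host $summary   # a SHA-1 signature here is the second problem the answer raises

# 2. Pull every template and keep the ones this CA publishes.
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, pKIExpirationPeriod, pKIOverlapPeriod

$report = foreach ($t in $templates) {
    if ($caObj.certificateTemplates -notcontains $t.Name) { continue }
    $validity = Convert-PkiPeriodToDays $t.pKIExpirationPeriod
    $overlap  = Convert-PkiPeriodToDays $t.pKIOverlapPeriod
    [pscustomobject]@{
        Template          = $t.displayName
        ValidityDays      = $validity
        RenewalDays       = $overlap
        # Renewal period longer than what is left on the CA cert: the error in the question.
        RenewalExceedsCA  = ($null -ne $overlap)  -and ($overlap  -gt $caRemainingDays)
        # Validity longer than what is left: issued certs get cut short at the CA's NotAfter.
        ValidityExceedsCA = ($null -ne $validity) -and ($validity -gt $caRemainingDays)
    }
}

$report | Sort-Object RenewalExceedsCA, ValidityExceedsCA -Descending | Format-Table -AutoSize

# 3. Remediation sketch (run on the CA itself, as an administrator), matching the answer's
#    "use the same key" advice:
#    certutil -renewCert ReuseKeys       -> builds a renewal request that keeps the existing
#                                           key pair; the parent (root) CA must sign it, and
#                                           keeping the key is what lets already-issued
#                                           certificates keep chaining to the new CA cert.
#    certutil -getreg CA\ValidityPeriodUnits -> the CA's own cap on issued-certificate lifetime.
```

Templates flagged `RenewalExceedsCA` are the ones to shorten (or leave alone until the CA certificate has been renewed, at which point the comparison clears itself); templates flagged `ValidityExceedsCA` will still issue, but every certificate they produce is silently truncated to the CA's `NotAfter`, which is worth knowing before the expiry date arrives.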