AD Enterprise CA certificate expiring and unable to renew

Alexander Insley asked:
We have an AD environment that a previous tech set up with PKI. The enterprise CA cert is going to expire soon, and when trying to renew it we get an error that looks something like this:

The certificate template renewal period is longer than the certificate validity period. The template should be reconfigured or the CA certificate renewed.

All attempts to locate the root CA, which was taken offline, have been unsuccessful so we have a couple of main questions:

1) what happens when the cert expires and we haven't addressed this?
2) what steps can be taken to deal with this in the event we can't find the root CA?

Thanks in advance!

noci (Software Engineer, Distinguished Expert 2018) commented:
First, I have no experience with Windows systems...

1) If a root CA expires then all derived certificates will expire... all servers, etc. will distrust the master certificate. (In AD that probably means the domain going down.)

2) All certificates are created from a template (which tells a lot of field values, so you don't have to type them, or can accept the default); at least it works like that in OpenSSL, so why not in later-built systems.
Your error message tells you the template has a date in it which is well before the end of validity, i.e. creating a certificate that would be expired immediately, so such a certificate would make no sense. Check the templates for issues around the date.

BTW, for CA certificates it is quite normal to have a 10-year life span. Also use the same key as was used before; then all current certificates will stay valid (if you can, also the serial number; in effect you want the same certificate with new end dates). Another thing can be the hash algorithm: SHA-1 was used a lot, and is now INVALID (yesterday a collision attack was published: "SHA-1 is a shambles"; it has been announced deprecated for a while now).

Peter Hutchison (Senior Network Systems Specialist) commented:
If you view the CA root certificate, it will display the name of the server in the list of CRL (certificate revocation list) locations. See the Details tab of the CA certificate properties and look for the CRL Distribution Points entry:
URL=ldap:///CN=CAName,CN=servername,CN=CDP, ...

Log on to the server; it can be a member server or even a DC with the Active Directory Certificate Services (ADCS) role installed.

Renew CA Certificate:
https://www.youtube.com/watch?v=Q-1Y1ZI9R6k

If the CA server is still using SHA1 certs then it will need updating to use SHA256:
https://support.symantec.com/us/en/article.tech246255.html
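The check described above can be scripted rather than done certificate by certificate in the Details tab. The following PowerShell is an added example and not code from the thread or from any of the linked articles: it walks the local machine's Root and Intermediate CA stores, pulls each certificate's CRL Distribution Points extension, reads the CA host's short name out of the LDAP path (for the subordinate CA's certificate that is the root CA's server), and flags certificates that are close to expiry or still signed with SHA-1 or MD5, which covers both the expiry and the SHA-1 concerns raised in this thread. The 90-day warning window is an assumption.

```powershell
# Added example (not from the thread): inventory CA certificates in the local
# machine's Root and Intermediate CA stores, read the server name out of each
# certificate's LDAP CRL Distribution Point, and flag certificates that are
# close to expiry or still signed with SHA-1/MD5.
function Get-CaCertHealth {
    param(
        # Assumption: warn this many days before NotAfter
        [int]$WarnDays = 90
    )

    $now    = Get-Date
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

    foreach ($cert in (Get-ChildItem -Path $stores)) {
        # OID 2.5.29.31 is the CRL Distribution Points extension. Format($true)
        # renders it as text containing lines such as:
        #   URL=ldap:///CN=CAName,CN=servername,CN=CDP,...
        $cdpExt    = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $cdpUrls   = @()
        $cdpServer = $null
        if ($cdpExt) {
            $text    = $cdpExt.Format($true)
            $cdpUrls = [regex]::Matches($text, 'URL=(\S+)') |
                ForEach-Object { [uri]::UnescapeDataString($_.Groups[1].Value) }

            # In an ADCS LDAP CDP path the second CN is the CA host's short name:
            # CN=<CA name>,CN=<server name>,CN=CDP,...
            foreach ($u in $cdpUrls) {
                if ($u -match '^ldap:///CN=[^,]+,CN=([^,]+),CN=CDP,') {
                    $cdpServer = $Matches[1]
                    break
                }
            }
        }

        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        $sigAlg   = $cert.SignatureAlgorithm.FriendlyName
        # Basic Constraints with CA=TRUE marks an issuing certificate.
        $isCa = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
            $_.CertificateAuthority
        }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            IsCA         = [bool]$isCa
            NotAfter     = $cert.NotAfter
            DaysLeft     = $daysLeft
            Expiring     = ($daysLeft -le $WarnDays)
            WeakHash     = ($sigAlg -match '^(sha1|md5)')
            SignatureAlg = $sigAlg
            CdpServer    = $cdpServer
            CdpUrls      = ($cdpUrls -join '; ')
            Thumbprint   = $cert.Thumbprint
        }
    }
}

# Report CA certificates only, soonest expiry first.
Get-CaCertHealth -WarnDays 90 |
    Where-Object { $_.IsCA } |
    Sort-Object DaysLeft |
    Format-Table Subject, DaysLeft, Expiring, WeakHash, SignatureAlg, CdpServer -AutoSize
```

Run it in an elevated PowerShell session on a domain-joined host. A self-signed root normally carries no CDP, so CdpServer is empty for it; the subordinate CA's certificate is the one whose CdpServer names the (possibly long-forgotten) root CA host. Any row with Expiring or WeakHash set to True is a certificate that needs a renewal plan before it becomes an outage.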

Mahesh (Architect, Distinguished Expert 2018) commented:
If you can't find the root CA, then your subordinate CA will expire and you need to build a new AD-integrated CA.

If you are sure that you won't get offline root CA stress, build a new enterprise CA now and start enrolling new certs from now on to mitigate the impact.

Alexander Insley (Author, Senior Network & Systems Tech) commented:
So when you say build new enterprise CA, do you mean:

1) create new root CA
2) create new subordinate CA(s)
3) issue new certs

?

Alexander Insley (Author, Senior Network & Systems Tech) commented:
Or can you create a new root authority and then issue new certs to your existing subordinates?

Mahesh (Architect, Distinguished Expert 2018) commented:
You can either create a single enterprise root CA (AD-integrated CA),
OR
you can create a new standalone offline root CA and issue a new subordinate cert to the current sub CA, and it will further issue to clients (I have not tested this, but test it; it should work),
OR
you can set up a new standalone offline root CA and a new sub CA.

Alexander Insley (Author, Senior Network & Systems Tech) commented:
We are considering all 3 options and we are thinking about trying the new standalone offline root CA first. I have questions:

- Do you think this has the greatest chance for success? Or do you think the first option (single enterprise root CA, AD-integrated CA) would be better?
- Once we build the root CA (found these instructions: https://stealthpuppy.com/deploy-enterprise-root-certificate-authority/), how do we make the existing enterprise CA start using the new cert from the new root CA?
- Do we have to create the new root CA with the same exact system name as the old one, or can we use a new one?

Mahesh (Architect, Distinguished Expert 2018) commented:
An AD-integrated enterprise single root CA is always preferable compared to an offline CA from a maintenance and simplicity standpoint; however, you need to work on / create all the custom templates which you have on the current sub CA.

If you build a new standalone root CA with the same hostname and CA name (not mandatory, but for convenience), then install the root certificate under AD, generate a new CSR from the sub CA and submit it to this root CA.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/daa16e28-4bb2-4d18-b0b7-54dcc2178c6c/correct-way-to-install-new-cert-for-subordinate-ca?forum=winserversecurity
OR
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWOCA0

Mahesh (Architect, Distinguished Expert 2018) commented:
If you create a new standalone offline root CA, then you also need to work on the CDP and AIA points, which are very crucial.

You may refer to the article below for the same:
https://www.experts-exchange.com/articles/32336/CA-Validity-Period-Extension-and-CA-Certificate-Renewal-Process.html

Alexander Insley (Author, Senior Network & Systems Tech) commented:
I also believe the current offline root CA (Windows Server 2008 R2) is using SHA-1; do we need to preserve this to avoid issues?

Alexander Insley (Author, Senior Network & Systems Tech) commented:
Suppose we go with the AD-integrated option (which you seem to recommend over a new offline root CA). How do we go about getting resources on the network to start using that certificate server (once built) instead of the existing one with the certificate that is going to expire? Does it just automatically take over once it presents itself on the network?

Mahesh (Architect, Distinguished Expert 2018) commented:
An AD-integrated CA will be automatically published to all clients and servers, and you just need to create / choose the appropriate certificate templates; maybe you can use the template autoenrollment feature.

SHA1 should not be the problem for an internal root CA certificate; however, you can even build a new offline root CA with SHA 256.

You need to publish the new offline root CA certificate to AD;
refer to the article in the last comment.

Mahesh (Architect, Distinguished Expert 2018) commented:
Better you deploy a new SHA 256 offline root CA; then it will issue the sub CA cert with SHA 256 only.

If you build with SHA1, then you need to make a little config change and ensure that the cert it issues will be with SHA 256.

Alexander Insley (Author, Senior Network & Systems Tech) commented:
How would one go about creating/choosing certificate templates? Would I need to log into the existing subordinate and review the templates currently in use?

Also, if we proceed with the new offline root CA, let me see if I have a handle on the steps required:

1) Create a new server (workgroup) and install certificate services (using this article: https://stealthpuppy.com/deploy-enterprise-root-certificate-authority/)
2) Update CRL and AIA info with the FQDN of the new server
3) Publish the root CA certificate to AD
4) Generate a CSR on the existing enterprise CA, create the cert on the root CA, then install it on the existing enterprise CA

Mahesh (Architect, Distinguished Expert 2018) commented:
Yes, you are right on the above plan.

Alexander Insley (Author, Senior Network & Systems Tech) commented:
Thank you Mahesh! At the moment, I am most anxious about the CRL/AIA portion, so we'll see how that goes and I will update the thread.

Mahesh (Architect, Distinguished Expert 2018) commented:
The article posted earlier has clear info on the same.

Alexander Insley (Author, Senior Network & Systems Tech) commented:
Another question: do you have a good article on how to publish the offline root CA certificate to AD?

noci (Software Engineer, Distinguished Expert 2018) commented:
SHA1 is really obsolete for certificates and stuff that is stored for long times.
(A collision attack to be able to create duplicates only takes up to USD 10K, so if someone thinks they can take over your systems and get more from you than the 10K investment, a certificate with SHA1 will not protect you.)

So SHA256 or better hashes are needed. For datacom, SHA1 can still be used, as there one needs a collision for each packet. That is still too expensive.

Alexander Insley (Author, Senior Network & Systems Tech) commented:
Mahesh,

With regard to the CRL/CDP/AIA portion, I find this to be quite confusing and am worried about doing this part properly.

- Do we absolutely have to do this part?
- If so, do you have specific steps I can follow? If in an article (perhaps this one: https://www.experts-exchange.com/articles/32336/CA-Validity-Period-Extension-and-CA-Certificate-Renewal-Process.html), can you outline exactly which section/steps we need to follow?
- With regard to publishing the root CA to AD, I found an article (see https://michaelpoore.com/2016/03/howto-publishing-offline-root-ca-certs-and-crls/) that states you need to copy over CER and CRL files; is that right?

Mahesh (Architect, Distinguished Expert 2018) commented:
Step 1.3 – Configure AIA and CDP Extensions

Step 1.4 – Publish Root CA Certificate and CRL to Active Directory

The above two sections and their subsections provide you all the information to publish the root cert and CRL to AD for a standalone root CA.

You are right that you need to copy the CRL and certificate file manually.

Alexander Insley (Author, Senior Network & Systems Tech) commented:
I also have this article that walks through some of the CRL/AIA steps:

https://stealthpuppy.com/deploy-enterprise-root-certificate-authority/

Do these steps cover what needs to be done as well?

Mahesh (Architect, Distinguished Expert 2018) commented:
Both articles have the same steps, but your article is missing the steps for the AIA part; it only talks about CDP/CRL.

Alexander Insley (Author, Senior Network & Systems Tech) commented:
Mahesh,

We are working through the process and I am stuck on this part in the instructions (section 1.3.2.2), as I don't know if we need the "delta CRL allowed" part. We have already added the URL for the CDP; do we need to add another one using some kind of different syntax?

Alexander Insley (Author, Senior Network & Systems Tech) commented:
So I believe we have set up a new root CA and now need to generate a new sub CA certificate for the existing sub CA. How do I do this? Help!

Alexander Insley (Author, Senior Network & Systems Tech) commented:
Or can I just renew and submit the request to the new root CA?

noci (Software Engineer, Distinguished Expert 2018) commented:
If your new root CA is in the trusted store of ALL systems, I don't see why it couldn't, from a certificate point of view.
One just needs a valid chain to a trust anchor (the CA certificate being trusted).
(I have no experience on Windows systems though.)

Mahesh (Architect, Distinguished Expert 2018) commented:
Delta CRL only exists with AD-integrated CA servers, and hence that step is needed on the sub CA server.

To generate the CSR, use the steps under the heading "Option 1 – When the issuer is a Standalone Root CA" in the same article.

To submit the CSR to the root CA, open the root CA URL on the sub CA machine and supply it, then approve it on the root CA server and download the certificate on the sub CA server; for that use the Palo Alto article mentioned in the 1st comment:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWOCA0
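The four-step plan the author laid out earlier (build the standalone root, set CDP/AIA, publish the root certificate and CRL to AD, then re-issue the sub CA certificate), together with the delta CRL question and the submit/approve/retrieve sequence just described, can be driven entirely from certutil and certreq. The following PowerShell is an added example, not code from the thread or from the linked articles, and it uses certreq on the root's console instead of the web enrollment page. Every host name, CA name, URL and file name in it is a placeholder (ROOTCA / "Corp Root CA", SUBCA / "Corp Sub CA", pki.corp.example.com, rootca.crt, subca.req); the CRL lifetime, the 10-year validity cap and the use of HTTP-only CDP/AIA locations are assumptions a practitioner would adjust.

```powershell
# Added example (not from the thread): CDP/AIA configuration, publication to AD,
# and sub CA re-issuance as certutil/certreq commands. Names are placeholders.
# Sections marked ROOT run on the offline standalone root CA, DOMAIN on any
# domain-joined admin host, SUB on the existing enterprise (subordinate) CA.
# Files are moved between ROOT and the domain by removable media.

# ---- ROOT: publication locations and CRL behaviour --------------------------
# Tokens: %1 server DNS name, %3 CA name, %4 certificate renewal index,
# %8 CRL name suffix, %9 delta CRL suffix (stays empty: no delta CRLs here).
# Flags: 1 = publish to this location, 2 = include URL in issued certificates.
# A literal "\n" separates entries for certutil.
$httpBase = 'http://pki.corp.example.com/CertEnroll'          # placeholder
$local    = "$env:windir\system32\CertSrv\CertEnroll"

certutil -setreg CA\CRLPublicationURLs    "1:$local\%3%8%9.crl\n2:$httpBase/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:$httpBase/%1_%3%4.crt"

certutil -setreg CA\CRLDeltaPeriodUnits 0       # a standalone root issues no delta CRLs
certutil -setreg CA\CRLPeriodUnits 26           # assumption: base CRL valid 26 weeks
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\ValidityPeriodUnits 10      # assumption: issued (sub CA) certs max 10 years
certutil -setreg CA\ValidityPeriod "Years"

Restart-Service CertSvc
certutil -crl                                   # write a fresh CRL to $local
Get-ChildItem "$local\*.crt", "$local\*.crl"    # files to carry to the domain

# ---- DOMAIN: publish root certificate and CRL -------------------------------
# "RootCA" as the last argument puts the certificate into both the
# Certification Authorities and the NTAuth-independent trusted root container;
# the CRL lands in the CDP container. -f overwrites an existing object.
certutil -dspublish -f .\rootca.crt RootCA
certutil -dspublish -f .\rootca.crl
# Also copy both files to the web server folder that serves $httpBase.
Copy-Item .\rootca.crt, .\rootca.crl -Destination '\\pki\CertEnroll\'   # placeholder share
# Domain members pick the root up with Group Policy; force it on a test client:
gpupdate /force
certutil -pulse

# ---- SUB: renewal request for the existing enterprise CA --------------------
# Command-line equivalent of the MMC "Renew CA Certificate" action. ReuseKeys
# keeps the current key pair so certificates the sub CA already issued still
# chain correctly. With no parent CA given, the request file is written to
# CertEnroll for manual transport.
certutil -renewCert ReuseKeys
$req = Get-ChildItem "$local\*.req" | Sort-Object LastWriteTime -Descending | Select-Object -First 1
Copy-Item $req.FullName .\subca.req           # carry this file to ROOT

# ---- ROOT: issue the sub CA certificate -------------------------------------
$config = 'ROOTCA\Corp Root CA'               # placeholder "host\CA name"
$out = certreq -submit -config $config .\subca.req
# A standalone root holds requests as pending; the RequestId is in the output.
$id = ([regex]'RequestId:\s*(\d+)').Match(($out -join "`n")).Groups[1].Value
certutil -resubmit $id                        # issue the pending request
certreq -retrieve -config $config $id .\subca.cer   # carry subca.cer back to SUB

# ---- SUB: install the new CA certificate and verify -------------------------
certutil -installCert .\subca.cer
Restart-Service CertSvc
# -urlfetch builds the chain to the new root and fetches every CDP/AIA URL in
# subca.cer; a failure here is exactly the outage the CDP/AIA step prevents.
certutil -verify -urlfetch .\subca.cer
```

The check at the end is the important part: `certutil -verify -urlfetch` will report any CDP or AIA URL that cannot be retrieved, so run it from a client as well as from the sub CA itself. If the root has been configured to issue automatically rather than hold requests, `certutil -resubmit` will complain that the request is already issued; in that case go straight to `certreq -retrieve`.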

Alexander Insley (Author, Senior Network & Systems Tech) commented:
I believe we managed to get the SubCA certificate renewed successfully (or issued a new cert) so that is working. What we are running into now is issues with SCCM. We imported the new Root CA certificate in site configuration but several functions (e.g., pushing apps, updates) are failing. Any insight as to why this might be?

Mahesh (Architect, Distinguished Expert 2018) commented:
I don't see how SCCM needs a certificate for pushing updates etc.; it must be a different issue.

Alexander Insley (Author, Senior Network & Systems Tech) commented:
Thanks everyone!