philjans
asked on
CERTIFICATE SERVER: All certificates have expired: how to fix that?
Hi,
New admin at this company, and we have a Windows 2008 with the server role Active Directory Certificate Services, and all certificates have expired on the 16th...
I have never used that role, so how can I fix that?
Here is a printscreen:
Probably related: I see lots of this kind of error for almost all computers:
Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 1/18/2021 7:47:52 AM
Event ID: 22
Task Category: None
Level: Error
Keywords: Classic
User: SYSTEM
Computer: RIPCA01.xxx.com
Description:
Active Directory Certificate Services could not process request 37381 due to an error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495). The request was for xxx\DANIELM-LT2$. Additional information: Error Parsing Request
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificationAuthority" Guid="{6A71D062-9AFE-4F35-AD08-52134F85DFB9}" EventSourceName="CertSvc" />
<EventID Qualifiers="49754">22</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-01-18T12:47:52.000000000Z" />
<EventRecordID>71381</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>RIPCA01.xxx.com</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="MSG_E_PROCESS_REQUEST_FAILED_WITH_INFO">
<Data Name="RequestId">37381</Data>
<Data Name="ErrorCode">A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)</Data>
<Data Name="SubjectName">xxx\DANIELM-LT2$</Data>
<Data Name="AdditionalInformation">Error Parsing Request</Data>
</EventData>
</Event>
thanks!
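Added example (not part of the original post): a Python triage of Event ID 22 records like the one quoted above, grouping failed requests by error and requester; 0x800b0101 is the HRESULT CERT_E_EXPIRED. The helper `make_event`, the host `SAMPLE-PC7` and request IDs 37382 and 37383 are constructed; only the first sample event carries values from the post.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CA_PROVIDER = "Microsoft-Windows-CertificationAuthority"
KNOWN_HRESULTS = {0x800B0101: "CERT_E_EXPIRED"}  # the code shown in the post

def make_event(event_id, request_id, subject, error):
    """Build a trimmed Event element holding only the fields this triage reads."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{CA_PROVIDER}"/>'
            f'<EventID Qualifiers="49754">{event_id}</EventID></System><EventData>'
            f'<Data Name="RequestId">{request_id}</Data><Data Name="ErrorCode">{error}</Data>'
            f'<Data Name="SubjectName">{subject}</Data></EventData></Event>')

# First event: values from the post (message text shortened). Others: constructed.
EXPIRED = "A required certificate is not within its validity period. 0x800b0101 (-2146762495)"
SAMPLE = "".join([
    make_event(22, 37381, r"xxx\DANIELM-LT2$", EXPIRED),
    make_event(22, 37382, r"xxx\SAMPLE-PC7$", EXPIRED),    # constructed
    make_event(22, 37383, r"xxx\DANIELM-LT2$", EXPIRED),   # constructed retry
    make_event(100, 0, "n/a", "unrelated CertSvc event"),  # constructed, filtered out
])

def parse_failures(xml_text):
    """Return one dict per CertSvc Event ID 22 in concatenated <Event> XML."""
    root = ET.fromstring(f"<Events>{xml_text}</Events>")
    failures = []
    for ev in root.findall("e:Event", NS):
        provider = ev.find("e:System/e:Provider", NS)
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if provider is None or provider.get("Name") != CA_PROVIDER or event_id.strip() != "22":
            continue
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        m = re.search(r"0x([0-9a-fA-F]{8})", data.get("ErrorCode", ""))
        error = KNOWN_HRESULTS.get(int(m.group(1), 16), "UNKNOWN") if m else "UNKNOWN"
        failures.append({"request_id": int(data.get("RequestId", "0")),
                         "subject": data.get("SubjectName", ""), "error": error})
    return failures

def summarize(failures):
    """Map error name -> sorted distinct requesters that hit it."""
    by_error = defaultdict(set)
    for f in failures:
        by_error[f["error"]].add(f["subject"])
    return {name: sorted(subjects) for name, subjects in by_error.items()}

if __name__ == "__main__":
    print(summarize(parse_failures(SAMPLE)))
```

When every requester fails with the same validity-period error, check the CA's own certificate and the server clock before troubleshooting individual clients.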
This article https://www.experts-exchange.com/articles/32336/CA-Validity-Period-Extension-and-CA-Certificate-Renewal-Process.html
should help you fix that...
ASKER
Scott Silva that's an excellent doc to learn everything there is to know about this topic. I have started reading it.
But before I become an expert in it, it will take time, so if you have any idea of a quick checkup/fix, let me know.
ASKER
The GUI renew procedure wasn't working, so I found this, which worked:
Submit the Request and Issue Fabrikam Issuing CA Certificate
To submit the certificate request and issue the requested certificate:
- Ensure that you are logged on to CA01 as CA01\Administrator. Place the removable media with the certificate request into CA01.
- On CA01, open an administrative command prompt. Then, submit the request using the following command (assuming that A:\ is your removable media drive letter):
- certreq -submit "A:\CA02.fabrikam.com_Fabrikam Issuing CA.req"
- Note: Pay attention to the RequestID number that is displayed after you submit the request. You will use this number when retrieving the certificate.
- In the Certification Authority List dialog box, ensure that Fabrikam Root CA is selected and then click OK.
- Open the Certification Authority console. To do so, click Start, click Administrative Tools, click Certification Authority.
- In the certsrv [Certification Authority (Local)] dialog box, in the console tree, expand Fabrikam Root CA.
- Click Pending Requests. In the details pane, right-click the request you just submitted, click All Tasks, and then click Issue.
- Return to the administrative command prompt to accept the issued certificate by running the following command. Ensure that you substitute the appropriate drive letter of your removable media for A: as well as the correct RequestID for 2:
- certreq -retrieve 2 "A:\CA02.fabrikam.com_Fabrikam Issuing CA.crt"
- In the Certification Authority List dialog box, ensure that Fabrikam Root CA is selected and then click OK.
Install the Fabrikam Issuing CA Certificate on CA02
To install the certificate and start the Certification Authority service on CA02:
- Ensure that you are logged on to CA02.fabrikam.com as Fabrikam\Administrator. Place the removable media with the issued certificate for CA02.fabrikam.com into CA02.
- Open the Certification Authority console.
- In the Certification Authority console tree, right-click Fabrikam Issuing CA, and then click Install CA Certificate.
- In the Select file to complete CA installation, navigate to your removable media. Ensure that you are displaying All Files (*.*) and click the CA02.fabrikam.com_Fabrikam Issuing CA certificate. Click Open.
- In the console tree, right-click Fabrikam Issuing CA, click All Tasks, and then click Start Service.
- In the console tree, expand Fabrikam Issuing CA and then click Certificate Templates. Notice there are no certificates shown in the details pane. This is because the CAPolicy.inf specified not to install the default templates in the line LoadDefaultTemplates=0.
Now it is working. Thanks for the help!
ASKER
Just to let you know:
The DeltaCRL Location 1 does get auto-renewed. I read about that and I also experienced it on my server.
And I wasn't sure about CDP Location 1 under the Issuing-CA01, but it, too, auto-renews. It was expiring on Jan 26th and now the expiration date is Feb 02, so something makes it auto-renew.
So my CA for Issuing-CA01 is expiring, and really expiring, on Jan 18 2023, so I put a reminder for that one.