MNESupport asked:

Replacing CA Servers with expired Certificate

We are looking to replace/upgrade our existing Windows Server 2008 R2 Certificate Authority servers. There is the root server, which is non-domain-joined, and a sub CA, which is domain-joined. The private key expired about 5 years ago and was never renewed. We are building new 2019 CA servers. Do I try to renew, then move the old expired server over to the new servers, or just start from scratch and create a new private key?



Tags: Windows Server 2008, Enterprise Certificate Authority, certificate services, active directory certificate service, Public Key Infrastructure (PKI)

Last comment: MNESupport, 8/22/2022 (Mon)
arnold

You have to answer the question yourself.
Since the 2008 CA's certificate expired 5 years ago, there are no current valid certificates in circulation.
There are no certificates that need to be revoked, etc.

You can, as you have, start from scratch, and once you complete the new CA, you can register it in AD while removing the old record. You can then update the certificates on the issuing CAs by having their certs signed by the new CA (potentially after you update the cipher from SHA to SHA256, if not done already).

You would also need to publish the new CA's certificate as a trusted authority in the AD GPO ....

https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects

https://social.technet.microsoft.com/Forums/windowsserver/en-US/feaca926-d364-4bb5-80bf-aed01159e634/how-to-deleteremove-a-root-ca-that-got-published-into-ad-via-certutil-dspublish-myrootcacrt
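As an added worked example (not part of arnold's answer or of the linked Microsoft articles): a PowerShell sequence for the steps above, confirming the old root is expired, publishing the new root CA certificate into the forest with certutil -dspublish, and removing the expired CA's leftover objects from the Configuration partition. The certificate file path, the old CA's common name, and the hostname are assumptions; it needs Enterprise Admins rights, the ActiveDirectory RSAT module, and a domain-joined machine.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell session
# as an Enterprise Admin on a domain-joined host with the ActiveDirectory module installed.
$NewRootCert = 'C:\PKI\NewRootCA.cer'   # ASSUMPTION: exported certificate of the new offline root CA
$OldRootCN   = 'OldRootCA'              # ASSUMPTION: common name of the expired 2008 R2 root CA

# 1. Confirm the old root really is expired, so nothing it issued can still be valid
#    and there is nothing left to revoke before you remove it.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$OldRootCN*" } |
    ForEach-Object {
        '{0}  NotAfter={1:u}  Expired={2}' -f $_.Subject, $_.NotAfter, ($_.NotAfter -lt (Get-Date))
    }

# 2. Publish the new root into AD. RootCA = forest-wide trusted root store (domain members
#    pick it up through Group Policy certificate autoenrollment, no manual GPO edit needed);
#    NTAuthCA = required for CAs that issue domain controller and smart-card logon certs.
certutil -dspublish -f $NewRootCert RootCA
certutil -dspublish -f $NewRootCert NTAuthCA

# 3. Remove the expired CA's stale objects. 'Enrollment Services' only ever holds
#    enterprise (domain-joined) CAs, so the old sub CA shows up there, not the offline root.
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
foreach ($container in 'Certification Authorities', 'AIA', 'Enrollment Services') {
    $searchBase = "CN=$container,$pkiBase"
    Get-ADObject -SearchBase $searchBase -Filter "Name -eq '$OldRootCN'" -ErrorAction SilentlyContinue |
        ForEach-Object {
            "Removing $($_.DistinguishedName)"
            Remove-ADObject -Identity $_ -Recursive -Confirm:$false
        }
}

# 4. Verify what the forest now trusts, then pull the change to this machine.
certutil -store -enterprise Root
gpupdate /target:computer /force
certutil -pulse
```

Leave the old root's CRL distribution points unpublished rather than trying to re-sign a CRL for it; with every certificate in its chain already expired, relying parties never reach revocation checking for that hierarchy.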
DEMAN-BARCELO (MVP) Thierry

You will have a lot of advantages if you integrate the new authority server in Active Directory.

- No need to modify the GPO to deploy the root certificate

- Possibility to deploy automatically certificates to computers and users.
MNESupport (ASKER)
Hi,
I ended up decommissioning the old servers, then building a new two-tier CA. All seemed to go well initially, as it started deploying certs to machines, then it stopped. Now it won't autoenroll, nor can I request a new certificate. I get an error when trying stating rpc_s_server_unavailable. On my DCs I'm seeing "Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable." I'm also seeing the error "No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this".
One of our applications that uses LDAP has stopped working. I may engage Microsoft, but I wanted to see if anyone has any thoughts.
arnold

RPC
Check the network classification in Network and Sharing settings.

Presumably a reboot did not fix the issue.

To which CA are the requests being sent, the issuing CA or the root CA?
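As an added worked example (not part of arnold's reply): a PowerShell checklist that answers his questions from a DC that logs the 0x800706ba autoenrollment failure, covering the RPC path to the issuing CA, the CA host's network profile and firewall state, whether the DC still holds a valid server-authentication certificate (the "No suitable default server credential" condition), and a forced autoenrollment pass read back from the event log. The CA hostname and CA name are assumptions, and the remote checks assume WinRM is enabled on the CA.

```powershell
# Added example, not from the original thread. Run elevated on the DC that fails to enroll.
$IssuingCAHost = 'SUBCA01.corp.example'   # ASSUMPTION: hostname of the new enterprise issuing CA
$IssuingCAName = 'Corp Issuing CA'        # ASSUMPTION: CA common name as listed in 'certutil -dump'

# 1. Which CAs does AD advertise for enrollment? Autoenrollment only talks to entries
#    listed here (the Enrollment Services container), never to the offline root.
certutil -dump

# 2. RPC needs the endpoint mapper (TCP 135) and then a dynamic high port on the CA.
#    A failure here, not at the CA itself, is what 0x800706ba usually means.
Test-NetConnection -ComputerName $IssuingCAHost -Port 135

# 3. Exercise the CA's own DCOM/RPC interfaces, the same path autoenrollment uses.
certutil -config "$IssuingCAHost\$IssuingCAName" -ping
certutil -config "$IssuingCAHost\$IssuingCAName" -pingadmin

# 4. arnold's point: if the CA's network profile came up as Public, the inbound
#    AD CS firewall rules are scoped to Domain/Private and RPC is silently dropped.
Invoke-Command -ComputerName $IssuingCAHost -ScriptBlock {
    Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
    Get-Service CertSvc | Select-Object Status, StartType
    Get-NetFirewallRule -DisplayName '*Certification Authority*' |
        Select-Object DisplayName, Enabled, Profile, Direction
}

# 5. Schannel's "default server credential" is a valid cert with the Server Authentication
#    EKU (1.3.6.1.5.5.7.3.1) in the machine store. On a DC that is normally the
#    Kerberos Authentication / Domain Controller certificate; without it LDAPS stops.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$dcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.NotAfter -gt (Get-Date) -and $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid
}
if (-not $dcCerts) {
    Write-Warning 'No unexpired Server Authentication certificate in LocalMachine\My; LDAPS will fail.'
}
$dcCerts | Select-Object Subject, Issuer, NotAfter,
    @{ n = 'EKU'; e = { $_.EnhancedKeyUsageList.FriendlyName -join ', ' } }

# 6. Force an autoenrollment pass and read the outcome from the logs the asker quoted
#    (AutoEnrollment provider in Application, Schannel in System).
certutil -pulse
Start-Sleep -Seconds 10
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -MaxEvents 5 | Select-Object TimeCreated, Id, Message
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

If step 2 or 3 fails from the DC but succeeds when run on the CA host itself, the problem is network or firewall scoping between the two, not the CA configuration; if step 5 shows the DC's only server certificate was issued by the decommissioned hierarchy, the LDAPS application break and the Schannel event are the same root cause and clear once the DC enrolls from the new issuing CA.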
ASKER CERTIFIED SOLUTION
MNESupport

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.