Avatar of MNESupport
 asked on

Replacing CA Servers with expired Certificate

We are looking to replace/upgrade our existing Windows server 2008 R2 Certificate Authority Servers. There is the root server which is non domain joined and a subca which is domain joined.  The private key expired about 5 years ago and was never renewed.  We are building new 2019 CA servers. Do I try to renew then move the old expired server over to the new servers or just start from scratch and create a new private key.  

Windows Server 2008* Enterprise Certificate Authority* certificate services* active directory certificate service* Public Key Infrastructure (PKI)

Avatar of undefined
Last Comment

8/22/2022 - Mon

You have to answer the question yourself.
Since the 2008 expired 5 years ago, there are no current valid certificates in circulation.
There are no certificates that need to be revoked/etc.

You can as you have start from scratch and once you complete the new CA, you can add register it on the AD while removing the old record/ You can then update the certificates on the issuing CA's by having their Certs signed by the new CA (potentially after you update the cipher from SHA to SHA256 if not done already.

You would also need to publish the New CA's Certficate as a trusted authority in the AD GPO ....



You will have a lot of advantages to integrate the new authority server in Active Directory.

- No need to modify the GPO to deploy the root certificate

- Possibility to deploy automatically certificates to computers and users.

I ended up decommissioning the old servers then building  a new two tier CA server. All seemed to go well initially as it started deploying certs to machines then it stopped. Not it wont autoenroll nor can I request a new certificate. I get an error when trying stating the rpc_s_server_unavailable. On my DC's im seeing Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.  Im also seeing error "No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this".  
One of our applications that uses ldap has stopped working. I may engage Microsoft but I wanted to see if anyone has any thoughts.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes

Check network classification in network and share settings.

Presumably a reboot did not fix the issue.

To which CA are the requests being sent, the issuing CA or to the root CA?

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.