Renew subordinate CA certificate

  • Question

  • Hello,

    I want to renew the CA certificate of my sub CA. When I right-clicked the issuing CA and chose "Renew CA Certificate", I chose not to change the private key. After this, the CA services restarted, but I was not able to select whether I want to request online or offline.

    Any ideas?

    Tuesday, November 10, 2015 12:25 PM

Answers

  • Hey everyone,

    I was able to fix it. After trying to renew the CA cert with "certutil -renewcert reusekeys", I got an error telling me that the hash algorithm is invalid.

    So I went back to the GUI and renewed the certificate using a new key pair. This worked fine.

    Thanks for support.

    Wednesday, November 11, 2015 8:40 AM
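The accepted answer hit the hash-algorithm error only after the renewal had been started. As an added example (not code from the thread), the PowerShell below inventories what the CA service is configured to sign with and every version of the CA's own certificate before any renewal is attempted, so a key-provider or hash mismatch is visible up front. It assumes AD CS registry values (Active, CACertHash, CSP\Provider, CSP\HashAlgorithm, CSP\CNGHashAlgorithm) and that the CA certificates live in the machine's Personal store; run it in an elevated prompt on the subordinate CA.

```powershell
# Added example, not from the thread. Pre-renewal inventory of an AD CS CA:
# which key provider and hash algorithm the service is configured with, and
# the state of each CA certificate version. Read-only; it changes nothing.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active     # "<CA common name>"
$caKey  = Join-Path $cfg $caName
$csp    = Get-ItemProperty -Path (Join-Path $caKey 'CSP')

# Legacy CSP hash algorithm ids (CryptoAPI CALG_* constants).
$algIds = @{ 0x8003 = 'MD5'; 0x8004 = 'SHA-1'; 0x800C = 'SHA-256'
             0x800D = 'SHA-384'; 0x800E = 'SHA-512' }
$legacyHash = '(not set)'
if ($csp.HashAlgorithm) {
    $legacyHash = $algIds[[int]$csp.HashAlgorithm]
    if (-not $legacyHash) { $legacyHash = ('unknown id 0x{0:X}' -f $csp.HashAlgorithm) }
}
$cngHash = if ($csp.CNGHashAlgorithm) { $csp.CNGHashAlgorithm } else { '(not set)' }

"CA:                $caName"
"Key provider:      $($csp.Provider)  (ProviderType $($csp.ProviderType))"
"CSP HashAlgorithm: $legacyHash"
"CNGHashAlgorithm:  $cngHash"
""

# CACertHash lists the thumbprint of every CA certificate version; index 0 is
# the original and each renewal appends one. Thumbprints are stored with spaces.
$hashes = @((Get-ItemProperty -Path $caKey -Name CACertHash).CACertHash)
for ($i = 0; $i -lt $hashes.Count; $i++) {
    $thumb = ($hashes[$i] -replace '\s', '').ToUpper()
    $cert  = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        "Version $i : $thumb not found in LocalMachine\My (check the store before renewing)"
        continue
    }
    $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
    "Version $i : expires $($cert.NotAfter.ToString('yyyy-MM-dd')) ($days days left), " +
    "signed with $($cert.SignatureAlgorithm.FriendlyName), private key present: $($cert.HasPrivateKey)"
}
```

The signature algorithm shown per version is the parent CA's choice; the CSP/CNG values are what this CA will sign with, so a legacy-only provider paired with a CNG-only hash setting is worth reviewing before choosing "reuse keys".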

All replies

  • What OS is the subordinate and the root CA running on? (2003, 2008, 2012)

    Did you verify that the sub CA can access the root CA before attempting to get a new cert?

    Below I have added some links that walk you through different ways to renew the certificate. Have you tried all these methods and still had no success?

    http://blogs.technet.com/b/xdot509/archive/2013/06/06/operating-a-windows-pki-renewing-ca-certificates.aspx

    https://technet.microsoft.com/en-us/library/cc962077.aspx

    https://technet.microsoft.com/en-us/library/cc776691%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Tuesday, November 10, 2015 2:25 PM
  • Thanks Jedi.

    The root CA is running on Server 2003 and the sub CA on 2008. In which way should I check the access? When I refer to the second video (renewal of the sub CA certificate), the dialog box at 6:07 doesn't appear.

    Tuesday, November 10, 2015 2:35 PM
    That box pops up because his root CA was not online. Watch the video in its entirety and also read the TechNet links. Remember that since your root CA is 2003, you will have to renew the certificate the 2003 way; the link is below.

    https://technet.microsoft.com/en-us/library/cc776691%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Tuesday, November 10, 2015 2:47 PM
  • Hi Jedi,

    According to the link, I should be able to decide whether to send the request directly to the parent CA (if the parent CA is online) or to save the request in a file (if the parent CA is offline).

    This selection is described in step 6 (after selecting whether a new key should be generated or not). But again, this dialog box doesn't appear. I also can't save the request file.

    After doing step 5, the process is finished and there is neither a pending request nor a request file.

    Tuesday, November 10, 2015 3:06 PM
    Is the root online or offline? On the root CA, is that certificate still valid (cert-wise)? Is the sub CA in an AD environment? If so, is it a member of the "Cert Publishers" group? Is it also a member of the "Pre-Windows 2000 Compatible Access" group? In PKI View, do you see the root CA certificate?
    Tuesday, November 10, 2015 4:41 PM
  • Hi,

    I have just completed the renewal of the root and issuing CA certificates and used the following article. There are a couple of YouTube videos towards the bottom of it.

    http://blogs.technet.com/b/xdot509/archive/2013/06/06/operating-a-windows-pki-renewing-ca-certificates.aspx

    This resource was invaluable for our renewal and I had no problems whatsoever.

    Hope it helps.

    ac

    Tuesday, November 10, 2015 8:22 PM
  • Thank you for sharing your solutions and experience here. It will be very beneficial for other community members who have similar questions.

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Friday, November 13, 2015 6:26 AM
  • Please mark this as closed. I was not able to renew the cert from our Enterprise CA as we found out that the cert was created using a server that was no longer in service. So we ordered a cert from RapidSSL.

    Thank you everyone for your help

    Friday, August 23, 2019 8:42 PM