SubCA Certificate cannot be renewed


  • Dear Friends,

    I've got a quite urgent problem. Maybe you can help me...


    Here’s my problem:

    I need to renew a sub-ca cert. To do so I followed a huge amount of blogs and tutorials, for example:

    http://support.risualblogs.com/blog/2014/05/13/renew-issuingsubordinate-ca-certificate/


    But in every Tutorial the writers are able to choose an online CA or export the request by clicking Cancel in the following Step:

    My problem is, that this window isn’t showing up. When I choose “No” in the Window before where he asks me whether to create a new key or not and continue, he is just starting the services again and nothing has changed. In the Properties of the sub-ca is still one cert which will expire soon:


    When I try to renew it by using certutil, I get the following message:

    PS C:\Users\administrator.CLOUD4YOU> certutil -renewcert ReuseKeys -f
    CertUtil: -renewCert command FAILED: 0x8007139f (WIN32: 5023)
    CertUtil: The group or resource is not in the correct state to perform the requested operation.


    I’ve googled the error-message already, but none of the solutions applied for us.


    When I try the 3rd option by renewing the cert with the same key over mmc -> Certificates, I get the same error as this writer: https://social.technet.microsoft.com/forums/windowsserver/en-US/90c78256-6291-4e6d-8dd8-82280cc00e69/unable-to-renew-subca but in our deployment the template was already activated.


    I really don’t know what to do next…  Do you have any idea?


    Thanks in advance!


    Carsten Brenner IT-Engineer at cloud4you GmbH (Germany)


    Tuesday, April 14, 2015 2:18 PM

Answers

  • Hi Brian,

    thanks for your further investigation into this problem.

    We were able to fix it by calling an old colleague of mine. He was kind of braver than me and tried a few other buttons. If anyone else is facing this problem, here's our solution:

    1. In SubCA, right-click on servername, select All Tasks -> Install a Certificate
    2. Just click on "Cancel" in the open-file dialog
    3. Now suddenly - just like out of nowhere - we got the missing dialog which I was looking for in the first post in pic 1...
    4. Now everything worked as intended, the new cert was enabled with a durability of 4 years. I guess these are the four years I configured in my 2nd post by using those commands:
       certutil -setreg CA\ValidityPeriodUnits 4
       certutil -setreg CA\ValidityPeriod "Years"

    That's it, thank you all again!


    Carsten Brenner IT-Engineer at cloud4you GmbH (Germany)

    Friday, April 17, 2015 3:46 PM

All replies

  • Hi Carsten,

    Are you able to renew the certificate or just request other certificates through MMC?

    Seems like there’s something wrong with the Sub CA, are there any related error messages logged?

    Do you have a backup of the Sub CA?

    Best Regards,

    Amy


    Thursday, April 16, 2015 9:42 AM
  • Hi Amy,

    I tried it via MMC, but I got the following error:

    Ok, the errormessage is simple and understandable: The validity-period of the SubCA-Cert would overlap the validity-period of the RootCA-Cert.

    So my next step was renewing the RootCA-Cert. This step was pretty easy, everything worked as intended. My Root-Cert now had the maximum validity-period.

    After this I tried it again. First by using the CA-MMC, then by using the Cert-MMC. Same error as always.

    My next step was to check the templates to get the period which was needed by the SubCA-Cert. We were using the default templates for both, Root and Sub. Here comes the bad part: Both templates have a period of 5 years configured by default. So from my point of view I'm practically not able to renew the sub-ca-cert at any time as it will always overlap the Root-CA. This is just...

    After knowing this, I tried to figure out if I'm able to modify the default templates. To shorten this: I'm not able to do so. The default templates are not modifiable. Duplicating wasn't an option, either. Once you created a cert based on a template you won't be able to renew it based on another template.

    With this knowledge I tried to find out if there's another option to renew a cert with a custom period of time. I found this thread: https://social.technet.microsoft.com/Forums/windowsserver/en-us/ce001d8f-c722-4429-83cb-328b92876292/how-to-change-root-certificate-keys-length-and-validity-period. At first I applied the following commands:

    certutil -setreg CA\ValidityPeriodUnits 4
    certutil -setreg CA\ValidityPeriod "Years"

    With those commands I thought the SubCA-Cert would now be requested with only four years (rootCA is valid for five years). But this didn't work for me. So I created the CAPolicy.inf file on the RootCA using the following values:

    [certsrv_server]
    renewalkeylength=2048
    RenewalValidityPeriodUnits=10
    RenewalValidityPeriod=years

    Then I renewed the root-CA-cert again. After checking the Cert-MMC on the RootCA I had something like hope in me. The RootCA-Cert is now valid for 10 years until 2025. So I tried to renew the cert on the SubCA again - but all I got was the same stupid error as always.

    I'm at my wit's end...

    The only way that might possibly work to renew the cert is by renewing it over the CA-MMC using a new key. Then I get the following error:

    I don't know what will happen if I click on "Yes". I always thought that when I try to renew a cert, he will add the cert and won't overwrite my (still working until 19th Apr) Cert.

    --- 

    To the other questions:
    - The eventlog is only firing when I try to renew it by using the cert-mmc. It's the same error I get in pic1
    - I made a CA backup before I started with all my tries; also we're backing up all domain controllers and CAs with a 3rd party backup solution every 6 hours


    Carsten Brenner IT-Engineer at cloud4you GmbH (Germany)

    Thursday, April 16, 2015 2:05 PM
  • You cannot renew your SubCA because you allowed the previous subca certificate to expire.

    A CA renewal requires that the new certificate request be signed by the previous CA certificate. You cannot because the previous CA certificate is time invalid.

    What you need to do is create a new subordinate CA.

    In the future, subordinate CA certificates (and root CA certificates) should be renewed at half their validity period so you do not run into this issue.

    Brian

    Thursday, April 16, 2015 2:49 PM
  • Hi Brian,

    thanks for your reply! 

    I think I understood what you want to say, but my current cert is valid until Sunday (Screenshot 2). So this couldn't be my problem, or am I wrong?

    Thank you again!


    Carsten Brenner IT-Engineer at cloud4you GmbH (Germany)

    Thursday, April 16, 2015 2:59 PM
  • Sorry, missed that one.

    - You do want to renew with a new key pair (prevents chaining confusion).

    - Ensure you are logged in as a member of the Enterprise Admins group when performing the renewal.

    - Ensure that Enterprise Admins is included in the membership of the local Administrators group on the CA.

    - Your renewal period will be the shortest period of:

      - CAPolicy.inf renewal settings

      - ValidityPeriod and ValidityPeriodUnits set on the root CA

      - Remaining lifetime of the root CA certificate

    The root CA cannot issue a certificate beyond its remaining validity period.

    The existing certificate and CRL will remain in force until they expire.

    Brian

    Thursday, April 16, 2015 4:31 PM
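    As an added example (not code from the thread or from Microsoft), the following PowerShell, run on the parent/root CA, reads the three limits Brian lists above and reports the effective cap on a renewed sub-CA certificate, plus whether the CA's own certificate is already past half its lifetime. It assumes the standard AD CS registry location under HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, the CA certificate in Cert:\LocalMachine\My, and CAPolicy.inf in %SystemRoot%.

```powershell
function Get-SubCaRenewalLimit {
    # Assumed standard AD CS registry location; 'Active' holds the CA common name.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $caKey  = Get-ItemProperty -Path (Join-Path $cfg $caName)
    $now    = Get-Date
    # Limit 1: ValidityPeriodUnits / ValidityPeriod on the parent CA (the values the
    # thread set with "certutil -setreg CA\ValidityPeriodUnits 4" and CA\ValidityPeriod).
    $units  = [int]$caKey.ValidityPeriodUnits
    $period = [string]$caKey.ValidityPeriod
    $regEnd = switch ($period) {
        'Years'  { $now.AddYears($units) }
        'Months' { $now.AddMonths($units) }
        'Weeks'  { $now.AddDays(7 * $units) }
        'Days'   { $now.AddDays($units) }
        default  { throw "Unexpected CA\ValidityPeriod value '$period'" }
    }
    # Limit 2: the parent CA's own certificate; it cannot sign beyond its NotAfter.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$caName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $caCert) { throw "No CA certificate with a private key found for '$caName'" }
    # Limit 3: CAPolicy.inf renewal settings (used when this CA renews its own certificate).
    $inf = Join-Path $env:SystemRoot 'CAPolicy.inf'
    $renewal = '(no CAPolicy.inf)'
    if (Test-Path $inf) {
        $raw = Get-Content -Path $inf -Raw
        $u = [regex]::Match($raw, '(?im)^\s*RenewalValidityPeriodUnits\s*=\s*(\d+)').Groups[1].Value
        $p = [regex]::Match($raw, '(?im)^\s*RenewalValidityPeriod\s*=\s*(\w+)').Groups[1].Value
        if ($u -and $p) { $renewal = "$u $p" } else { $renewal = '(not set in CAPolicy.inf)' }
    }
    # Effective cap for a renewed sub-CA certificate: the earlier of limit 1 and limit 2.
    $effectiveEnd = if ($regEnd -lt $caCert.NotAfter) { $regEnd } else { $caCert.NotAfter }
    # Half-life marker for the "renew at half the validity period" advice in the reply.
    $halfLife = $caCert.NotBefore.AddTicks([long](($caCert.NotAfter - $caCert.NotBefore).Ticks / 2))
    [pscustomobject]@{
        CA                    = $caName
        RegistryValidity      = "$units $period (ends $($regEnd.ToString('yyyy-MM-dd')))"
        CaCertNotAfter        = $caCert.NotAfter
        CAPolicyRenewal       = $renewal
        MaxSubCaValidityUntil = $effectiveEnd
        RegistryExceedsCaCert = ($regEnd -gt $caCert.NotAfter)
        CaCertPastHalfLife    = ($now -gt $halfLife)
    }
}
Get-SubCaRenewalLimit | Format-List
```

    A RegistryExceedsCaCert of True reproduces the thread's situation: the configured period runs past the root certificate, which is the shortest of the three limits and therefore what governs the renewed sub-CA certificate.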
  • Hi,

    I am experiencing the same problem, whereby the "CA Certificate Request" dialogue box does not appear when I follow the same process as the original poster.

    http://support.risualblogs.com/blog/2014/05/13/renew-issuingsubordinate-ca-certificate/

    Steps to Renew if Root CA is offline

    • Log onto your Issuing CA and open the Certificate Authority MMC
    • Right click on your Issuing CA > All Tasks > Renew CA Certificate
    • Press Yes to Stop AD Certificate Services
    • Press No to Generate a new Public/Private Pair

    At this point, Certificate Services starts again and the "CA Certificate Request" dialogue box does not appear at all.

    The request file location is c:\certs but no request file is generated.

    The suggested fix is to right-click SubCA | All-Tasks | Install a Cert....  I don't have "Install a Cert" as an option. Any suggestions?

    Tuesday, September 27, 2016 1:45 PM