Renew certificate issued by local Certificate Authority - Closed

  • Question

  • Hi,

    We have a local Certificate Authority server, Windows 2012 R2. There is a certificate that was issued by the CA and is expiring on August 23, 2019. How can we renew the certificate?

    Thanks

    • Edited by jimjamjimbo Monday, September 9, 2019 2:35 PM closed
    Tuesday, August 20, 2019 6:47 PM

All replies

  • You can safely use the same procedure you used to enroll the previous certificate.

    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    Tuesday, August 20, 2019 7:50 PM
  • Refer to this:

    https://www.experts-exchange.com/articles/32336/CA-Validity-Period-Extension-and-CA-Certificate-Renewal-Process.html

    Wednesday, August 21, 2019 1:56 AM
  • Hello,
    Thank you for posting in our TechNet forum.

    We can try the following two methods.


    Method 1

    We can renew the certificate manually with a command.

    If it is a user certificate, we need to log on to the client with the corresponding domain user account and ensure the certificate is in the Personal store, as below:

    Type certmgr.msc in Search and click Enter.
    Ensure this certificate is in Certificates - Current User->Personal->Certificates container.



    Then we can try the following command:
    certreq -Enroll -cert certificateSerialNumber -user Renew 


    If it is a machine certificate, we need to log on to the client with the domain Administrator account and ensure the certificate is in the Personal store, as below:

    Type certlm.msc in Search and click Enter.
    Ensure this certificate is in Certificates - Local Computer ->Personal->Certificates container.



    Then we can try the following command:
    certreq -Enroll -cert certificateSerialNumber -machine Renew 

    For example:
    certreq -Enroll -cert 6500000005203d06fe5c389b14000000000005 -machine Renew  



    Method 2

    If our certificate was issued by the CA using a certificate template, we can use a GPO to configure certificate auto-enrollment.

    For user certificate

    First we should ensure the users have the Read, Enroll and Autoenroll permission on the corresponding user certificate template.



    Second, we need to enable the following group policy setting:

    User Configuration > Policies > Windows Settings > Security Settings >Public Key Policies>Certificate Services Client – Auto-Enrollment => Enabled

    Check the boxes Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates.



    For computer certificate

    First we should ensure the computers have the Read, Enroll and Autoenroll permission on the corresponding computer certificate template. 



    Second, we need to enable the following group policy settings:

    Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment => Enabled

    Check the boxes Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates.


    Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies >Automatic Certificate Request Settings => right-click Automatic Certificate Request Settings and choose New > Automatic Certificate Request.


    For details about configuring certificate auto-enrollment through GPO, we can refer to the following article.

    Set Up Automatic Certificate Enrollment (Autoenroll)
    https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll


    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 21, 2019 5:58 AM
    Moderator
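
Added example, not part of the thread and not any poster's own code: a PowerShell inventory for Method 1 in the reply above that lists certificates in the Personal store nearing expiry and builds the matching certreq renewal command from each serial number. The function name `Get-RenewalCandidate`, the 30-day window and the issuer filter value are assumptions for illustration.

```powershell
# Added example. Reads the same store that certlm.msc (LocalMachine) or
# certmgr.msc (CurrentUser) shows under Personal > Certificates.
# It only prints the renewal commands; it does not run certreq.
function Get-RenewalCandidate {
    param(
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$Scope = 'LocalMachine',
        [int]$Days = 30,             # assumed renewal window
        [string]$IssuerLike = '*'    # placeholder, e.g. '*CN=<your CA name>*'
    )

    $now    = Get-Date
    $cutoff = $now.AddDays($Days)
    # certreq context switch used in the reply: -machine or -user
    $context = if ($Scope -eq 'LocalMachine') { '-machine' } else { '-user' }

    Get-ChildItem -Path "Cert:\$Scope\My" |
        Where-Object { $_.NotAfter -le $cutoff -and $_.Issuer -like $IssuerLike } |
        Sort-Object NotAfter |
        ForEach-Object {
            [pscustomobject]@{
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                NotAfter      = $_.NotAfter
                # Negative value means the certificate has already expired.
                DaysLeft      = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
                # The private key must be present in this store for renewal.
                HasPrivateKey = $_.HasPrivateKey
                SerialNumber  = $_.SerialNumber
                RenewCommand  = "certreq -Enroll -cert $($_.SerialNumber) $context Renew"
            }
        }
}

# Machine certificates expiring within 30 days, oldest first.
Get-RenewalCandidate -Scope LocalMachine -Days 30 | Format-List
```

Run the printed command from an elevated prompt for machine certificates, or as the owning user for user certificates, as the reply describes.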
  • Hi,
    Has there been any update on this question, or has this issue been solved? Also, is there any other assistance we could provide?



    Best Regards,
    Daisy Zhou


    Friday, August 23, 2019 5:29 AM
    Moderator
  • Hi,
    Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
     
    Again thanks for your time and have a nice day!



    Best Regards,
    Daisy Zhou


    Monday, August 26, 2019 8:06 AM
    Moderator
  • Hi,

    I thought I posted my response. None of the above worked. We ended up purchasing a new certificate from a third party. The thread can be closed.

    Thanks

    Monday, September 9, 2019 2:35 PM
  • Hi,
    Thank you for your update and sharing.

    As always, if there is any question in future, we warmly welcome you to post in this forum again. 

    Have a nice day!


    Best Regards,
    Daisy Zhou


    Wednesday, September 18, 2019 6:24 AM
    Moderator