Enterprise SubCA in Cluster not able to update the renewed certificate on Node2 SubCA in cluster.

  • Question

  • Hi All

    I have recently implemented a 2-tier PKI for an organization, in which there is one offline Root CA and 2 issuing CAs in 2 separate clusters.

    Initially, somehow the SubCA certificate validity was not what I wanted, so I renewed both Sub CA certs from the Root CA with the required validity.

    Now, when I installed the new Sub CA cert on Node 1 in Cluster 1, everything went fine. The Node 1 Cluster 1 Sub CA showed the renewed certificate.

    The same was successful on the Cluster 2 Node 1 Sub CA as well; it got updated with the renewed certificate. Now the problem is that the renewed certificate is not reflected on the second node Sub CA of both clusters.

    I have tried the following:

    1) Verified registry values.

    2) Performed a backup from the Node 1 Sub CA and restored it on the Node 2 Sub CA.

    3) Installed the renewed Sub CA cert as a PFX on the Node 2 Sub CA in the cluster and ran repairstore, but it did not help.

    4) Before installing the renewed Sub CA cert, I updated and installed the new Root CA CRL on all 4 Sub CAs as well.

    Please help me fix this issue.

    Do I need to remove the Node 2 Sub CA on both clusters and reinstall it?

    Please provide the solution; it's quite urgent, as my setup is stuck due to this and without fixing this I can't move forward.

    Thanks

    Saturday, September 28, 2019 4:53 AM

All replies

  • The Sub CA setup is on Windows Server 2019 on Azure cloud.
    Saturday, September 28, 2019 4:57 AM
  • Did you export and import the certificate as a PFX into node 2?

    Only the registry information is replicated; you still need to get the private key and certificate over to the second node.

    Brian

    Saturday, September 28, 2019 6:17 PM
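
A check for the situation Brian describes, as an added example that is not part of the original thread: run on each cluster node, it compares the CA certificate thumbprints recorded in the CertSvc registry configuration with the certificates and private keys actually present in that node's LocalMachine\My store. It assumes the standard AD CS registry layout (the `Active` and `CACertHash` values) and an elevated PowerShell session.

```powershell
# Added example: run on EACH cluster node and compare the output.
# Assumption: standard AD CS registry layout under CertSvc\Configuration.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$hashes = (Get-ItemProperty -Path "$cfg\$caName" -Name CACertHash).CACertHash

$index  = 0
$report = foreach ($h in $hashes) {
    # CACertHash entries are thumbprints, possibly written with spaces;
    # normalise to 40 upper-case hex characters.
    $thumb = ($h -replace '[^0-9A-Fa-f]', '').ToUpper()

    # Skip placeholder entries that are not a SHA-1 thumbprint.
    if ($thumb.Length -eq 40) {
        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object Thumbprint -eq $thumb

        [pscustomobject]@{
            Node          = $env:COMPUTERNAME
            Index         = $index
            Thumbprint    = $thumb
            InMyStore     = [bool]$cert
            HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
            NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
    $index++
}

# One row per CA certificate the registry knows about on this node.
$report | Format-Table -AutoSize
```

If a thumbprint shows InMyStore or HasPrivateKey as False on node 2 while node 1 shows True, the renewed certificate or its key has not reached node 2's store.
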
  • Hi Brian,

    Yes, I did export the PFX into Node 2 from Node 1 and then installed it.

    Still, the Node 2 Sub CA is showing the certificate with the old validity.


    Monday, September 30, 2019 2:20 AM
  • Hello,
    Thank you for posting in our TechNet forum.

    According to our description, we can refer to the article to troubleshoot.

    CA Validity Period Extension and CA Certificate Renewal Process


    And then we can check the CA health in PKIview.msc on Sub CA server.


    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.



    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 30, 2019 2:26 AM
    Moderator
  • Hi,
    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?

    Best Regards,
    Daisy Zhou


    Wednesday, October 2, 2019 7:52 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou


    Friday, October 4, 2019 4:13 AM
    Moderator