Subordinate CA certificate renewal

  • Question

  • Greetings,

    I'm trying to renew the certificate for my Enterprise Issuing CA (I have an offline standalone root CA). I create a new certificate request from the issuing CA, import it to the root, issue a new certificate and then export it to a .cer file. After that I import it to my issuing CA. Everything works perfectly except for one thing: the new issuing CA certificate's private key is not exportable any more (initially, when I installed the subordinate CA, there was a checkbox in the installation process to make the key exportable). I really do need to renew the subordinate CA certificate while keeping the option to export the private key. Do you have any ideas?

    Tuesday, August 6, 2019 2:31 PM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    Regarding "new issuing CA certificate's private key is not exportable any more", how do we see that the new issuing CA certificate's private key is not exportable? Through the issuing CA backup wizard, or through the certificate export wizard in the issuing CA properties?

    Through the issuing CA backup wizard:

    Through the certificate export wizard in the issuing CA properties:

    I find we can try to export the issuing CA certificate with its private key as below:

    1. Log on to the issuing CA with a domain Administrator account.
    2. Search for certlm.msc and press Enter.
    3. Find the new issuing CA certificate in the Certificates container under the Personal container.
    4. Right-click this certificate -> All Tasks -> Export -> Next.
    5. Select "Yes, export the private key".

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 7, 2019 5:47 AM
    Moderator
  • Greetings,

    After reissuing the subordinate CA's certificate, the private key cannot be exported.

    Friday, August 9, 2019 7:34 AM
  • Hi,
    Run the command certutil -store my to find whether CA keys are Exportable or Non-Exportable.



    Best Regards,
    Daisy Zhou

    Friday, August 9, 2019 11:02 AM
    Moderator
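
    A scripted version of the check suggested in the reply above, as an added example that is not part of the original thread: it lists every certificate in the local machine Personal store with the export policy of its private key, so the old and the renewed CA certificate can be compared side by side. It assumes an elevated Windows PowerShell 5.1 session (.NET Framework 4.6 or later) on the issuing CA and RSA keys held in a software provider; the function name Get-KeyExportPolicy is hypothetical.

```powershell
# Added example: report the private-key export policy of certificates
# in Cert:\LocalMachine\My. Get-KeyExportPolicy is a hypothetical name.
function Get-KeyExportPolicy {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $policy = 'NoPrivateKey'
        if ($Certificate.HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key storage provider: ExportPolicy is a flags enum
                    # (None, AllowExport, AllowPlaintextExport, ...).
                    $policy = $rsa.Key.ExportPolicy.ToString()
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CryptoAPI provider: a single Exportable flag.
                    $policy = if ($rsa.CspKeyContainerInfo.Exportable) { 'Exportable' } else { 'NonExportable' }
                }
                else {
                    # GetRSAPrivateKey returned nothing usable (for example a non-RSA key).
                    $policy = 'Unknown'
                }
            }
            catch {
                # Key container missing, access denied, or provider error.
                $policy = "Unreadable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Subject       = $Certificate.Subject
            NotBefore     = $Certificate.NotBefore
            NotAfter      = $Certificate.NotAfter
            Thumbprint    = $Certificate.Thumbprint
            HasPrivateKey = $Certificate.HasPrivateKey
            ExportPolicy  = $policy
        }
    }
}

# After a renewal the store holds more than one certificate with the CA's
# subject; sorting by validity start puts the renewed one last.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Get-KeyExportPolicy |
    Sort-Object Subject, NotBefore |
    Format-Table -AutoSize
```

    For a CNG key, a policy of None means the key cannot be exported; for a CryptoAPI key the same state is reported as NonExportable.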
  • Hi,
    Does this question have any update, or is this issue solved? Also, is there any other assistance we could provide for this question?


    Best Regards,
    Daisy Zhou

    Monday, August 12, 2019 8:14 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.

    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou

    Wednesday, August 14, 2019 9:28 AM
    Moderator
  • Hi,

    It seems I incorrectly followed the certificate renewal procedure, since I've deployed PKI in a test environment and cert renewal worked fine for me. I believe my issue was creating several certificate renewal requests before actually replacing the certificate.

    Thursday, August 15, 2019 1:03 PM
  • Hi,
    Thank you for your update. I am so glad that we found the cause of the problem.

    As always, if there is any question in the future, we warmly welcome you to post in this forum again. We are happy to assist you!

    Have a nice day!



    Best Regards,
    Daisy Zhou

    Friday, August 16, 2019 7:55 AM
    Moderator