Problem trying to renew subordinate CA certificate

  • Question

  • Hi,

    http://support.risualblogs.com/blog/2014/05/13/renew-issuingsubordinate-ca-certificate/

    I am following these steps to renew my subordinate CA with the same key pairs.

    Steps to Renew if Root CA is offline

    • Log onto your Issuing CA and open the Certificate Authority MMC
    • Right click on your Issuing CA > All Tasks > Renew CA Certificate
    • Press Yes to Stop AD Certificate Services
    • Press No to Generate a new Public/Private Pair

    I am experiencing a problem, whereby the "CA Certificate Request" dialogue box does not appear.  When I click No to generate a new public/private pair, Certificate Services simply starts again; the "CA Certificate Request" dialogue box does not appear at all.

    The request file location is c:\certs but no request file is generated.

    I found another post that has an apparent identical issue, however the suggested fix is not available.

    https://social.technet.microsoft.com/Forums/en-US/7d83f2b3-23fb-412e-9ea2-14d017c00535/subca-certificate-cannot-be-renewed?forum=winserversecurity

    The account I am using has Enterprise/Domain and Schema admin permissions.

    Any suggestions welcome.

    Brian


    Tuesday, September 27, 2016 1:58 PM

Answers

  • I ran into the same issue.  SubCA did not open a dialog box to select RootCA server name.

    The issue was resolved by creating a network share called "CertConfig" on SubCA as defined in HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<SubCA Name>\RequestFileName.

    • Marked as answer by Enigma IE Wednesday, May 3, 2017 3:25 PM
    Monday, May 1, 2017 6:51 PM
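    The following is an added diagnostic script, not code from the thread. It reads the same registry values the accepted answer refers to (the active CA name, CAType, and RequestFileName), decodes the CA type that certutil -getreg ca\catype reports, and checks whether the directory or UNC share that RequestFileName points at actually exists, since a missing share means the .req file is never written and the dialog never appears. The backing folder C:\CertConfig used in the suggested fix is a hypothetical choice. Run it elevated on the subordinate CA.

```powershell
# Added example (not from the thread): inspect where this CA will write its
# renewal request and whether that location exists. Run elevated on the sub CA.
# Assumption: C:\CertConfig below is a hypothetical backing folder for the share.

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName
$cfg    = Get-ItemProperty -Path $caKey

# CAType values used by ADCS; "certutil -getreg ca\catype" shows the same number.
$caTypes = @{ 0 = 'Enterprise Root'; 1 = 'Enterprise Subordinate'
              3 = 'Standalone Root'; 4 = 'Standalone Subordinate' }

"CA name         : $caName"
"CAType          : $($cfg.CAType) ($($caTypes[[int]$cfg.CAType]))"
"RequestFileName : $($cfg.RequestFileName)"

if (@(0, 3) -contains [int]$cfg.CAType) {
    Write-Warning 'This CA is registered as a root CA; root CAs never show the "submit request" dialog.'
}

# RequestFileName is a template (certsvc expands the %1..%4 tokens at renewal time),
# so only its directory part matters for the existence check.
$dir = Split-Path -Parent $cfg.RequestFileName

if ($dir -like '\\*') {
    # UNC path \\server\share[\subdir]: the share must exist on the target host.
    $parts  = $dir.TrimStart('\') -split '\\'
    $server = $parts[0]
    $share  = $parts[1]
    if (Test-Path -LiteralPath "\\$server\$share") {
        "Share \\$server\$share is reachable."
    } else {
        Write-Warning "Share \\$server\$share does not exist, so no request file can be written."
        Write-Warning "Create it on $server, e.g.:"
        Write-Warning "    New-Item -ItemType Directory -Path C:\CertConfig"
        Write-Warning "    net share $share=C:\CertConfig /GRANT:Administrators,FULL"
    }
} elseif (Test-Path -LiteralPath $dir) {
    "Directory $dir exists."
} else {
    Write-Warning "Directory $dir does not exist; create it before renewing."
}
```

The share is only a drop location for the request file, so scope its permissions to CA administrators rather than Everyone; the request contains no private key material, but it is the document the root CA will sign, so it should not be writable by arbitrary accounts.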

All replies

  • Hi Brian,

    Without asking the reason you want/need to renew your Issuing CA certificate, the following article should help.

    https://technet.microsoft.com/en-us/library/cc730605.aspx

    Note that the CA certificate request defaults to the root of C:. You should find it there.

    You’d then copy this to a USB to sneakernet to your offline Root CA to complete the request and return with a new certificate for your Issuing CA. Remember that the Root CA never comes online or otherwise attaches to the network at any time.

    Considerations for renewal of certificates previously issued by the Issuing CA, for example, need to be reviewed.

    Hth,

    -bill

    Tuesday, September 27, 2016 2:33 PM
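    The offline round-trip Bill describes, as an added example on the command line rather than through the MMC. This is not code from the thread; the server names SUBCA01 and ROOTCA01, the CA names "ContosoIssuingCA" and "Contoso Root CA", drive E:\ as the removable media, and request ID 42 are all hypothetical. ReuseKeys is the command-line equivalent of answering No to generating a new key pair.

```powershell
# Added example (not from the thread): offline subordinate CA renewal with the
# existing key pair, using certutil/certreq. All host, CA and file names below are
# hypothetical; adjust them to your environment.

# ---- 1. On the subordinate CA SUBCA01 (elevated) ----
# With no parent CA given, certsvc cannot submit over the network and instead writes
# the renewal request to the RequestFileName location from the registry.
certutil -renewCert ReuseKeys

# Pick up the request it produced. RequestFileName defaults to C:\%1_%3%4.req;
# change the path if your registry points at a share or another folder.
$req = Get-ChildItem -Path C:\ -Filter '*.req' |
       Sort-Object LastWriteTime | Select-Object -Last 1
Copy-Item -LiteralPath $req.FullName -Destination E:\subca-renewal.req

# ---- 2. On the offline root CA ROOTCA01, from the removable media ----
$rootConfig = 'ROOTCA01\Contoso Root CA'
certreq -submit -config $rootConfig E:\subca-renewal.req
# A standalone root normally holds the request as pending and prints its RequestId.
# Issue it by that number (42 is a placeholder for the printed value).
certutil -resubmit 42
certreq -retrieve -config $rootConfig 42 E:\subca-renewal.cer
# Carry a fresh root CRL back as well so the new chain can be validated.
certutil -CRL
Copy-Item -Path 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' -Destination E:\

# ---- 3. Back on SUBCA01 ----
certutil -installCert E:\subca-renewal.cer
net start certsvc
# Confirm the renewed CA certificate chains and its AIA/CDP URLs resolve.
certutil -verify -urlfetch E:\subca-renewal.cer
```

The root CA never joins the network at any point; the only things that cross the air gap are the request file going out and the signed certificate plus CRL coming back. Because the key pair is reused, certificates previously issued by the subordinate CA keep chaining to the new CA certificate.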
  • Hi Bill,

    Thank you for the information. The reason why I want to renew my issuing CA certificate is because the issuing server itself has a validity period for 1 more year, however I need/want to issue certificates from the subordinate issuing CA for 2 years.

    From the link you sent, I did try that process yesterday, however I am getting the attached error. The account I am using is a member of Enterprise Admins. Checking the permissions on the Subordinate Certification Authority template, Enterprise Admins have Read/Write/Enroll?

    Tuesday, September 27, 2016 2:52 PM
  • Update on this. I granted the two issuing server computer accounts "Enroll" permissions on the Subordinate Certification Authority template.  The certificate is now AVAILABLE and I do have the option to Enroll....
    • Proposed as answer by Amy Wang_Moderator Wednesday, September 28, 2016 2:09 AM
    • Unproposed as answer by Enigma IE Wednesday, September 28, 2016 1:47 PM
    Tuesday, September 27, 2016 3:56 PM
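    An added check that is not part of the thread: it lists every principal holding the Enroll right on the built-in "Subordinate Certification Authority" template (template common name SubCA). Any account that can enroll this template can obtain a CA certificate from an online enterprise CA, so the list is worth reviewing once a renewal is finished. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the Configuration partition.

```powershell
# Added example (not from the thread): show who can enroll the SubCA template.
# Assumes the ActiveDirectory module is installed and the caller can read the
# Configuration naming context.

Import-Module ActiveDirectory

# Certificate-Enrollment extended right (well-known AD rights GUID).
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$acl = Get-Acl -Path "AD:\$templateDN"

# An ACE grants Enroll when it allows ExtendedRight (GenericAll includes it) and its
# ObjectType is either the Enroll GUID or the empty GUID (meaning all extended rights).
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Computer accounts of the issuing CAs showing up here are expected while a renewal is in progress; anything else, or grants left in place afterwards, deserves a second look.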
  • Hi,

    Please feel free to let us know if further assistance is required.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 28, 2016 2:09 AM
    Moderator
  • I am reluctant to mark as an answer at this point or even a workaround. I believe the steps from the below article are correct, but there is another issue.

    http://support.risualblogs.com/blog/2014/05/13/renew-issuingsubordinate-ca-certificate/

    Wednesday, September 28, 2016 1:49 PM
  • Hi,

    Here is an official article regarding renewing a CA for you:

    Renewing Certification Authorities

    https://technet.microsoft.com/en-us/library/cc962077.aspx?f=255&MSPPError=-2147217396

    Would you please clarify the other issue you are concerned about?

    Best Regards,

    Amy


    Thursday, September 29, 2016 8:33 AM
    Moderator
  • Hi Amy,

    My original issue persists. As per the link you just sent me, step 4 states the following:

    Type the domain name of the server for the parent CA in the Computer Name box, or click Browse to select the server.
    The Parent CA box displays the name of the CA that is running on the server computer that you have selected.

    I do NOT get this dialogue box to either enter details or Press CANCEL.

    In my scenario, it is a 2 tier PKI infrastructure with an offline root. I am expecting to be able to click cancel on the dialogue box and then be able to save the request file to the file system, so I can manually copy it to the offline root.

    Thursday, September 29, 2016 8:39 AM
  • Hi,

    I assume that the Complete this CA Installation dialog box didn't appear after the certificate was enrolled, is that correct?

    In addition, what's the OS of your sub CA?

    Best Regards,

    Amy


    Friday, September 30, 2016 8:32 AM
    Moderator
  • Hi Brian,

    Would you please provide us with an update on the status of your issue?

    Best Regards,

    Amy


    Monday, October 10, 2016 5:02 AM
    Moderator
  • I have two sub-CAs, both W2008R2.

    When I tried the workaround to enroll, my certificate was automatically renewed by the other issuing CA, I was not prompted or given the option to save the *.req file so I could then copy it to the offline Root CA for signing.

    I've not had a chance to investigate further, I will follow up next week.


    • Edited by Enigma IE Tuesday, October 11, 2016 12:11 PM
    Tuesday, October 11, 2016 12:11 PM
  • If you don't get this dialog, then you are performing a renewal on a Root CA. There is no way this would occur on a subordinate CA. A root CA first asks if it's OK to stop the service, then asks if you want to create a new key (yes/no), and then that is it. A subordinate does the same, but then asks how you want to submit the request. If you aren't getting that dialog, then the CA isn't a subordinate, or someone has changed the registry and the CA is misconfigured.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    Tuesday, October 11, 2016 9:16 PM
  • Hi Mark, 

    It's a 2-tier PKI infrastructure, with an offline root and 2 subordinate CAs. I am simply not getting the prompt to ask how I want to submit my request. This isn't the first renewal of this sub-CA, so as you say, something has now broken or been misconfigured since.

    My colleague, who originally set up the PKI infrastructure, is scheduled to have a look next week.

    Thanks,

    Brian

    Wednesday, October 12, 2016 8:52 AM
  • Hi Brian,

    In that case, kindly update this thread with any findings next week.

    Best Regards,

    Amy


    Thursday, October 13, 2016 2:45 AM
    Moderator
  • I'm experiencing the same issue.  Did you ever find a resolution?
    Wednesday, February 1, 2017 5:09 PM
  • What is the output of this command on your CA?

    certutil -getreg ca\catype


    Wednesday, February 1, 2017 6:57 PM
  • We did not find a resolution. There was a business requirement to use SHA-256, so a new PKI infrastructure was setup in parallel (OS upgrades to 2012r2) and we will be moving services over to the new environment. 
    Thursday, February 2, 2017 9:58 AM
  • I am having the same issue.

    The only thing I see in Registry

    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<SubCA Name>\RequestFileName

    is

    C:\%1_%3%4.req

    running Windows 2008 R2 DC

    Where do you create the CertConfig share?

    Wednesday, September 11, 2019 4:00 PM