Auto renew an Enterprise CA root certificate

  • Question

  • Is it possible to configure auto-renewal of an Enterprise root CA certificate, so the root CA certificate itself auto renews? If there's no built-in mechanism for auto-renewal, can it be done with certutil.exe or PowerShell so it can be scripted and run as a scheduled task?

    Thanks.

    Monday, September 30, 2013 1:51 PM

All replies

  • No, no and no. It wasn't supported, is not supported and will not be supported. CA certificate renewal MUST BE a *manual* process. It is a very bad idea to fully automate this process.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Monday, September 30, 2013 2:56 PM
  • Why is it a bad idea? What are the negative implications? I just dealt with a major business outage caused by an expired root CA certificate and I would like to avoid that again if possible.
    Monday, September 30, 2013 3:03 PM
  • Why is it a bad idea? What are the negative implications? I just dealt with a major business outage caused by an expired root CA certificate and I would like to avoid that again if possible.

    Because it all comes down to trust. If you were to automatically renew a CA certificate, the potential for abuse in doing so is simply too great, and therefore there is zero trust.

    IMO, unless you're dealing with a "mom and pop" outfit, even using an Enterprise root is a bad idea. Anything larger than a "mom and pop" outfit should be using a standalone, offline root CA, not an Enterprise CA.

    The company you're dealing with has a process problem, not a technology problem.

    • Proposed as answer by Yan Li_ Tuesday, October 1, 2013 5:58 AM
    • Marked as answer by Yan Li_ Monday, October 7, 2013 1:57 AM
    Monday, September 30, 2013 3:14 PM
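One way to address the "process problem" named above without automating the renewal itself, as an added PowerShell example that is not part of the thread and not code from any of its posters: a scheduled task that reports on the CA's own certificate instead of renewing it. It is assumed to run on the CA host, where it reads the active CA name and the list of CA certificate hashes from the CertSvc registry keys and looks each one up in the machine personal store; it warns on the console and, if the source is registered, in the Application event log when the current CA certificate is inside a lead window. The 180-day window, the event source name and the event ID are assumed values, not anything the thread specifies.

```powershell
<#
  Added example (not from the thread). Reports on, and never renews, the
  CA's own certificate(s). Intended to run as a scheduled task on the CA
  host. Assumptions: the AD CS role is installed locally (the CertSvc
  registry keys exist) and the CA certificates live in Cert:\LocalMachine\My.
  WarnDays, EventSource and the event ID are made-up values.
#>
param(
    [int]$WarnDays = 180,
    [string]$EventSource = 'CACertExpiryCheck'   # register once: New-EventLog -LogName Application -Source CACertExpiryCheck
)

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (-not (Test-Path $cfgKey)) {
    throw "No CA configuration found under $cfgKey; run this on the CA host."
}

# 'Active' holds the common name of the CA installed on this host.
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active

# CACertHash is a multi-string of SHA-1 hashes, one per CA certificate
# (the original plus each renewal); the last entry is the certificate in use.
$hashes = @((Get-ItemProperty -Path "$cfgKey\$caName" -Name CACertHash).CACertHash) |
    ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }

$now = Get-Date
$report = foreach ($hash in $hashes) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert) {
        Write-Warning "CA certificate $hash is listed in the registry but not in LocalMachine\My"
        continue
    }
    [pscustomobject]@{
        CA         = $caName
        Thumbprint = $hash
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        HasKey     = $cert.HasPrivateKey
    }
}

$current = $report | Select-Object -Last 1
if ($null -eq $current) {
    throw "None of the CA certificates listed for '$caName' were found in the store."
}

# Full history, so an operator can see earlier (already renewed) CA certs too.
$report | Format-Table -AutoSize

if ($current.DaysLeft -lt 0) {
    $msg  = "CA '$caName' certificate $($current.Thumbprint) EXPIRED on $($current.NotAfter)."
    $type = 'Error'
}
elseif ($current.DaysLeft -le $WarnDays) {
    $msg  = "CA '$caName' certificate $($current.Thumbprint) expires in $($current.DaysLeft) days " +
            "($($current.NotAfter)). Schedule a manual CA certificate renewal now."
    $type = 'Warning'
}
else {
    $msg  = "CA '$caName' certificate $($current.Thumbprint) is valid for $($current.DaysLeft) more days."
    $type = 'Information'
}

Write-Host $msg
# Surface the result to whatever already watches the event log (SCOM, SIEM, etc.).
if ([System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    Write-EventLog -LogName Application -Source $EventSource -EntryType $type -EventId 4100 -Message $msg
}

# Non-zero exit lets Task Scheduler's "last run result" flag the problem as well.
if ($type -eq 'Information') { exit 0 } else { exit 1 }
```

The renewal itself stays a deliberate, manual step on the CA (the Renew CA Certificate task in the Certification Authority console, or `certutil -renewCert ReuseKeys`); what the task adds is the months of warning that the outage described above was missing. Because the hash list is read from the registry rather than from a hard-coded thumbprint, the check keeps working after a renewal without being edited.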
  • Hi,

    Any update? Please let us know if you would like further assistance.

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Cataleya Li
    TechNet Community Support

    Thursday, October 3, 2013 5:44 AM
  • Hi,

    I have the same question. And I need it just for a test lab, which people often forget is a scenario too. I want to test stuff like certificate renewal etc. Therefore, I need a root certificate which runs out every day, more or less.

    Off topic: When will clients renew the root certificate if it expires?

    Regards DrWho

    Monday, September 22, 2014 11:38 AM
  • Hi,

    I have the same question. And I need it just for a test lab, which people often forget is a scenario too. I want to test stuff like certificate renewal etc. Therefore, I need a root certificate which runs out every day, more or less.

    Off topic: When will clients renew the root certificate if it expires?

    Regards DrWho

    As has already been stated in this thread, it is not possible to automatically renew a root CA certificate. It doesn't really matter if it is a production or lab environment; it can't be done.

    Clients don't renew root certificates.

    Monday, September 22, 2014 12:17 PM