Windows 2008 CA certificate about to expire while a renewed CA certificate already exists

  • Question

  • Hi all,

    I just created a new certificate for my tech for a website, and he just emailed me that my Windows 2008 CA certificate will expire in two weeks.

    Question 1:

    What will happen to the website when the CA certificate expires?

    Question 2:

    I see that the CA certificate was already renewed the same year. I have:

    Certificate #0, valid from 11-25-2014 to 11-25-2019

    and Certificate #1.0, valid from 11-25-2014 to 11-25-2024

    It looks like the certificate I did for my tech is referencing certificate #0.

    Should I create a new certificate again?

    If not, how can I verify that certificate #1.0 is recognized by my deployed certificates now?

    Should I recreate a new certificate for my tech once this is fixed?

    Is it possible that certificate #0 was deployed in AD but not certificate #1.0? I have inherited this network from another sysadmin.

    Thanks



    • Edited by DanthePro Tuesday, November 12, 2019 10:16 PM
    Tuesday, November 12, 2019 10:03 PM

Answers

  • Hi,
    Here are the answers to your questions:

    Q1: Also see that my CRL and CDP are about to expire also.

    A1: We can re-publish the New CRL and Delta CRL only.

    Try these steps:

    Log on to the CA server, open Certification Authority -> CA Name -> right-click the Revoked Certificates container -> All Tasks -> Publish -> select New CRL and then Delta CRL only.

    Q2: Doing A2 will fix that issue? What are the consequences of them not being renewed?
    A2: If we use method 1 or method 2, we will get the validity we want for the certificate for your tech's website.

    Method 1: first renew the root CA certificate, and then renew this certificate for your tech's website.
    Method 2: first renew the root CA certificate, and then create a new certificate for your tech's website.

    Q3: When I right-click on the Enterprise PKI I see Manage AD Containers. The NTAUTHCERTIFICATES, AIA CONTAINER and CERTIFICATE AUTHORITIES CONTAINER tabs all have the two certificates #0 and #1 with the option to remove if wanted. What is the purpose of those, and can I delete the expired certificate?

    A3: No, currently we cannot remove any of them.

    For example, the following is from my test lab. The status is OK; we cannot remove any of them.

    Q4: Right now my issue is that when using the A2 option you propose I get a security error, see the second pic below. Could I just go and do RENEW CA CERTIFICATE from the CA menu to fix the issue also?

    A4: How do we renew our root CA certificate? We need to log on to the CA server with a domain Administrator account, open Certification Authority -> right-click CA Name -> All Tasks -> Renew CA Certificate.

    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by DanthePro Thursday, November 14, 2019 9:07 PM
    Thursday, November 14, 2019 6:21 AM
    Moderator
  • I just realized that my tech is using a Linux server with Apache. Since it's not on the domain, I sent him the root certificate to put in his trusted sites, and it works right now.

    I have also made a test on a Windows server renewing the certificate, and I saw that the renewed certificate's path relates to certificate #1.

    I think the old sysadmin renewed the CA root a second time, the same day after the first installation.

    Thanks for your help. I will do the steps for the CRL and CDP. I don't need to renew the root certificate right now.

    BTW, I like how you answer my questions. I can see there is a teacher inside of you.

    Thank you


    • Marked as answer by DanthePro Thursday, November 14, 2019 9:07 PM
    Thursday, November 14, 2019 9:07 PM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    Here are the answers to your questions:

    Question1: What will happen to the website when the CA certificate expires?

    Answer1: The validity period of any certificate generated by a Windows CA is the lesser of these three values:

    (1) The remaining lifetime of the root CA server's certificate.
    (2) The value specified in the certificate template.
    (3) The value specified in the CA server registry (default is 2 years):
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriodUnits

    So if we do not renew the root CA certificate, this certificate for your tech's website will expire in two weeks.
    If we have renewed the root CA certificate, we also need to renew this certificate, or create a new certificate, for your tech's website.

    Question2:
    1: Should I create a new certificate again?
    A1: We have two methods:

    Method 1: first renew the root CA certificate, and then renew this certificate for your tech's website.
    Method 2: first renew the root CA certificate, and then create a new certificate for your tech's website.

    2: If not, how can I verify that certificate #1.0 is recognized by my deployed certificates now?
    A2: See A1.

    We can see that the validity of the current certificate for your tech's website is about two weeks (valid from and valid to).

    The renewed certificate for your tech's website will be signed with the new root CA certificate.

    The validity of the renewed certificate for your tech's website will change; it depends on the three values above.




    For example, in my test lab:

    This is the root CA certificate.

    Before I renew the root CA certificate, the following certificate is signed with certificate #2.

    After I renew the above certificate with the same key, the certificate is signed with the latest root CA certificate (certificate #5).

    3: Should I recreate a new certificate for my tech once this is fixed?
    A3: See A1.

    4: Is it possible that certificate #0 was deployed in AD but not certificate #1.0?
    A4:
    No, it should not be possible.

    If we renew the root CA certificate and then request new certificates or renew other existing certificates, the new and renewed certificates will be signed with this new root CA certificate. For more information, see A2.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 13, 2019 8:31 AM
    Moderator
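    An added check, not from the thread, for the verification question above (which CA certificate an issued certificate actually chains to, and how the "lesser of three values" rule plays out). It assumes the site certificate was exported to C:\temp\website.cer and that it runs on the CA server so the CertSvc registry key exists.

```powershell
# Added example (not from the thread). Assumptions: the web server certificate
# was exported to C:\temp\website.cer and the script runs on the CA server, so
# the CertSvc configuration key exists. Part (a) shows which CA certificate
# Windows actually chains the leaf to and when that chain stops being valid;
# part (b) reads the registry cap on issued-certificate lifetime from Answer1.
param([string]$LeafPath = 'C:\temp\website.cer')   # assumption: exported leaf

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafPath

# (a) Build the chain the way a relying party would. CryptoAPI selects the
# issuer by Authority Key Identifier, so this settles whether the site
# certificate references CA certificate #0 or #1 without reading the MMC.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the signer matters here
$built = $chain.Build($leaf)
$elements = $chain.ChainElements | ForEach-Object { $_.Certificate }
$elements | Select-Object Subject, Thumbprint, NotBefore, NotAfter | Format-Table -AutoSize

# The chain is usable only until the earliest NotAfter in it. If that element
# is the CA certificate, renewing or reissuing the leaf alone changes nothing.
$weakest = $elements | Sort-Object NotAfter | Select-Object -First 1
"Chain built OK: $built"
"Chain effectively expires $($weakest.NotAfter) because of: $($weakest.Subject)"
if (-not $built) {
    $chain.ChainStatus | ForEach-Object { "  status: $($_.Status) - $($_.StatusInformation)" }
}

# (b) Registry cap from Answer1 (the per-CA key under CertSvc\Configuration).
$cfg = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' |
       Select-Object -First 1          # one subkey, named after the CA
$props = Get-ItemProperty $cfg.PSPath
"CA '$($cfg.PSChildName)' caps new certificates at $($props.ValidityPeriodUnits) $($props.ValidityPeriod)"

# A request made today can never outlive the issuing CA certificate, whatever
# the template or the registry say; show how much CA lifetime is left.
$caCert = $elements | Where-Object { $_.Subject -eq $leaf.Issuer } | Select-Object -First 1
if ($caCert) {
    $daysLeft = [int]($caCert.NotAfter - (Get-Date)).TotalDays
    "Issuing CA certificate $($caCert.Thumbprint) expires $($caCert.NotAfter) ($daysLeft days left)"
}
```

    If the thumbprint in part (a) is the CA certificate that expires on 11-25-2019, the site certificate will stop validating on that date regardless of its own NotAfter, which is exactly the case the answer's method 1 and method 2 address.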
  • I see on my CA server an Enterprise PKI that comes with AD CS.

    I see the CA root certificate referencing my certificate #1:

    I also see that my CRL and CDP are about to expire.

    Will doing A2 fix that issue? What are the consequences of them not being renewed?

    When I right-click on the Enterprise PKI I see Manage AD Containers. The NTAUTHCERTIFICATES, AIA CONTAINER and CERTIFICATE AUTHORITIES CONTAINER tabs all have the two certificates #0 and #1 with the option to remove if wanted. What is the purpose of those, and can I delete the expired certificate?

    Right now my issue is that when using the A2 option you propose I get a security error, see the second pic below.

    Could I just go and do RENEW CA CERTIFICATE from the CA menu to fix the issue also? Sorry for all those questions, I just want to understand how this works.

    I also got an error when trying to renew the root certificate:

    • Edited by DanthePro Wednesday, November 13, 2019 8:47 PM
    Wednesday, November 13, 2019 4:54 PM
  • Hi,
    Thank you for your update and for marking my reply as the answer. I'm very glad that the problem has been solved.

    As always, if there is any question in the future, we warmly welcome you to post in this forum again. We are happy to assist you!



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 18, 2019 1:29 AM
    Moderator