AdamTyler-3751 asked DaisyZhou-MSFT commented

No certificate after "Renew CA Certificate" operation.

Hello, we have a Single Windows 2012 R2 server which is a dual role domain controller and Root CA for our internal Windows domain. Our current root certificate is going to expire soon and I am trying to renew it. Our environment is very basic, we have a single CA and only use certificates for LDAPs when communicating with Domain Controllers. We currently are not issuing certificates to workstations.

After opening the certsrv console and choosing "Renew CA Certificate.." I am asked to stop AD Certificate services, I select yes then get a prompt asking me if I want to rekey the cert, I choose "no" here. Our keys are not compromised, I am just trying to extend it.

The operation appears to complete successfully, but upon right click > properties of the root CA, there is no change to the root certificate list. A new cert is never issued and the existing cert (Certificate #2) is still listed with the old expiration date.

Additionally, we have an old expired certificate and I can't figure out how to delete it. Any ideas?
(screenshot: image.png)


windows-server-security
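An added example, not part of the original post: a PowerShell inventory of the certificates the CA itself holds, taken before and after "Renew CA Certificate", so that "no change" is confirmed from thumbprints rather than from the console list alone, and so that a renewal that did produce a new certificate can be checked for key reuse. It assumes it runs on the CA as a CA administrator with certutil on the PATH; the function names are the author's choices, and `certutil -renewCert ReuseKeys` is the command-line equivalent of answering "No" to the rekey prompt.

```powershell
# Added example, not from the original thread.
# Inventories every certificate the local CA holds (certutil -ca.cert <file> <index>)
# and compares two inventories taken before and after "Renew CA Certificate".
# Assumes: runs on the CA as a CA administrator; certutil is on the PATH.

function Get-CaCertificateInventory {
    [CmdletBinding()]
    param(
        # Optional "Host\CAName"; not needed when running on the CA itself.
        [string]$Config
    )
    $cfgArgs = if ($Config) { @('-config', $Config) } else { @() }
    $result  = @()
    $index   = 0
    while ($true) {
        $file = Join-Path $env:TEMP "cacert_$index.cer"
        # certutil returns a non-zero exit code when there is no certificate at $index.
        & certutil @cfgArgs -ca.cert $file $index *> $null
        if ($LASTEXITCODE -ne 0) { break }

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
        Remove-Item $file -ErrorAction SilentlyContinue

        # Hash the encoded public key: certificates that share a key pair get the same value,
        # so "renewed with the same key" and "rekeyed" are distinguishable at a glance.
        $sha     = [System.Security.Cryptography.SHA256]::Create()
        $keyHash = ([BitConverter]::ToString($sha.ComputeHash($cert.PublicKey.EncodedKeyValue.RawData)) -replace '-', '').Substring(0, 16)

        $result += [pscustomobject]@{
            Index      = $index
            Serial     = $cert.SerialNumber
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            SigAlg     = $cert.SignatureAlgorithm.FriendlyName
            KeyHash    = $keyHash
        }
        $index++
    }
    return $result
}

function Compare-CaCertificateInventory {
    param([object[]]$Before, [object[]]$After)
    $new = @($After | Where-Object { $Before.Thumbprint -notcontains $_.Thumbprint })
    if ($new.Count -eq 0) {
        $newest = ($After | Sort-Object NotAfter | Select-Object -Last 1).NotAfter
        Write-Warning ("No new CA certificate: the CA still holds {0} certificate(s); the newest expires {1:d}." -f $After.Count, $newest)
        return
    }
    foreach ($c in $new) {
        $key = if ($Before.KeyHash -contains $c.KeyHash) { 'same key pair (renewed without rekey)' } else { 'new key pair (rekeyed)' }
        'New CA certificate #{0}: serial {1}, valid {2:d} to {3:d}, {4}' -f $c.Index, $c.Serial, $c.NotBefore, $c.NotAfter, $key
    }
}

# Usage: snapshot, renew, snapshot, compare.
$before = Get-CaCertificateInventory
$before | Format-Table Index, Serial, NotBefore, NotAfter, SigAlg, KeyHash -AutoSize

# Command-line equivalent of "Renew CA Certificate" with "No" to the rekey prompt.
# It changes the CA, so try it on the cloned lab CA first; uncomment to run.
# certutil -renewCert ReuseKeys

$after = Get-CaCertificateInventory
Compare-CaCertificateInventory -Before $before -After $after
```

Run the two snapshots around the console operation (or the commented certutil line) and keep the "before" table: if the count and thumbprints are unchanged, the renewal did not write a certificate, and the Windows event log of the CA service is the next place to look rather than the certificate stores.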

Hello @AdamTyler-3751,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @AdamTyler-3751,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered DaisyZhou-MSFT commented

Hello @AdamTyler-3751,

Please check whether your PKI environment is healthy.

Open PKIview.msc and check that the status of all entries is OK.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


It's healthy... I cloned this setup into an isolated dev environment and the only way I can get a new cert is by selecting the option to generate a new key. I have tried deleting everything I can find across certificate stores within different user contexts and PKIview for the older certs, they always remain, cannot remove them no matter what I try.

Regards,
Adam Tyler


Hello @AdamTyler-3751,

What error message did you receive when you could not delete the expired certificate?

Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered AdamTyler-3751 commented

Hello @AdamTyler-3751,

Thank you for posting here.

Based on the description, I understand you have a one-tier Enterprise PKI, with AD CS installed on a DC. Now you want to renew the root CA certificate.

Did you mean you already had the three root CA certificates below before the "Renew CA Certificate" operation above?

Certificate #0 (Expired)
Certificate #1
Certificate #2

If so, was there any error message during "Renew CA Certificate" operation above?

If not, would you please show us the "Valid from" and "Valid to" of both Certificate #1 and Certificate #2?

For example:

(screenshot: pki2.png)


Q: Additionally we have an old expired certificate and I can't figure out how to delete. Any ideas?
A: To delete the expired root CA certificate, open PKIview.msc on the Enterprise CA server (the domain controller), right-click Enterprise PKI and select "Manage AD Containers",

then check every tab in "Manage AD Containers" for the expired Certificate #0 and remove it where you find it.

(screenshot: pki3.png)


Tip: the serial number is the only unique identifier of a certificate. Compare the serial number before deleting, so that the wrong certificate is not deleted by mistake.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

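An added example, not part of the answer above: a read-only PowerShell listing of the CA certificates published in the forest's Public Key Services containers (the same objects that "Manage AD Containers" in PKIview.msc shows), with the serial number of each, so that an expired entry can be matched by serial before it is removed. It assumes it runs on a domain-joined host as a user who can read the Configuration partition; the function name is the author's choice.

```powershell
# Added example, not from the original thread.
# Read-only listing of the CA certificates published in Active Directory under
# CN=Public Key Services (what "Manage AD Containers" in PKIview.msc shows), with
# the serial number of each so that an expired entry can be matched before removal.
# Assumes: domain-joined host; the user can read the Configuration partition.

function Get-PublishedCaCertificates {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'][0]
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # Container name -> whether the certificate blobs sit on one child object per CA
    # (Certification Authorities, AIA, Enrollment Services) or on the container itself (NTAuthCertificates).
    $targets = @(
        @{ Name = 'Certification Authorities'; OnChildren = $true  }
        @{ Name = 'AIA';                       OnChildren = $true  }
        @{ Name = 'Enrollment Services';       OnChildren = $true  }
        @{ Name = 'NTAuthCertificates';        OnChildren = $false }
    )

    foreach ($t in $targets) {
        $container = [ADSI]"LDAP://CN=$($t.Name),$pkiBase"
        $objects   = if ($t.OnChildren) { @($container.Children) } else { @($container) }
        foreach ($obj in $objects) {
            $dn = $obj.Properties['distinguishedName'][0]
            # cACertificate is multi-valued; each value is one DER-encoded certificate.
            foreach ($blob in $obj.Properties['cACertificate']) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
                [pscustomobject]@{
                    Container = $t.Name
                    Object    = $dn
                    Subject   = $cert.Subject
                    Serial    = $cert.SerialNumber
                    NotBefore = $cert.NotBefore
                    NotAfter  = $cert.NotAfter
                    Expired   = ($cert.NotAfter -lt (Get-Date))
                }
            }
        }
    }
}

# Usage: everything, then only the expired entries with the DN you would clean up.
$all = Get-PublishedCaCertificates
$all | Sort-Object Container, NotAfter | Format-Table Container, Subject, Serial, NotAfter, Expired -AutoSize
$all | Where-Object Expired | Select-Object Container, Object, Serial
```

The command-line equivalent of the "Manage AD Containers" removal is `certutil -viewdelstore` pointed at the object's cACertificate attribute, for example `certutil -viewdelstore "ldap:///<object DN from the listing>?cACertificate?base?objectClass=certificationAuthority"`, which opens a picker showing each value's serial number. Note the scope of such a cleanup: it removes the published copy from AD only. The list under the CA's Properties in certsrv is the CA's own certificate history, and a CA retains every previous CA certificate so that it can keep signing CRLs for certificates issued under them, so an expired "Certificate #0" stays in that list after the AD objects are cleaned up.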

Hello, yes so I have “renewed” this CA’s root cert once before years ago. That is where “Certificate #1” and “Certificate #2” came from.

If memory serves, I created each using the rekey option.
(screenshot: image.png)

Certificate #1 used an older cipher and some of the devices we use LDAPs authentication with were complaining. So Certificate #2 was created. Here is a side by side comparison of each.
(screenshot: image.png)


(screenshot: image.png)

When I choose “Renew CA Certificate” now and do not select rekey, there is no output or error of any kind. It just completes and the certificate services start. No changes at all.

I have already been over pkiview and the certificate snap in using MMC, deleted all instances of the old cert. It is still displayed.

Regards,
Adam Tyler


HakanFagnell answered AdamTyler-3751 commented

Did you check here? : change-certificates-expiration-date



I've done quite a bit of research, but I don't think I have checked these registry values. Looks like they are currently set to 2 years. Not sure that changes anything. The expired cert that is present in the UI has been expired since 2016. The current root cert will expire in about 6 months. How does a registry change help again? If going through the renew operation actually worked, maybe it would extend the validity period, but it doesn't, so.........

Regards,
Adam Tyler

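An added example, not part of the exchange above: a PowerShell check of which setting governs which lifetime, because the CertSvc registry values ValidityPeriod and ValidityPeriodUnits only cap the certificates the CA issues, while the lifetime of a renewed root CA certificate comes from RenewalValidityPeriod and RenewalValidityPeriodUnits in the [certsrv_server] section of %SystemRoot%\CAPolicy.inf, which the CA reads when its certificate is renewed. It assumes it runs on the CA; the function names are the author's choices and the CAPolicy.inf text is a constructed sample.

```powershell
# Added example, not from the original thread.
# Two different settings decide two different lifetimes:
#   - CertSvc registry ValidityPeriod/ValidityPeriodUnits: the longest lifetime of certificates the CA ISSUES;
#   - CAPolicy.inf [certsrv_server] RenewalValidityPeriod/RenewalValidityPeriodUnits (in %SystemRoot%):
#     the lifetime of the CA's OWN certificate when it is renewed.
# Assumes: runs on the CA. The CAPolicy.inf text below is a constructed sample.

function Get-CaIssuedCertValidity {
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfgKey).Active          # name of the active CA instance
    $ca     = Get-ItemProperty -Path (Join-Path $cfgKey $caName)
    [pscustomobject]@{
        CA                 = $caName
        IssuedCertValidity = '{0} {1}' -f $ca.ValidityPeriodUnits, $ca.ValidityPeriod   # e.g. "2 Years"
    }
}

function Get-CaPolicyRenewalValidity {
    param([string]$Path = (Join-Path $env:SystemRoot 'CAPolicy.inf'))
    if (-not (Test-Path -Path $Path)) { return 'no CAPolicy.inf: the CA renews with its built-in default' }
    $section = ''; $units = $null; $period = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; continue }
        if ($section -ne 'certsrv_server') { continue }
        if     ($line -match '^RenewalValidityPeriodUnits\s*=\s*(\d+)') { $units  = [int]$matches[1] }
        elseif ($line -match '^RenewalValidityPeriod\s*=\s*(\w+)')      { $period = $matches[1] }
    }
    if ($units -and $period) { '{0} {1}' -f $units, $period } else { 'RenewalValidityPeriod not set in [certsrv_server]' }
}

# Constructed sample CAPolicy.inf for a 10-year renewed root certificate.
# RenewalKeyLength only takes effect when the renewal generates a new key (rekey).
$sample = @'
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=4096
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=Years
'@
$samplePath = Join-Path $env:TEMP 'CAPolicy.sample.inf'
Set-Content -Path $samplePath -Value $sample

Get-CaIssuedCertValidity
'Renewal validity from the sample file: ' + (Get-CaPolicyRenewalValidity -Path $samplePath)
'Renewal validity on this CA:            ' + (Get-CaPolicyRenewalValidity)
```

The second line of output is what a renewal on this CA would use; a CAPolicy.inf with the [certsrv_server] values must be in place in %SystemRoot% before "Renew CA Certificate" is run for it to take effect, and changing the registry ValidityPeriod values afterwards alters only what the CA issues, not the root certificate's own expiry.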