Question

fhqwhgads-5872 asked:

What to do when your root certificate authority has already expired?

I've made it a habit to back up my two enterprise root CAs every 6 months, as well as renew their certificates (they have--or had--a 1-year expiry, which I have now changed). For some mysterious reason--maybe I saw something shiny--I did manage to back up one of these CAs but did NOT renew the certificate.

So, what do I do? I cannot renew the CA's cert because the CA's cert is expired.

Much thanks!

windows-server-security

Crypt32 answered:

I would decommission this CA, because it is no longer in use. When the CA certificate expires, all certificates down the chain are expired as well. Since you are unlikely to have issues other than the expired root CA, your CA has no use. Just decommission it: https://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx

BTW, 1yr root CA? Really?

fhqwhgads-5872 commented:

Yeah, well... I was reading some "best practices" at some point, since the CA was originally using SHA-1, so I kept the expiry time short... then forgot to lengthen it when I adopted SHA-384.

I'll see about decommissioning it & re-installing it. Turning the clock back didn't work because the CRLs were no longer valid. And the CA is used for server authentication and our VPN solution; but nobody's mentioned any issues yet.

As a bonus side note: I did dig back into the event logs for January when I thought I renewed the CA cert, and it turned out I did attempt it, but for some reason the older expired CA certs managed to cause an issue, so the renewal didn't go through. Damnedest thing. Should've verified back then that it had been successful. Lesson learned.

Evgenij-Smirnov answered:

Hi,

one solution could be setting the CA's clock backwards and renewing the cert. Or you just create a new CA cert and republish the CA.

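Added example (not code from anyone in this thread): a self-contained Go fixture that builds a 1-year root CA, a server certificate that on paper outlives it, and the root's last CRL, then checks what a verifier sees at different clock times. It shows Crypt32's point that an expired root fails chain validation even when the leaf's own dates look fine, and why the clock-back idea only appears to work while the clock also sits inside the CRL's ThisUpdate..NextUpdate window. The CA and server names are constructed sample data; Go 1.19 or later is assumed for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func try[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildPKI constructs sample data (not a real enterprise CA): a 1-year root ending at
// rootExpiry, a 2-year server cert that on paper outlives it, and the root's last CRL.
func BuildPKI(rootExpiry time.Time) (root, leaf *x509.Certificate, crl *x509.RevocationList) {
	start := rootExpiry.AddDate(-1, 0, 0)
	rootKey := try(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed Enterprise Root CA"}, NotBefore: start, NotAfter: rootExpiry,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root = try(x509.ParseCertificate(try(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafKey := try(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject: pkix.Name{CommonName: "vpn.example.internal"}, NotBefore: start, NotAfter: rootExpiry.AddDate(1, 0, 0)}
	leaf = try(x509.ParseCertificate(try(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: start, NextUpdate: rootExpiry}
	crl = try(x509.ParseRevocationList(try(x509.CreateRevocationList(rand.Reader, crlTmpl, root, rootKey))))
	return root, leaf, crl
}

// ChainValidAt reports whether leaf chains to root when the verifier's clock reads at.
// Go checks NotBefore/NotAfter on every certificate in the chain, the root included.
func ChainValidAt(root, leaf *x509.Certificate, at time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at})
	return err == nil
}

// CRLFreshAt reports whether the CRL is inside its ThisUpdate..NextUpdate window at at.
func CRLFreshAt(crl *x509.RevocationList, at time.Time) bool {
	return !at.Before(crl.ThisUpdate) && !at.After(crl.NextUpdate)
}
```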