AD CS Expired Root CA

bizcntradmin 191 Reputation points
2020-08-02T06:50:59.43+00:00

We have a 2-tier PKI environment. Every time I add a server to the domain, 2 expired root certificates appear in the Intermediate CA store of the new server.

One is from the Cross Certification Authority certificate template and the other is from the Root Certification Authority template; both are expired.

We previously had a cross-certification to another PKI, but it is already decommissioned.

I would like to know how to stop new computers from getting those certificates, and whether there is a way to clean up the production servers that already have the expired certificates.


1 answer

  1. Hannah Xiong 6,231 Reputation points
    2020-08-03T03:37:51.657+00:00

    Hello,

    Thank you so much for posting here.

    According to your description, every time we add a server to the domain, 2 expired certificates appear in the Intermediate CA store. For example:

    [screenshot: 15024-1.png]

    As mentioned, the expired certificates are Cross CA and Root CA.

    [screenshot: 15105-2.png]

    Firstly, we need to figure out how the computers get the certificates. If they arrive automatically, we could check by running "gpresult /h" to get a detailed Group Policy result report, then check whether there is any GPO that delivers the certificates to the computers.

    Besides, we could check the expired certificates and make sure that they are not the Root CA certificate and the Intermediate CA certificate themselves. What I mean here is that the expired certificates could be certificates issued by the Root CA and the Intermediate CA.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

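The inventory step the answer describes (find the expired certificates in the Intermediate CA store, see whether they are self-signed roots or cross-certificates, and work out where they come from) can be scripted. The following PowerShell is an added example written for this page; it is not code from the thread's participants. It assumes it is run elevated on a domain-joined server with the RSAT ActiveDirectory module installed, and that the certificates are distributed by autoenrollment from the forest's Public Key Services containers (certificationAuthority objects whose cACertificate or crossCertificatePair attributes hold the DER-encoded certificate) rather than by a GPO; anything not found there is flagged so that the "gpresult /h" check in the answer can be applied. The cleanup at the end is a dry run (-WhatIf) and only touches the local store.

```powershell
# Added example (not from the original thread). Inventory expired certificates in the
# local Intermediate CA store and match them against the certificates published in
# the Active Directory Configuration partition. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Expired certificates in LocalMachine\CA (the "Intermediate Certification Authorities" store).
$now     = Get-Date
$expired = Get-ChildItem -Path Cert:\LocalMachine\CA | Where-Object { $_.NotAfter -lt $now }

# Certificates published in CN=Public Key Services (AIA, Certification Authorities, etc.).
# cACertificate holds a CA's own certificate; crossCertificatePair holds cross-certificates
# such as the ones a cross-certification to another PKI leaves behind.
$pks = 'CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
$published = @{}   # thumbprint -> distinguished name of the AD object that publishes it

$adCAs = Get-ADObject -SearchBase $pks -SearchScope Subtree `
    -LDAPFilter '(objectClass=certificationAuthority)' `
    -Properties cACertificate, crossCertificatePair

foreach ($obj in $adCAs) {
    foreach ($blob in @($obj.cACertificate) + @($obj.crossCertificatePair)) {
        if ($null -eq $blob) { continue }
        try {
            $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
            $published[$c.Thumbprint] = $obj.DistinguishedName
        } catch {
            # Attribute value that is not a plain DER certificate; ignore it.
        }
    }
}

# Report: kind of certificate and where it appears to come from.
$report = foreach ($cert in $expired) {
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $source = if ($published.ContainsKey($cert.Thumbprint)) {
        'AD: ' + $published[$cert.Thumbprint]
    } else {
        'not published in AD PKI containers (check GPO with gpresult /h, or manual import)'
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Kind       = if ($selfSigned) { 'root (self-signed)' } else { 'cross-certificate / subordinate CA' }
        Source     = $source
    }
}
$report | Format-List

# Local cleanup, dry run only: remove -WhatIf once the report has been reviewed.
foreach ($cert in $expired) {
    Remove-Item -Path ("Cert:\LocalMachine\CA\" + $cert.Thumbprint) -WhatIf
}
```

Read the Source column first: if an expired certificate maps to an object under CN=AIA or CN=Certification Authorities, every new domain member will keep downloading it until the stale value is removed from that AD object (a change to the Configuration partition, so test it in a lab and take a backup of the object beforehand); deleting it from the local store alone only fixes the one server. If it is not published in AD, the answer's GPO check is the next place to look.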