Hi Vadims,

Thanks you for the detailed description on cert renewal, very useful.

I have a circumstance where I'll be renewing a root CA cert, but have no reason to renew the key pair as the PKI is planned for a major replacement in near future.  In the first paragraph you mentioned that a new CA cert can simply be published to the various AIA locations to replace the old, but then later you mention that the root CA will generate and publish multiple certs (e.g. rootcart.crt and rootcert(1).crt.  

Could I just clarify that in these circumstances with no new key pair, I can take the new cert file (e.g. rootcert(1).crt), rename it to remove the parathesis and index number, and then publish to the AIA locations replacing the old one?  So no need to retain the original cert in the AIA locations, no need to change anything in the extensions tab on the root CA properties etc?

Mike

Hi Vadims, If you could please give real test cert example how would cross certs would work Unable to understand how cross cert works

Hi Mike,

We were also under same confusion whether to rename the file or not, however, we have done this excercise recently, to observe that the 'cACertificate' attribute (which is a multi-valued attribute) of the 'certificationAuthority' object under AIA and/or CertificationAuthorities containers, will get appended with the new certificate rather than overwriting the existing certificate. So resulting in both old and renewed certificates available for clients.

Happy renewing.. 

 

 

Thanks Mohan, so it sounds like you published both the old and new certificates to AD and to the AIA locations?

Hi Vadims,

thanks for your article, very useful for us as well!

Just to correct a small typo: at the end of the "Renewal with new key pair" section there is a typo in the text which says "Run the following command on CA server to renew CA certificate and reuse existing key pair:", should state "with new key pair".

+1 here for always renewing Root CA with new key pair. We ran into an issue where Linux/NetApp NAS clients failed to validate server certificate (LDAP server in our case) issued by by Root CA with renewed certificate using an existing key pair, where both the "old/previous" Root CA and "new/renewed" Root CA certificate were present in the root CA trust store on the Linux/NetApp side and the "old" Root CA expired - the Linux/NetApp validated a valid server certificate (issued from the new/renewed Root CA) against the expired "old" Root CA, thus failing the validation due to "expired root CA cert" reason and effectively disrupting connection to LDAP server. Fixed by removing the "old" Root CA from the Linux/NetApp clients.

Fixed typo in text.

Hi Vadims,

thx for you article here. :-) One qeustion:

I renewed our 2 IssuingCAs last december and deploy them through AD to the clients and servers. NT Auth and AIA Cert contains now both certs. Now, at 08.07.20, the issuing CAs are going to expired. My question is, should i remove the old CA cert with PKIVIEW BEFORE this date or should i let this entry like it is and not deleting it? I have read in the web, if you use 802.1x Auth for LAN an WLAN, it could be happend, that the Windows Radius choose the wrong chain certificate and then the auth of the clients will fail. For Radius Auth, i used a new NAP Cert with is valid to 2022. So the new chain is in place and working. We have MAC and Windows 10 Clients here.

So i think its required to delete this old NT AUTH Cert and AIA Certs. But im not sure to do this. Can you tell me, what i should do? I would not break th INF, so i do testing in a lab. Cloneing the DCs on ESXi and delete those certificates with PKIView. No issue happend, auth works, gpupdate and ssl validation of websites etc... I still have recreated the OCSP check on production INF with the new Issuing CA cert...this works fine. But testing and production are 2 pairs of shoes...and we all know Mr. Murphy... :-)

Im scared about the 08.07.20, when the CA is going to expired... What are you doing in a case like this? 

BR

Rene´

> should i remove the old CA cert with PKIVIEW BEFORE this date or should i let this entry like it is and not deleting it?

It depends, but my recommendation is to leave them as is.

> I have read in the web, if you use 802.1x Auth for LAN an WLAN, it could be happend, that the Windows Radius choose the wrong chain certificate and then the auth of the clients will fail.

NEVER reuse keys during CA renewal to avoid this. Check Recommendations section in this blog post.

Hi, thx for you answer. OK, leave them as it is sounds good, but what i have to do on 08.07 when its expired? Delete them or not? In my lab, everything works. But 802.1x its not possible to test in my local LAN without any GW and routing. I inspected the EAPOL frames with wireshark. This showed me, that the new CA Certs will be used to validate. The server hello and the client hello showed the right issuing ca cert to me... so i think it have to work.I rollout all new certs to the clients and servers with gpo... on our MACs during Catalina upgrade, we deleted all old certs and recreated the computer cert. This works fine, 802.1x and cert based vpn auth. have no issues. NPS Server cert is also in place with a new cert... so it should be working... everthing... on 08.07. i will see it :-) BR Rene´

Hi Vadims,

Thanks, your blog very useful.

 I'm trying to renew CA certificate and reuse existing key pair. After runnig command certutil -renewCert ReuseKeys on CA server I get the following error:
CertUtil: -renewCert command FAILED: 0x80090016 (-2146893802)
CertUtil: Keyset does not exist

When I try to create backup with command certutil -v -backup c:\bkpca I get error also:
CertUtil: -backup command FAILED: 0x80090008 (-2146893816)
CertUtil: Invalid algorithm specified.

CA server was migrated from win 2003 to 2008R2 KSP and SHA2. There is one current and two expired CA certificates in CA General tab.
Expired CA certificates has Siganture algorithm sha1RSA. The oldest one has CSP provider and shows Encryption test FAILED when I run certutil -store my.

Is it possible that certutil -renewCert ReuseKeys trying to check old CA certificates as well and fails ? How can I point CertUtil to renew only current CA certificate ?

 

First of all, reuse of existing keys is NOT a recommended practice. Even if you use HSM.

I'm not sure about exact behavior of '-renewCert', but I would expect it to take the most recent CA certificate and its key to be used as template. What I suspect is that your transition from SHA1 CSP to SHA2 KSP wasn't that successful and there are pending issues. I would suggest to address this issue in PKI forum on TechNet Q&A.

Hi Vadims - Thanks for the post.

I have a related question for which i have not been able to find an answer.

There is a issuing CA which was renewed with same keys long time back and in the AIA and on client machines in the domain both CA certs are there. They both have longer validity but the version 1 (sha256) is whats being used to issue certs for at least 6 years now.

I want to remove the older version (sha1) from AIA so its removed from all client machines as this cert has cdp and aia pointing to a old server that is to be decommissioned. My question is whether its ok to remove the version 0 of the issuing CA cert from AIA and other containers. Would it cause any issue for the version 1 CA cert?

Your advice on this would be great. Thanks.

I have a question, I was looking and testing the renewal of my root certificate. I was going thorught the wizard and accidently renew it with a new key pair. I was not ready to renew. Is there a way to remove the renewal? The current certificate does not expires yet and I needed to talk to my boss to see what direction he wanted to go. What would happen if I renew again and use the same key pair? I'm nerous now, because my intentions was not to renew yet, all I suppost to do was to find out how we wanted to go about it when it expires. Hopefully I can remove the renewal.

> Is there a way to remove the renewal?

no. You have to restore CA from backup.

> What would happen if I renew again and use the same key pair?

it makes little sense, since next renewal will reuse NEW key pair you just generated.

I have a question regarding IntermediateCA certificate renewal

This is 3 tier PKI hierarchy -- Root(offline) -> Intermediate (offline) CA -> Issuing (online) CAs

Once certificate issued from RootCA (using new Key Pair) and installed/issued on Intermediate CA --

 

New CeRT/CrOSS CeRT

Will this create cross-sign certificates(0-1, 1-0) for SubCA,  in addition to the new cert on IntermediateCA under CertSrv >> CertEnroll folder ?

 - if yes then do we need to publish ""certutil -f -dspublish" the new Cert and cross-sign certificate on Domain Controllers considering the Intermediate CA is offline. 

or only copying the new Cert file to AIA/CDP will work --- how to deal with this cross-sign certificates .. are they also need to be copied to AIA/CDP publish locations

 

New CRL

For new CRL, do this need to be published as well using "certutil -f -dspublish" or just coping to AIA/CDP publish location is required only.

Coping the new CRL to AIA/CDP will replace the old CRL .. so will there be any impact ? as the existing certificate is still referring to the old CRL file ... how this going to work

> Will this create cross-sign certificates(0-1, 1-0) for SubCA

no, it won't. Cross-certificates are created only during Root CA renewal with new key pair. For intermediate CA certificates cross-certificates are not generated. You only need to copy new CA certificate to AIA location.

> For new CRL, do this need to be published as well using "certutil -f -dspublish" or just coping to AIA/CDP publish location is required only.

CA will automatically publish new CRL when needed and copy it to CDP locations.

> Coping the new CRL to AIA/CDP will replace the old CRL

It shouldn't. A new separate CRL is generated instead. Eventually, you get two separate CRLs for each CA signing key.

> as the existing certificate is still referring to the old CRL file ... how this going to work

yes, that's how things work. Old certificates will refer to CRL signed using old CA key and new certificates will refer to new CRL signed using new CA key.

Thanks Vadim for your prompt response and sharing useful info

So the summary for Intermediatie (offline)

• Renew Certificate from RootCA - Once installed it on Intermediate, it will create 2 new files (IntCA(1).CRT & IntCA(1).CRL) under CertSrv >> CertEnroll folder
• IntCA(1).CRT file need to be copied to AIA location
• IntCA(1).CRL file need to be copied to CDP location
  • On CDP location, there will be now 2 CRL files (IntCA.CRL & IntCA1.CRL) - Just want to understand this .. how CA extentsion select or refer to the correct file as there are now 2 CRLs in CDP Container  <CaName><CRLNameSuffix>.CRL --  what if I rename the existing"IntCA.CRL_old.crl"  - will this work as new CRL is in the containor now ..? 

For IssuingCAs,  as they are online so no manual copying is requried for their CRLs to CDP location - Since they have been renewed twice already. 

• I found there are now 3 (IssCA, IssCA1, IssCA2) CRLs files and all of them update/publish every week ...I don't understand  why other  2 old CRLs keep updating .. is it because they are still in CERTENrol folder and CDP Shared folder ..?

 

I see you already have a thread on Microsoft Q&A: https://docs.microsoft.com/answers/questions/291995/renewing-intermediate-ca-certificate-pki-1.html, so let's continue there.

Thanks for your responce. I renewed the certificate with a new key.

When I run, certutil -dspublish XXXCA(2).crl

I get:

PS C:\Windows\system32\certsrv\certenroll> certutil -dspublish vcuCA(2).crl
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Could not load Certificate or CRL from file (The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_
NOT_FOUND))
CertUtil: -dsPublish command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.

On pkiview:

CDP Location #1 Unable to Download the the ldap location url string.

DeltaCRL Locaiton#1 Unable To Download and the location url string.

From what I know, the cert server is 2016, but at one point the cert server was 2018 and got migrated over. 

I have search and search and do not find the correct instructions on how to proceed. I was hoping someone here has any idea or has experience the same issue.

When I right click on the new cert and look at it's properties, the URL=http:// points to the old server, under the CRL Dirstribution Points.

please help, the existing cert expires end of this month.

 

Hi Vadim,

we renewed a subca with new keypair, with its keys on HSM. there is a entry on previous cert hash the shows the thumbprint of previous cert 

the previous cert expired some 10 months ago, there are no clients chained up to it  Now, we thought, we could get rid of the previous cert keypair from HSM, as its not involved in any crypto 

However, after deleting the old cert key, the CA wouldnt start, citibg a NTE bad keyset error pointing to old cert private key 

What is the remedy here, to start the CA and tell it to not bother looking for old key tht has expired  ? 

thanks.

Hi

 

we renewed with same key, but the sub ca created a second public certificate, with a begin date of today.

but your article states there will be the same certificate with the same start date from the past of the initial sub ca cert. 

the new end date was update correctly, but the start dates do not match.

the subject key identifier are the same on both certs!

We used Windows Server 2016 paired with HSMs

> but your article states there will be the same certificate with the same start date from the past of the initial sub ca cert.

This is not correct. This article applies only to root CAs. This behavior doesn't apply to subordinate CAs. Once you renew your subordinate CA, its start date will match signing time.

I have a question please vadims, thank you

If a client is not joined to Active Directory (standalone Windows or Linux server for example), I assume they cannot reach the LDAP location to download the Cross Certificates?

If so would adding the following extension when renewing the Root CA cert. Then publishing the cross certificates at the locationd below, solve the issue for non-LDAP client (assuming they support/read this extension.

[CrossCertificateDistributionPointsExtension]
SyncDeltaTime = 800
URL = http://MyIIS.Domain.local//ccdp/CAName(0-1).crt
URL = http://MyIIS.Domain.local/ccdp/CAName(1-0).crt

Thank you

I'd like use the below link to configure OCSP after renewing my CA with a new key pair, but the link doesn't work :( do you have some of those descriptions?

if you do need to renew your CA Certificate with a new key pair you do need to setup a new Revocation Configuration to support that new key. Instructions for configuring a Revocation Configuration are available here: http://blogs.technet.com/b/askds/archive/2009/06/29/implementing-an-ocsp-responder-part-iii-configuring-ocsp-for-use-with-enterprise-cas.aspx.

 

> I'd like use the below link to configure OCSP after renewing my CA with a new key pair, but the link doesn't work

Microsoft retired original TechNet/MSDN blogs. However you can use web archive to get archived versions of these blogs.