Failed to renew RootCA , Certificate #0(expired)

WCalvinW 21 Reputation points
2020-11-11T01:33:44.927+00:00

There are 2 CA certificates in the RootCA store:
(screenshot of the CA certificate list)

Certificate #0 (expired)

Certificate #1

My certificate #1 is almost expired (11/11/2020), and when I try to renew the expiring cert, the following error shows:

A certificate in the chain for CA certificate 0 for mtahk-XXX-CA has expired. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).

It seems that Certificate #0 doesn't allow me to renew the RootCA cert. Can I remove it? What should I do now? Please help.

thanks !

Calvin

Windows Server Security

Accepted answer
  1. Hannah Xiong 6,276 Reputation points
    2020-11-11T08:04:58.027+00:00

    Hello Calvin,

    Thank you so much for your kind reply.

    Using the command certutil -renewCert to renew the CA certificate will generate a new key pair. If a new key pair is generated, many things in the CA cert change. For example, the new public key will produce a different Subject Key Identifier (the hash of the public key).

    In my test, Certificate #1 was renewed via the command, which generated a new key pair. Certificate #2 was renewed without choosing to generate a new key pair. So Certificate #1 has a different Subject Key Identifier from Certificate #0, while Certificate #2 has the same Subject Key Identifier as Certificate #1.

    For example:

    (four screenshots of the certificate details, comparing the Subject Key Identifier fields)

    As for Renewal with existing key pair or Renewal with new key pair, we could refer to:

    Root CA certificate renewal
    https://www.sysadmins.lv/blog-en/root-ca-certificate-renewal.aspx

    As per my research, there shouldn't be anything to worry about when the old one expires, as the new cert is valid and distributed. Anything new will come from that one and all the certs signed by the old one will be expiring at the same point or before anyway.

    We should not remove existing (even expired) CA certificates. Even if there are multiple valid CA certs, only the most recent CA certificate is used for certificate signing.

    As for our issue, it seems to be a little special and maybe very urgent. We really hope the issue can be resolved as soon as possible. Looking forward to the good news.

    Besides, have we checked PKI view to make sure everything is OK?

    (screenshot of the PKIView console)

    Anyway, I sincerely hope our issue could be resolved soon and everything works fine later.

    Thank you so much for your understanding and support.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

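The accepted answer turns on the Subject Key Identifier: a renewal with the existing key pair keeps the same SKI as its predecessor, a renewal with a new key pair gets a new one, and every issued certificate names its signing CA certificate by that SKI in its Authority Key Identifier. The following PowerShell is an added example, not code from the thread or from Microsoft: it lists each generation of the CA certificate in the local machine Root store with its validity and SKI/AKI so the "Certificate #0 / #1 / #2" generations can be matched up. The CA name 'mtahk-XXX-CA' is taken from the error text in the question; substitute your own CA's CN.

```powershell
# Added example (not from the original thread). Lists every certificate for the
# named CA in the local machine Root store with its validity state and the
# Subject Key Identifier / Authority Key Identifier extensions.
# Assumption: run on the CA itself or on a domain member that trusts it.
function Get-CaCertGenerations {
    param([Parameter(Mandatory)][string]$CaName)

    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CaName*" } |
        Sort-Object NotBefore |
        ForEach-Object {
            $cert = $_
            # OID 2.5.29.14 = Subject Key Identifier, OID 2.5.29.35 = Authority Key Identifier
            $ski = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
            $aki = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }

            $state = if ($cert.NotAfter -lt $now)              { 'EXPIRED' }
                     elseif ($cert.NotAfter -lt $now.AddDays(30)) { 'EXPIRING' }
                     else                                         { 'OK' }

            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
                State      = $state
                # Format($false) renders the extension value on one line
                SKI        = if ($ski) { $ski.Format($false) } else { '(none)' }
                AKI        = if ($aki) { $aki.Format($false) } else { '(none)' }
            }
        }
}

# 'mtahk-XXX-CA' is the CA name shown in the question's error message; replace it.
Get-CaCertGenerations -CaName 'mtahk-XXX-CA' | Format-Table -AutoSize
```

Two consecutive rows with the same SKI are one key pair renewed in place (the answer's Certificate #1 and #2); a row with a new SKI is a renewal with a new key pair, and only certificates issued after that point will chain to it through their AKI. That is why the expired generation must stay in place: certificates it signed still look for its SKI when the chain is built. Renewal with the existing key pair is done on the CA with certutil -renewCert ReuseKeys; omitting ReuseKeys produces the new-key-pair case.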

3 additional answers

Sort by: Most helpful
  1. Hannah Xiong 6,276 Reputation points
    2020-11-11T05:40:09.773+00:00

    Hello,

    Thank you so much for posting here.

    According to the below article, we cannot renew a certificate that has already expired.

    "You cannot renew a certificate that has already expired. If you try to renew a certificate that has expired, the certification authority (CA) will reject the request, and you will see an error message similar to "Error Verifying Request Signature or Signing Certificate. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." This message will also be displayed in the Failed Requests node of the issuing CA. If your certificate has already expired, you must request a new certificate instead of renewing the existing certificate."

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725583(v=ws.11)?redirectedfrom=MSDN

    As for our issue, when we renew the CA certificate, we choose to renew it with the existing key pair, right?

    We can try to remove the expired CA certificate from Active Directory to check whether it solves the problem.

    On the CA server (or wherever the CA management tools are installed), run the PKIView.msc console. Right-click the Enterprise PKI node and select Manage AD Containers. Switch to the Certification Authorities tab and remove the expired CA certificate. Then switch to the AIA tab and remove the expired CA certificate (if it is there). After the next group policy refresh, the expired certificate should be removed from clients.

    Similar case for your reference: https://social.technet.microsoft.com/Forums/ie/en-US/48958ec4-330e-43df-9ecf-6d23a6c05b7b/how-to-remove-an-expired-certificate-from-a-rootca?forum=winserversecurity

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


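The answer above edits the Certification Authorities and AIA containers through the PKIView GUI. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the same two containers under CN=Public Key Services in the forest configuration partition and reports every published CA certificate with its expiry, so you can confirm what is actually in AD before and after a removal. It is read-only and uses the ADSI objects built into Windows PowerShell; it assumes you run it as a domain user on a domain-joined machine.

```powershell
# Added example (not from the original thread). Reads the CA certificates
# published in the forest's "Certification Authorities" and "AIA" containers,
# the objects that PKIView's "Manage AD Containers" dialog edits, and reports
# which of them are expired. Read-only; makes no changes to AD.
# Assumption: run on a domain-joined machine as a user who can read the
# configuration partition (any authenticated user can, by default).
function Get-PublishedCaCerts {
    $rootDse  = [adsi]'LDAP://RootDSE'
    $configNC = $rootDse.Properties['configurationNamingContext'][0]
    $pks      = "CN=Public Key Services,CN=Services,$configNC"
    $now      = Get-Date

    foreach ($containerName in 'Certification Authorities', 'AIA') {
        $container = [adsi]"LDAP://CN=$containerName,$pks"
        foreach ($obj in $container.Children) {
            # cACertificate is multi-valued: one DER-encoded blob per published CA cert
            foreach ($der in $obj.Properties['cACertificate']) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                                   -ArgumentList (,[byte[]]$der)
                [pscustomobject]@{
                    Container  = $containerName
                    Object     = $obj.Properties['cn'][0]
                    Subject    = $cert.Subject
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    Expired    = ($cert.NotAfter -lt $now)
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

Get-PublishedCaCerts | Sort-Object Container, Object, NotAfter | Format-Table -AutoSize
```

Run it once before touching PKIView to record what is published, and again afterwards to confirm the removal took effect in AD; the change reaches clients only after group policy refresh, as the answer notes. Removing an entry here does not change the CA's own list of its certificates, which is what certutil -cainfo on the CA server reports, so the expired generation can still show up there.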

  2. WCalvinW 21 Reputation points
    2020-11-11T06:36:34.513+00:00

    Thanks for your reply and suggestion.

    I've tried both suggested options and still no luck; the expired certificate #0 is still there and I still cannot renew certificate #1.


  3. WCalvinW 21 Reputation points
    2020-11-11T06:41:30.22+00:00

    As the deadline is near (the cert will expire on 11.11.2020 17:38, and it is now 11.11.2020 14:38 on our side), I would like to ask: can I build another Enterprise CA server on another Windows server and disable the existing CA server in the domain? Will any impact occur?

    Calvin
