Having issues renewing Enterprise CA certificate

Julian Haines 0 Reputation points
2023-01-31T16:37:05.51+00:00

I have just renewed my Root CA certificate and am having issues renewing my Enterprise CA certificate.

My setup is an offline Root CA with an online issuing CA server.

When I do the renewal nothing happens and I get the following in the Event logs.

I am renewing with the same private and public keys. Would changing them help, or do I need to remove the expired certificates first?

A certificate in the chain for CA certificate 1 for xxxx Enterprise CA has expired. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495 CERT_E_EXPIRED).

A certificate in the chain for CA certificate 0 for xxxx Enterprise CA has expired. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495 CERT_E_EXPIRED).


3 answers

  1. JimmySalian-2011 42,241 Reputation points
    2023-01-31T18:32:03.6766667+00:00

    Hi,

    It seems the certificate has expired and you tried to renew it? I will request you to read this and request a new certificate instead of using the process for renewing an expired certificate. Also, you will have to reissue the CRL and copy it to the issuing CA and other AIA and CDP locations as per the process.

    You cannot renew a certificate that has already expired. If you try to renew a certificate that has expired, the certification authority (CA) will reject the request, and you will see an error message similar to "Error Verifying Request Signature or Signing Certificate. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." This message will also be displayed in the Failed Requests node of the issuing CA. If your certificate has already expired, you must request a new certificate instead of renewing the existing certificate.

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725583(v=ws.11)?redirectedfrom=MSDN

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

  2. Limitless Technology 44,511 Reputation points
    2023-02-02T10:17:11.4733333+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    This error message is indicating that the root certificate authority (CA) for the certificate chain for "xxxx Enterprise CA" has expired. This means that the certificate is no longer considered trusted and secure, and is not valid for authentication or encryption. The system clock or the timestamp in the signed file indicates that the certificate has passed its validity period. To resolve this issue, the expired certificate must be updated or replaced with a new, valid certificate from the same root CA.

    In addition, the error messages you are encountering after renewing the Root CA certificate and attempting to renew the Enterprise CA certificate may be due to several reasons. Some common causes of this issue include:

    1. Improper configuration of the Certificate Authority hierarchy: Your Root CA certificate must be properly configured as the root of the CA hierarchy, with the Enterprise CA certificate as an intermediate CA.
    2. Incorrect certificate request: The renewal request for the Enterprise CA certificate must be generated correctly and with the correct information.
    3. Issuing CA is not able to reach the Root CA: If the issuing CA server is unable to reach the Root CA, it will not be able to renew the Enterprise CA certificate.
    4. Incorrect permissions on the Root CA: The issuing CA server must have sufficient permissions to access and renew the Enterprise CA certificate.

    To resolve this issue, you can try the following steps:

    1. Verify that the Root CA certificate is properly configured and reachable by the issuing CA server.
    2. Generate a new certificate request for the Enterprise CA certificate, ensuring that all required information is included.
    3. Check the permissions on the Root CA, and grant the issuing CA server sufficient access to renew the Enterprise CA certificate.
    4. Check the Event logs for additional information and error messages, which can help pinpoint the specific issue.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
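
Added example, not part of any answer in this thread: a read-only PowerShell check that builds the chain for each CA certificate on the issuing CA and shows which element is outside its validity period, which is the condition CERT_E_EXPIRED reports in the event log. The function name `Get-CaChainValidity` is hypothetical, and the script assumes the CA certificates are in `Cert:\LocalMachine\My` and that it runs in an elevated session on the issuing CA.

```powershell
# Added diagnostic example; read-only, changes nothing in any certificate store.
function Get-CaChainValidity {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [datetime]$AsOf = (Get-Date)
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The root CA is offline, so skip revocation checks and look only at how
    # the chain is built and whether each element is inside its validity period.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationTime = $AsOf
    try {
        [void]$chain.Build($Certificate)
        $depth = 0
        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            [pscustomobject]@{
                Depth      = $depth++            # 0 = CA certificate, last = root
                Subject    = $c.Subject
                Thumbprint = $c.Thumbprint
                NotBefore  = $c.NotBefore
                NotAfter   = $c.NotAfter
                TimeValid  = ($AsOf -ge $c.NotBefore -and $AsOf -le $c.NotAfter)
                Status     = ($element.ChainElementStatus.Status -join ', ')
            }
        }
    } finally {
        $chain.Reset()
    }
}

# Assumption: CA certificates live in the machine Personal store. Select the
# ones whose Basic Constraints extension marks them as a CA.
$caCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
        $_.CertificateAuthority
    }
}

foreach ($cert in $caCerts) {
    "--- CA certificate $($cert.Thumbprint) ---"
    Get-CaChainValidity -Certificate $cert | Format-Table -AutoSize
}
```

A row with `TimeValid` False or a `Status` containing `NotTimeValid` identifies the expired element; if that row is the root, the chain is still being built against the old root certificate in the issuing CA's store.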


  3. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

