Problem with DC serving up an expired KDC certificate for ldaps to clients

Lab Coat1 6 Reputation points
2023-03-24T17:16:30.3066667+00:00

I have two DCs with KDC certificates that expired last month. They have been renewed.

But the DC still appears to be providing the expired one to clients. The DC has been rebooted since the renewal.

Windows 2012R2

The expired certificate does not show up in the DC's Personal certificate store.

Expired certificate is still listed in the CA, along with the renewed certificates.


2 answers

    Lab Coat1 6 Reputation points
    2023-03-27T18:25:07.17+00:00

    Thanks for the comment.

    Just to be clear.

    The certificate expired on 2/26.

    Went into certificate manager on the server, and requested a new certificate from the CA using the appropriate template.

    Then deleted the certificate from Local Computer, Personal, Certificates on the server.

    New certificate shows up in the CA, and the server now. But running a test using "openssl s_client" continues to return the expired certificate.

    Old expired certificate has not been revoked from the CA, so is still present there, but not on the server.

    Did we miss a step or take a wrong one here?

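A way to pin down which certificate the DC is actually handing out, as an added example that is not part of the original thread: it fetches the certificate presented on TCP/636 and compares its thumbprint with the Server Authentication certificates in LocalMachine\My, so a stale selection stands out. `$DcFqdn` is a placeholder, and the script assumes Windows PowerShell 5.1 run on the DC itself.

```powershell
# Added example (not from the original thread). Placeholder DC name:
$DcFqdn = 'dc01.example.local'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Get-ServedLdapsCert {
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # The validation callback accepts everything on purpose: the point is to
    # see the certificate even when it is expired, which is the case here.
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

function Get-StoreLdapsCandidates {
    # Certificates Schannel could pick from the computer's Personal store:
    # private key present and either no EKU (any purpose) or Server Auth.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and (
            $_.EnhancedKeyUsageList.Count -eq 0 -or
            $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    }
}

$served = Get-ServedLdapsCert -HostName $DcFqdn
'Served on 636 : {0}  NotAfter={1}  Expired={2}' -f `
    $served.Thumbprint, $served.NotAfter, ($served.NotAfter -lt (Get-Date))

'LocalMachine\My candidates:'
Get-StoreLdapsCandidates | Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, NotAfter, Subject -AutoSize

$inStore = Get-StoreLdapsCandidates | Where-Object Thumbprint -eq $served.Thumbprint
if (-not $inStore) {
    Write-Warning 'Served certificate is not in LocalMachine\My; check the AD DS service store (NTDS\My).'
}
```

If the served thumbprint is absent from LocalMachine\My, the remaining place to look is the AD DS service's own Personal store (Service Accounts > Active Directory Domain Services in certlm.msc, store NTDS\My), which the DC prefers over the computer store when a certificate is present there.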