Standalone Root CA - Cert renewal

Umaish Nair 1 Reputation point
2021-01-04T22:27:19.687+00:00

I have a root CA and the certificate has to be renewed.

  1. Right clicked on Root CA -> Properties
  2. Under general I see two certificates
  • Certificate #0
  • Certificate #1

Certificate #0

  • Issued by the ROOT CA to the Root CA
  • Valid from 1-5-2018 to 1-5-2021
  • CA Version V0.0

Certificate #1

  • Issued by the ROOT CA to the Root CA
  • Valid from 1-5-2018 to 1-5-2023
  • CA Version V1.0

So why do I see two certificates with overlapping validity? Should I renew the Root CA cert or not, as I see Cert 1 which has validity until 2023?

Your assistance is much appreciated.


3 answers

  1. Fan Fan 15,341 Reputation points Microsoft Vendor
    2021-01-05T01:25:16.357+00:00

    Hi,

    It seems that the CA certificate was renewed on 1-5-2018.
    Before the root CA certificate was renewed, the CA certificate validity period was changed from 3 years to 5 years.
    Please confirm this by checking for the following in the CAPolicy.inf file in the system root folder (by default C:\Windows):
    [certsrv_server]
    RenewalValidityPeriodUnits = 5
    RenewalValidityPeriod = years

    If so, there is no need to renew the CA certificate.

    Best Regards,


  2. Fan Fan 15,341 Reputation points Microsoft Vendor
    2021-01-06T02:40:52.117+00:00

    Hi,

    The CAPolicy.inf may have been deleted or not used in your situation.
    If there is no CAPolicy.inf file, when you renew the CA certificate, your root CA certificate is valid for 5 years (default).
    You can also check the default validity period in the CA registry by using the following command:

    Open an admin CMD on the CA server and type certutil -getreg ca,
    then check the ValidityPeriodUnits value as shown below:
    [screenshot: output of certutil -getreg ca showing ValidityPeriodUnits]

    Best Regards,

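The checks from the two answers above, combined into one script as an added example (not code from the thread or from Microsoft). It runs in an elevated PowerShell session on the CA server, reads the CA's ValidityPeriod registry values (which cap the lifetime of certificates the CA issues), parses the [certsrv_server] renewal settings from %SystemRoot%\CAPolicy.inf (which set the lifetime of a renewed CA certificate), and then lists each CA certificate the CA holds with its remaining lifetime. It assumes the CA certificates are in the machine's Personal store and that the CACertHash list is in the same order as the MMC's Certificate #0, #1 display; $WarnDays is a placeholder threshold.

```powershell
# Added example, not from the thread. Run elevated on the CA server.
$WarnDays = 180   # placeholder: days before expiry at which to flag a CA cert

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base).Active          # name of the active CA
$cfg    = Get-ItemProperty -Path (Join-Path $base $caName)
"CA: $caName"
# These registry values are what 'certutil -getreg ca' shows; they govern
# certificates the CA issues, not the length of a renewed CA certificate.
"Registry ValidityPeriod for issued certificates: $($cfg.ValidityPeriodUnits) $($cfg.ValidityPeriod)"

# CAPolicy.inf lives in %SystemRoot% (C:\Windows by default). Only the
# [certsrv_server] section's RenewalValidityPeriod* keys matter here.
$policy  = Join-Path $env:SystemRoot 'CAPolicy.inf'
$renewal = @{}
if (Test-Path $policy) {
    $section = $null
    foreach ($line in Get-Content $policy) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'certsrv_server' -and
            $t -match '^(RenewalValidityPeriod(?:Units)?)\s*=\s*(.+)$') {
            $renewal[$Matches[1]] = $Matches[2].Trim()
        }
    }
}
if ($renewal.Count -eq 2) {
    "CAPolicy.inf renewal length: $($renewal.RenewalValidityPeriodUnits) $($renewal.RenewalValidityPeriod)"
} else {
    "CAPolicy.inf absent or without RenewalValidityPeriod settings; the built-in default applies."
}

# CACertHash holds one thumbprint per CA certificate (assumed to be in the
# order the MMC shows as Certificate #0, #1, ...). Look each up in the store.
$now = Get-Date
$i   = 0
foreach ($hash in @($cfg.CACertHash)) {
    $thumb = ($hash -replace '\s', '').ToUpper()
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $cert) { "Certificate #${i}: thumbprint $thumb not found in LocalMachine\My"; $i++; continue }
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -lt $WarnDays) { 'RENEW SOON' }
             else { 'ok' }
    "Certificate #${i}: valid $($cert.NotBefore.ToShortDateString()) to $($cert.NotAfter.ToShortDateString()) ($daysLeft days left) [$state]"
    $i++
}
```

In the situation described in the question, the newest entry would still report several hundred days left, which is the quick way to confirm that a renewal has already happened and nothing is due yet.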

  3. Umaish Nair 1 Reputation point
    2021-01-07T17:24:15.08+00:00

    Thank you for the response.

    I checked the CA

    ValidityPeriod REG_SZ = Years
    ValidityPeriodUnits REG_DWORD = 2

    So does this mean that the default validity is only 2 years? However, I have 2 certs (0 = 3 yrs and 1 = 5 yrs).

    Regards

