What to do when your root certificate authority has already expired?

fhqwh gads 21 Reputation points
2021-07-20T18:44:54.867+00:00

I've made it a habit to back up my two enterprise root CAs every 6 months, as well as renew their certificates (they have--or had--a 1-year expiry, which I have now changed). For some mysterious reason--maybe I saw something shiny--I did manage to back up one of these CAs but did NOT renew the certificate.

So, what do I do? I cannot renew the CA's cert because the CA's cert is expired.

Much thanks!

Windows Server Security

Accepted answer
  1. Vadims Podāns 9,121 Reputation points MVP
    2021-07-20T20:30:18.437+00:00

    What to do when your root certificate authority has already expired?

    I decommission this CA, because it is no longer in use. When the CA certificate expires, all certificates down the chain are expired as well. Since you are unlikely to have issues other than the expired root CA, your CA has no use. Just decommission it: https://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx

    BTW, 1yr root CA? Really?
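
Added example, not part of the answer above and not Microsoft's code: path validation rejects a certificate once any CA above it has expired, so a certificate's usable lifetime ends at the earliest `NotAfter` in its chain. The function name `Get-ChainExpiry`, the default store path and the 180-day warning threshold are assumptions chosen for illustration.

```powershell
# Added example: for every certificate in a store, find the chain element
# that expires first and flag chains that are expired or close to it.
function Get-ChainExpiry {
    param(
        # Assumption: the local machine's personal store (a CA server keeps its own CA cert here)
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Assumption: warn when less than this many days remain
        [int]$WarnDays = 180
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip CRL/OCSP lookups so the check also works offline
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        # Build() returns $false for an expired chain, but the elements are still populated
        [void]$chain.Build($cert)

        # The element with the earliest NotAfter bounds the whole chain
        $limit = $chain.ChainElements |
            ForEach-Object { $_.Certificate } |
            Sort-Object -Property NotAfter |
            Select-Object -First 1
        if (-not $limit) { $limit = $cert }   # fall back to the certificate itself

        $days = [int][math]::Floor(($limit.NotAfter - $now).TotalDays)
        $status = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'RENEW SOON' } else { 'OK' }

        [pscustomobject]@{
            Subject         = $cert.Subject
            NotAfter        = $cert.NotAfter
            ChainValidUntil = $limit.NotAfter
            LimitedBy       = $limit.Subject
            DaysLeft        = $days
            Status          = $status
        }
        $chain.Reset()
    }
}

# Show only the chains that need attention, soonest first
Get-ChainExpiry | Where-Object { $_.Status -ne 'OK' } | Sort-Object -Property DaysLeft
```

When `LimitedBy` names a CA rather than the certificate itself, the CA certificate is what has to be renewed first.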


1 additional answer

  1. Evgenij Smirnov 541 Reputation points
    2021-07-20T20:02:33.573+00:00

    Hi,

    One solution could be setting the CA's clock backwards and renewing the cert. Or you just create a new CA cert and republish the CA.

    1 person found this answer helpful.