Expired machine cert on Sub-CA

Carl Burch 201 Reputation points

I have a stand-alone CA and a network-connected Sub-CA, each on Server 2019. On the Sub-CA it shows that the Sub-CA Computer (Machine) certificate is expired. I can't seem to find a way to renew this certificate. I would expect the ability to generate a CSR for renewal. But where? Here are the details on the cert in question.
Issued to: (My Sub-CA Name here)
Issued by: (My CA Name here)
Valid From: 1/3/2021 to 1/3/2022
The Certificate Template name is Machine.
Odd thing here is that under the Details tab for Extended Error Information it shows Revocation Status: OK, Effective Date, Wednesday Feb 9 2022 10:42:10PM, Next Update Friday February 11 2022 11:02:10AM.
Don't know if the extended error information matters here or what.


2 answers

  1. Limitless Technology 38,771 Reputation points

    Hi there,

    You can try changing the expiration date of certificates that are issued by the Certificate Authority. By default, the lifetime of a certificate that is issued by a Stand-alone Certificate Authority CA is one year. After one year, the certificate expires and is not trusted for use. There may be situations when you have to override the default expiration date for certificates that are issued by an intermediate or an issuing CA.

    Here is a link for a detailed description of the process that you must follow.

    Change the expiration date of certificates that are issued by Certificate Authority



  2. Carl Burch 201 Reputation points

    LimitlessTechnology-2700 what good does that do? I have an expired machine certificate that I need to either renew or replace. Changing what you mentioned only changes the time limits of future certs issued by the CA. It does absolutely nothing for a machine cert that is already expired. The template used for this is named "Computer" and that template is not available to me as a user. Attempts to manually renew the certificate just give me "An enrollment policy server can not be located" error.
    Maybe there are other roles I need to install and configure? From what I've found in the last few hours, I note that the only installed roles for Certificate Authority are Certificate Authority, Certificate Authority Web Enrollment, and Online Responder. I'm wondering if I need to install one or more of the other roles and configure it. If so, knowing which roles to install and a link to step-by-step instructions (for dummies like me who know enough about PKI to be downright dangerous) would probably solve my problem. Or maybe my thought process on this is wrong? Like I said, I know enough about PKI to be dangerous. :)
