How can I renew an expired machine certificate on the Sub-CA server?
We have our own PKI infrastructure that consists of a stand-alone CA set up on Server 2019. Then the subordinate CA is set up on a domain-joined member Server 2019 machine. It seems the machine certificate on the Sub-CA has expired. Here's how I'm attempting to renew it.
- Run certlm.msc to open up the local computer store.
- Navigate to Certificates - Local Computer > Personal > Certificates.
- Right-click the certificate and select All Tasks - Request Certificate with New Key.
- On the Certificate Enrollment window I click Next.
- I get "Enrollment error - An enrollment policy server can not be located".
In gpedit.msc on the Sub-CA machine I checked Computer Configuration > Windows Settings > Security Settings > Public Key Policies and the same path in User Configuration (if User Configuration matters here). The setting for Certificate Services Client - Certificate Enrollment Policy is set to not configured. Also, Certificate Services Client - Auto-Enrollment is enabled with no other check boxes selected.
I'd like to include a screen shot of the certificate itself as it appears in certlm.msc, but can't see any way to attach or include an image here. So here's the best I can do.
| Issued to | Issued by | Expiration date | Certificate Template |
|---|---|---|---|
| <machinename.domain.local> | <sub-CA on same machine issued to> | 1/3/2022 | Machine |
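To make the state described above inspectable from the console rather than from a screenshot, here is an added PowerShell example (not part of the original post) that inventories the local computer's Personal store for expired or soon-to-expire certificates together with their issuer and certificate template, and separately lists the enrollment policy servers the machine context can see, which is what the "Request Certificate with New Key" wizard needs. It assumes it is run in an elevated session on the Sub-CA itself; the `WithinDays` window and the function names are this example's own choices.

```powershell
# Added example, not from the original question.
# Lists certificates in Cert:\LocalMachine\My (the store shown in certlm.msc)
# that are already expired or expire within -WithinDays, with the template
# they were issued from, so the one that needs renewal can be identified.
function Get-ExpiringMachineCert {
    param([int]$WithinDays = 30)

    $now = Get-Date
    # Extension OIDs that carry the template: v1 "Certificate Template Name"
    # and v2 "Certificate Template Information".
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -lt $now.AddDays($WithinDays) } |
        ForEach-Object {
            $ext = $_.Extensions |
                Where-Object { $templateOids -contains $_.Oid.Value } |
                Select-Object -First 1
            # Format($false) renders the extension as one line, e.g. "Machine"
            # for the v1 template in the question; self-signed/root-style
            # certificates have no template extension at all.
            $template = '(no template extension)'
            if ($ext) { $template = $ext.Format($false) }

            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt $now)
                Template   = $template
                Thumbprint = $_.Thumbprint
            }
        }
}

# The wizard error in the question means no enrollment policy server was
# found for the machine context. This shows what the machine can see:
# an empty result here matches that error.
function Get-MachineEnrollmentPolicy {
    Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine
}

Get-ExpiringMachineCert -WithinDays 30 | Format-Table -AutoSize
Get-MachineEnrollmentPolicy | Format-List
```

If `Get-MachineEnrollmentPolicy` returns nothing while the domain's CA is expected to serve the `Machine` template, the problem is on the enrollment-policy side (the "not configured" policy noted in the question), not with the certificate itself; the first function is still useful afterwards to confirm that the renewed certificate replaced the one expiring on 1/3/2022.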