This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 87%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENK%3C/text%3E%3C/svg%3E)
Setup: There are 2 CA Servers hosted on a Windows Failover Cluster having a shared storage, disks of which have been provided by ISCSI Storage. There is a separate CA Web Enrollment Server. IIS is installed on CA Servers for PKI. The Root CA is "Standalone Root CA".
Observation: There are 2 Certs on Ent_CA-Properties; The 1st Cert expired after 1 year and the second Cert's expiry is 5 Years, which is going to expire very soon. From one of the documents created by the old admin, we found that he renewed the cert with new key pair.
Issue: Now when we are trying to generate the CSR for Ent_CA, we are not getting the REQ file being generated.
When we enable debugging we found that the error points to the first certificate saying it is not within the time period etc. Basically it is not going past the 1st Cert.
If we try to renew the Cert with a new Key Pair we will get a REQ File but the problem is we can no longer use that option because we have recently Issued Smart Cards to users around 2-3 years before.
How to remove the Expired Cert from CA_Properties? Technically is it possible to remove Cert, Yes or NO? Some Articles say that it is not advisable to remove that old cert because CRL has that information in building the chain. For my understanding I want to know how to remove the expired cert from ENt_CA Properties.
The Microsoft Guy crashed the server while troubleshooting and we somehow managed to bring up the server.
How can we verify CRL Chain and see if everything is all right?
Under PKIVIEW.msc we see lot of Certs under NT Auth and don't exactly know why there are multiple certs expiring on the same date for the Ent_CA. Under Registry of CA Server, we see hash of two certs only, 1 is expired cert's and the other one is current Cert's hash.
Is there any powershell script which tests the health of the PKI and CRL and point us what exactly has been done wrong.
I can't understand why you want to remove previous CA certificate. It is not officially supported.
I want to remove because it is not letting me renew the certificate. It is not generating a CSR saying the cert is not within its validity period. I just wanted to know if it is technically possible, if yes, how. Anyways I will do this in LAB first and then in production.
Your assumption is not correct. Renewal request is signed only by the latest CA certificate and previous CA certs cannot affect this. As long as current CA certificate is valid, a CSR will be created. But if your current CA certificate is expired, then you will have to rebuild the CA from scratch.
If we try to renew the Cert with a new Key Pair we will get a REQ File but the problem is we can no longer use that option because we have recently Issued Smart Cards to users around 2-3 years before.
I don't get why you cannot use this request file. This has nothing to do with smart card certificates you have issued in the past. Moreover, these certificates are about to expire, thus you have to renew your CA with new key pair and then renew smart card certificates.
For argument sake, let's assume my assumption is wrong but then why did Microsoft Tech (Severity A case) couldn't solve the case. I did not knew that the culprit is expired cert. Only when I enabled the debugging, i read in the logs that the certificate is not within it's validity period error and it was pointing the Thumbprint of the expired cert. If you ask anyone why there is no option to remove the expired cert, they say it is used in building the CRL chain of the certificate and hence remove option is not listed directly. simple example is, if you remove the old certificate hash from the registry key then adcs service won't start.
The current cert is going to expire on 5/17/2022, so that is not an issue.
I even spoke to MS Tech saying why don't we renew with new key pair, he didn't advise to do so because of smart cards.
What I think is, the previous admin had generated many certs for the same name and not sure if each time he used new key pair or old key pair. i see these certs under pki view but on Ent CA Snapin i see only 2 certs, one expired and other current.
There should be some tool or PowerShell script which can identify if anything is missing in the chain or something like that. Check health of CA Servers and point out the correct problem.
I'm wondering if I have posted this question in the wrong forum or given the incorrect tagging, as I have not received any response or further questions or suggestions. I could not select any existing tag for pki, so selected something similar.
Posting as answer, because comments do not allow long responses, all quotes are based on OP comments:
why did Microsoft Tech (Severity A case) couldn't solve the case
I don't know, I don't work for Microsoft.
Only when I enabled the debugging, i read in the logs that the certificate is not within it's validity period error and it was pointing the Thumbprint of the expired cert.
in fact, it is normal behavior. When CA starts, it validates all its installed certificates and log into event viewer if any of them is not valid. However it doesn't mean that any action is required. CA will always sign its own renewal requests only using the most recent CA certificate, which is valid (as per your information). This means that your CA has a valid cert to sign the renewal request.
simple example is, if you remove the old certificate hash from the registry key then adcs service won't start.
that's right. And that's why I said that this operation is not supported by Microsoft, because there are hidden dependencies in CA database and there is no option to manage them. And having expired previous CA certs is not a problem. Here is one of my production CAs:
First certificate is expired, but it doesn't add any problems, because latest cert is ok.
I even spoke to MS Tech saying why don't we renew with new key pair, he didn't advise to do so because of smart cards.
they fooled you, unfortunately. I always against renewing CA cert with existing key pair, because it leads to ambiguous chains, when leaf cert's chain can be bound to older (expired) or newer (valid) root CA certs and chaining engine sometimes choose wrong chain and invalidate the certificate. Few proofs:
and this is the reason why I always recommend to renew with new key pair. New key pair results in an unambiguous single possible chain.
What I think is, the previous admin had generated many certs for the same name and not sure if each time he used new key pair or old key pair.
it is easy to track by analyzing "CA Version" extension of each CA certificate. If both numbers around the dot match, then new key pair was generated, if left-hand number is greater, then existing key pair was used.
Basically, you do not have a big problem since you are able to get renewal request for CA certificate. What you need to do is to submit request to parent CA, issue the certificate and install it on your CA. Since you have CA cluster, certificate must be installed on both nodes. This requires a little bit more frictions: when you install CA certificate to active node, backup CA certificates (using Backup CA option and choose only CA cert, without DB) and export CA certs in PFX format. Then import PFX on passive node. On a wizard page where you provide password to PFX check the option to mark private keys as exportable. It is essential part for CA certificate backup option.
