ADCS Troubleshooting: Unable to renew the SubCA since the request file (.req) is not generated
Problem
When you don't see a request file generated on your SubCA and when you attempt to renew the SubCA certificate against the offline root CA.11
Unable to renew the SubCA certificate on the Issuing CA. It just jumps back to the CA console window.
Environment
You have stand alone offline CA.
You have many SubCA.
When you try to renew the CA, you see a key generated and you don't find a request file message.
Instead, if you try again you will see a prompt for a key already exists and prompts you to overwrite or reuse it.
Cause
- Either you are missing a request a file name path in the SubCA registry (Default e.g c:\1_%3%4.req).
- You are missing the folder specified in the registry of CA registry located under configuration or that registry key was deleted.
E.g: The folder you point "certreq" to might have deleted (c:\certreq\1_%3_%4.req).
When someone removes request files in the registry, it will take effect on CA. Restart and when you renew it would actually stop and start the CA. Which takes effect on the change.
Refer the picture of Procmon below:
View
You will see SubCA actually trying to create a file under the path and it would fails as either "Bad name path' or "Path not found".
If you go to registry of HKLM\SYSTEM\CCS\Services\Certsvc\Configuration\CA NAME>\ Look for "Request filename" string word.
Refer the below registry screenshot:
Resolution
You can see a request filename and its path. If it doesn't exist you can create one with a valid path (for example c:\ or c:\certReq).
Create a folder under C:\ drive as "CertReq". Now try to renew the CA cert. You will see a pop-up of request file generated to locate root CA.
Refer the screenshot below:
Happy learning!