Hello,
Thank you for posting in Q&A forum.
In Windows Server 2019, renewing a Certificate Authority (CA) certificate is an important maintenance task. Renewing a CA certificate ensures the trust and security of the certificate chain. Here are the detailed steps to renew your CA certificate, which can be renewed for a year or more.
Step 1: Back up the current CA configuration and certificates
Before renewing a CA certificate, it is recommended to back up the current CA configuration and certificates.
- Open the Certificate Authorities console.
- Right-click the CA name and select "All Tasks" -> "Backup CA".
- Follow the wizard to complete the backup and make sure to back up the CA certificate and key.
Step 2: Renew the CA certificate
- Open the Certificate Authorities console.
- Right-click on the CA name and select "All Tasks" -> "Renew CA Certificate".
- Select "Renew certificate with existing key" and click "Next".
- Specify a new validity period (e.g. one year or more) and click "Next".
- Follow the wizard to complete the renewal process.
Step 3: Confirm that the CA certificate has been successfully renewed
- Open the Certificate Authorities console.
- Right-click the CA name and select Properties.
- In the General tab, check the "Validity Period" and "Validity Period" to confirm that the certificate was successfully renewed.
Step 4: Publish a new CRL (Certificate Revocation List)
- Open the Certificate Authorities console.
- Right-click on "Issued Certificates" -> "All Tasks" -> "Publish".
- Select "New Certificate Revocation List (CRL)" and click "OK".
Step 5: Update the CA certificate template (optional)
If there are specific needs, the CA certificate template may need to be updated to reflect the new expiration date.
- Open the Certificate Templates console.
- Select the certificate template that needs to be updated, right-click and select Properties.
- In the Expiration dates tab, adjust the expiration date settings.
- Republish the updated template to the CA.
Example: Command Line to Renew a CA Certificate (Using Certutil)
You can use the command-line tool certutil to renew the CA certificate. Here's an example command:
certutil -renewCert <CAName> <ValidityPeriod>
• <CAName>: The name of the CA.
• <ValidityPeriod>: Expiration date, e.g. 365 for one year.
Backup: Before any operation, make sure you have backed up your CA configuration and certificates in case anything goes wrong.
I hope the information above is helpful.
Best Regards,
Yanhong Liu
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
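Added example, not part of the answer above: a PowerShell script that performs steps 1 to 4 (backup, renew with the existing key, publish a CRL, verify) with certutil on a root CA, run elevated on the CA host. It assumes the CA signs its own renewal (no parent CA), that $BackupDir and $BackupPassword are values you choose, and that a custom lifetime for the renewed certificate, if wanted, is set in CAPolicy.inf beforehand.

```powershell
# Added example (not from the original answer). Assumes an enterprise or
# standalone ROOT CA, run elevated on the CA itself. Backup path and password
# below are placeholders to replace.
#Requires -RunAsAdministrator
param(
    [string]$BackupDir = "C:\CABackup\$(Get-Date -Format yyyyMMdd)",
    [string]$BackupPassword = "CHANGE-ME"
)
$ErrorActionPreference = 'Stop'

# The active CA name and its certificate hash list (newest last) are kept here.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfg).Active

function Get-CurrentCACert {
    $hashes = (Get-ItemProperty "$cfg\$caName").CACertHash
    $thumb  = ($hashes | Select-Object -Last 1) -replace ' ', ''
    Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
}
$before = Get-CurrentCACert
"Current CA cert {0} expires {1:u}" -f $before.Thumbprint, $before.NotAfter

# Step 1: back up the CA database plus the CA certificate and private key
# (the PFX is protected with the given password).
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
certutil -p $BackupPassword -backup $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed" }

# Step 2: renew with the existing key pair. The new lifetime is not a certutil
# argument; a root CA reads RenewalValidityPeriod / RenewalValidityPeriodUnits
# from the [certsrv_server] section of CAPolicy.inf, so set those first.
certutil -renewCert ReuseKeys
if ($LASTEXITCODE -ne 0) { throw "certutil -renewCert failed" }
Restart-Service CertSvc

# Step 4: publish a fresh CRL so it is signed by the renewed certificate.
certutil -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed" }

# Step 3: confirm the CA now uses a newer certificate with a later NotAfter.
$after = Get-CurrentCACert
if ($after.Thumbprint -eq $before.Thumbprint -or $after.NotAfter -le $before.NotAfter) {
    throw "CA certificate was not renewed"
}
"Renewed CA cert {0} valid until {1:u}" -f $after.Thumbprint, $after.NotAfter
```

For a subordinate CA the same renewal command produces a request that the parent CA must issue, so the verification step only succeeds after that certificate has been installed.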