Speaking of CA server, I have a question: I am soon going to re-host my single-tier CA from a Server 2003 server to a Server 2008 R2 server. I've done this in our test environment, and it worked just like the docs said it would.
My question: is there any way to extend the expiration time of the master certificate either when I do the migration, or afterward? I'm getting really tired of all sorts of stuff breaking every few years when our oddball certs expire.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Tammy George
Sent: Thursday, August 15, 2013 2:21 PM
To: '[email protected]'
Subject: RE: [NTSysADM] Certificate Authority expiration/renewal

Thanks for the responses. We have a single-tier CA and I'm renewing it tomorrow morning. Here's hoping all goes well!

- Tammy

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: August-15-13 2:14 PM
To: [email protected]
Subject: Re: [NTSysADM] Certificate Authority expiration/renewal

Are you using a single-tier CA, or a two-tier CA, or perhaps even a three-tier CA?

We have a two-tier CA, and this is the procedure I worked out:

The root certificate doesn’t expire until 2016, but the CRL expires every 180 days.

o- Fire up the root CA - we use a 2008 R2 VM that's not joined to the domain
o- Log in with the local Administrator account
o- Start a command prompt (run as administrator)
o- cd to c:\windows\system32\certsrv\certentroll
o- issue the command "certutil -crl" (or use the GUI, as per http://technet.microsoft.com/en-us/library/cc778151%28v=ws.10%29.aspx)
o- verify that the date on the CRL file in your current directory has the current date/time
o- map a drive to C$ (say, X:) on the issuing CA using your DA credentials
o- copy the above CRL file to X:\\windows\system32\certsrv\certentroll
o- shut down the root CA
o- log into the issuing CA with your DA credentials
o- issue the command "certutil -crl" (or use the GUI, as per http://technet.microsoft.com/en-us/library/cc778151%28v=ws.10%29.aspx)

Set a reminder for 170 days - which gives you 10 days' notice to renew.
HTH,

Kurt

On Thu, Aug 15, 2013 at 7:50 AM, Tammy George <[email protected]> wrote:
> Hi all.
>
> Our Certificate server was set up by someone who is no longer here.
> The CA is due to expire so we’re looking at renewing it. I’ve found
> docs on renewing the CA
> (http://technet.microsoft.com/en-us/library/cc962077.aspx)
> which seem pretty straightforward. What I’m wondering is – when I
> renew this CA (ABC-CA), will the various certificates listed under
> ‘Certificates’
> in the MMC also be renewed (i.e. the ones that are issued by ABC-CA)?
>
> Also, users’ issued certificates are due to expire on August 26 at 3pm.
> What will happen from a user’s perspective?
>
> Thanks much!
>
> - Tammy
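
As an added example that is not part of the original thread: the 170-day reminder in the procedure above can be backed by a check that reads `nextUpdate` straight out of the published CRL and flags it once it is inside the 10-day notice window. The Python below is a minimal DER walker written for this page; it assumes a DER-encoded CRL, and the sample CRL (issuer name, dates, dummy signature) is constructed.

```python
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def parse_time(tag, val):
    # 0x17 = UTCTime (two-digit year), 0x18 = GeneralizedTime (four-digit year)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) from a DER-encoded X.509 CRL."""
    _, cert_list, _ = read_tlv(der, 0)   # CertificateList
    _, tbs, _ = read_tlv(cert_list, 0)   # TBSCertList
    times = [parse_time(t, v) for t, v in children(tbs) if t in (0x17, 0x18)]
    if len(times) < 2:
        raise ValueError("CRL carries no nextUpdate")
    return times[0], times[1]

def days_left(der, now):
    return (crl_validity(der)[1] - now).days

def needs_republish(der, now, notice_days=10):
    """True once the CRL is inside the notice window before nextUpdate."""
    return days_left(der, now) <= notice_days

def tlv(tag, value):  # short-form DER encoder, only used to build the sample
    return bytes([tag, len(value)]) + value

# Constructed sample: CRL skeleton with a 180-day validity and a dummy signature.
ALG = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
NAME = tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, b"Example Root CA"))))
TBS = tlv(0x30, tlv(0x02, b"\x01") + ALG + NAME
          + tlv(0x17, b"130815140000Z") + tlv(0x17, b"140211140000Z"))
SAMPLE_CRL = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00\xde\xad"))
```

To check a real file, pass the bytes of the `.crl` and `datetime.now(timezone.utc)` to `needs_republish`; the walker does not verify the CRL signature.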

