Try this: http://technet.microsoft.com/en-us/library/cc780374%28v=ws.10%29.aspx

Kurt

On Thu, Aug 15, 2013 at 11:42 AM, Ken Cornetet <[email protected]> wrote:
> Speaking of CA server, I have a question:
>
> I am soon going to re-host my single tier CA from a server 2003 server to a
> server 2008 r2 server. I've done this in our test environment, and it worked
> just like the docs said it would.
>
> My question: is there any way to extend the expiration time of the master
> certificate either when I do the migration, or afterward? I'm getting really
> tired of all sorts of stuff breaking every few years when our oddball certs
> expire.
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Tammy George
> Sent: Thursday, August 15, 2013 2:21 PM
> To: '[email protected]'
> Subject: RE: [NTSysADM] Certificate Authority expiration/renewal
>
> Thanks for the responses.
>
> We have a single-tier CA and I'm renewing it tomorrow morning. Here's hoping
> all goes well!
>
> - Tammy
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Kurt Buff
> Sent: August-15-13 2:14 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Certificate Authority expiration/renewal
>
> Are you using a single-tier CA, or a two-tier CA, or perhaps even a
> three-tier CA?
>
> We have a two-tier CA, and this is the procedure I worked out:
>
> The root certificate doesn’t expire until 2016, but the CRL expires every 180
> days.
>
> o- Fire up the root CA - we use a 2008 R2 VM that's not joined to the domain
> o- Log in with the local Administrator account
> o- Start a command prompt (run as administrator)
> o- cd to c:\windows\system32\certsrv\certentroll
> o- issue the command "certutil -crl" (or use the GUI, as per
> http://technet.microsoft.com/en-us/library/cc778151%28v=ws.10%29.aspx)
> o- verify that the date on the CRL file in your current directory has the
> current date/time
> o- map a drive to C$ (say, X:) on the issuing CA using your DA credentials
> o- copy the above CRL file to X:\\windows\system32\certsrv\certentroll
> o- shut down the root CA
> o- log into the issuing CA with your DA credentials
> o- issue the command "certutil -crl" (or use the GUI, as per
> http://technet.microsoft.com/en-us/library/cc778151%28v=ws.10%29.aspx)
>
> Set a reminder for 170 days - which gives you 10 days notice to renew.
>
> HTH,
>
> Kurt
>
> On Thu, Aug 15, 2013 at 7:50 AM, Tammy George <[email protected]> wrote:
>> Hi all.
>>
>> Our Certificate server was set up by someone who is no longer here.
>> The CA is due to expire so we’re looking at renewing it. I’ve found
>> docs on renewing the CA
>> (http://technet.microsoft.com/en-us/library/cc962077.aspx)
>> which seem pretty straightforward. What I’m wondering is – when I
>> renew this CA (ABC-CA), will the various certificates listed under
>> ‘Certificates’
>> in the MMC also be renewed (i.e. the ones that are issued by ABC-CA)?
>>
>> Also, users’ issued certificates are due to expire on August 26 at 3pm.
>> What will happen from a user’s perspective?
>>
>> Thanks much!
>>
>> - Tammy
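
The quoted procedure relies on a calendar reminder to catch the 180-day CRL expiry. As an added example (not part of the thread or from any poster), the Python below reads the nextUpdate field out of a CRL and flags it once it is inside the 10-day window mentioned above. It assumes the .crl file is DER-encoded; the function names and `SAMPLE_CRL` are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER element; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18), both ending in 'Z'."""
    text = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate); nextUpdate is None when absent."""
    _, pos, _ = _tlv(der, 0)      # CertificateList SEQUENCE
    _, pos, end = _tlv(der, pos)  # TBSCertList SEQUENCE
    fields = []  # [version], sigAlg, issuer, thisUpdate, [nextUpdate], ...
    while pos < end:
        tag, start, pos = _tlv(der, pos)
        fields.append((tag, der[start:pos]))
    if fields[0][0] == 0x02:      # optional version INTEGER
        fields.pop(0)
    has_next = len(fields) > 3 and fields[3][0] in (0x17, 0x18)
    return _time(*fields[2]), (_time(*fields[3]) if has_next else None)

def crl_status(der, now, warn_days=10):
    """Return 'EXPIRED', 'RENEW' (inside the warning window), 'OK' or 'UNKNOWN'."""
    next_update = crl_validity(der)[1]
    if next_update is None:
        return "UNKNOWN"
    if now >= next_update:
        return "EXPIRED"
    return "RENEW" if next_update - now <= timedelta(days=warn_days) else "OK"

def _der(tag, body):  # builds the constructed sample below (short lengths only)
    return bytes([tag, len(body)]) + body

# Constructed sample, not a real CRL: empty issuer, dummy signature, 180-day validity
_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
_TBS = _der(0x30, _der(0x02, b"\x01") + _ALG + _der(0x30, b"")
            + _der(0x17, b"130815183200Z") + _der(0x17, b"140211183200Z"))
SAMPLE_CRL = _der(0x30, _TBS + _ALG + _der(0x03, b"\x00\x00"))

if __name__ == "__main__":
    print(crl_validity(SAMPLE_CRL)[1], crl_status(SAMPLE_CRL, datetime.now(timezone.utc)))
```

Run on a schedule against the CRL file each CA publishes, this catches a missed reminder before clients start rejecting the stale CRL.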

