How to Extend Root CA and Sub CA Validation Period in Windows Server 2008 R2 Environment—Step by Step Guide


How a certificate authority checks validity:

[Figure: diagram of how a certificate authority checks certificate validity]

As a precaution, back up the CA, IIS and the registry of the certificate servers before you change anything.

To back up the Certificate Authority

  1. Log on to the system as a Backup Operator or a Certification Authority Administrator.
  2. Open Certification Authority and click the name of the certification authority (CA): Certification Authority (Computer)/CA name.
  3. On the Action menu, point to All Tasks, and click Back up CA.
  4. Click Next > select Private key and Certificate Database > choose the backup location > click Next > click Finish.

To restore the Certificate Authority

  1. Log on to the system as a Backup Operator or a Certification Authority Administrator.
  2. Open Certification Authority and click the name of the certification authority (CA): Certification Authority (Computer)/CA name.
  3. On the Action menu, point to All Tasks, click Restore CA, and click Yes.
  4. Click Next > select Private key and Certificate Database > choose the location of the backed-up CA database > click Next > click Finish.

To back up the Windows registry keys, follow Microsoft KB articles KB256986 and KB322756.

You can use the following command lines to back up and restore the IIS metabase (the IIS configuration). Take this backup together with the CA backup so that the CA Web pages are covered as well. Open Command Prompt as an administrator and change directory to %windir%\system32\inetsrv.

To back up the configuration, run the following command:

appcmd.exe add backup "CABackupddmmyyyy"

To restore that backup, run this command:

appcmd.exe restore backup "CABackupddmmyyyy"
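The three backups above (CA key and database, CertSvc registry key, IIS configuration) can be taken in one go from an elevated PowerShell prompt on the CA server. The script below is an added example, not code from the original post; it assumes a backup root of C:\CABackup (choose your own) and uses the standard CertSvc configuration registry path. It also records the CA certificate's current expiry date so you have a baseline to compare against after the renewal.

```powershell
# Added example (not from the original post): scripted backup of the CA, its registry
# configuration and the IIS configuration on Windows Server 2008 R2.
# Run from an elevated PowerShell prompt on the CA server.
# Assumptions (not from the post): backup root C:\CABackup; the registry path below is
# the standard CertSvc configuration key.

$stamp      = Get-Date -Format 'ddMMyyyy'
$backupRoot = "C:\CABackup\$stamp"          # assumed location, change as needed
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# 1. CA private key, CA certificate and certificate database (what the Backup CA wizard saves).
#    The private key export is password protected; -p supplies the password non-interactively.
#    Keep that password somewhere other than the backup folder itself.
$secure = Read-Host -AsSecureString 'Password to protect the CA key backup'
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
& certutil.exe -p $plain -backup "$backupRoot\CA"
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# 2. Registry: the CertSvc configuration key holds ValidityPeriod, CRL settings and the rest
#    of the CA configuration, so a registry backup lets you undo the Step 1 changes.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    "$backupRoot\CertSvc-Configuration.reg" /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 3. IIS configuration (the post's appcmd step), so the /certsrv web pages can be restored.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
& $appcmd add backup "CABackup$stamp"
if ($LASTEXITCODE -ne 0) { throw "appcmd add backup failed with exit code $LASTEXITCODE" }

# 4. Record the CA certificate's current expiry as a baseline for the post-renewal check.
& certutil.exe -ca.cert "$backupRoot\ca-before-renewal.cer" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            "$backupRoot\ca-before-renewal.cer"
'CA certificate before renewal: {0} expires {1:u}' -f $cert.Subject, $cert.NotAfter |
    Tee-Object -FilePath "$backupRoot\README.txt"
```

The reverse path is certutil -restore against the CA folder (again with -p for the key password), reg import for the registry file and appcmd restore backup for IIS; the wizard steps above do the same thing for the CA part. Verify the backup folder is not readable by ordinary users, since it contains the CA private key.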

To extend the validity period of the Enterprise Root CA, perform Step 1 to Step 4 on the Enterprise Root CA server.

Step 1: Open Command Prompt as an Administrator and type the following (the backslash between ca and the value name is required):

certutil -getreg ca\ValidityPeriod

certutil -getreg ca\ValidityPeriodUnits

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg ca\ValidityPeriodUnits 10

Step 2: Create a text file in Notepad, save it as CAPolicy.inf, copy the following into it, and place CAPolicy.inf in the C:\Windows folder.

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10

Step 3: If you do not want to renew the certificate key, type the following commands at the command prompt to restart Certificate Services:

net stop certsvc
net start certsvc

If you want to renew the key, skip Step 3 and follow Step 4.

Step 4:

1. To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

2. In the console tree, click the name of the certification authority (CA): select Certification Authority (Computer)/CA name.

3. On the Action menu, point to All Tasks, and click Renew CA Certificate.

4. Do one of the following:

· If you want to generate a new public and private key pair for the certification authority's certificate, click Yes.

· If you want to reuse the current public and private key pair for the certification authority's certificate, click No.

5. Right-click Certification Authority (Computer)/CA name, click Properties > General tab > select Certificate #1 > View Certificate, and check that the expiry date matches the CAPolicy.inf settings above.
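Steps 1 to 3 can be applied from an elevated PowerShell prompt on the root CA, with a check at the end that shows why Step 4 may still be needed. The script below is an added example and not code from the original post; it assumes the 10-year value from the CAPolicy.inf above and the standard CertSvc registry path. One caveat worth keeping in mind: ca\ValidityPeriod and ca\ValidityPeriodUnits cap the lifetime of certificates the CA issues, and issued certificates are never allowed to outlive the CA's own certificate, so the CA certificate's expiry date is the number that matters after the restart.

```powershell
# Added example, not from the original post: runs Step 1 to Step 3 for the Enterprise
# Root CA from an elevated PowerShell prompt on the CA server, then checks whether the
# CA certificate itself still needs the Step 4 renewal.
# Assumptions (not from the post): 10 years, matching the post's CAPolicy.inf; the
# CertSvc registry path below is the standard one used by Certificate Services.

$years  = 10
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active   # name of the active CA

function Invoke-CertUtil {
    # Runs certutil.exe and fails loudly instead of silently continuing on an error.
    param([string[]]$Arguments)
    $out = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil $Arguments failed:`n$out" }
    $out
}

function Get-IssuanceLimit {
    # ca\ValidityPeriod and ca\ValidityPeriodUnits cap the lifetime of certificates this
    # CA issues. They are the values Step 1 reads and sets with certutil -getreg/-setreg.
    $p = Get-ItemProperty -Path (Join-Path $cfgKey $caName) -Name ValidityPeriod, ValidityPeriodUnits
    '{0} {1}' -f $p.ValidityPeriodUnits, $p.ValidityPeriod
}

function Get-CaCertificateExpiry {
    # Exports the current CA certificate and returns its NotAfter date.
    $tmp = Join-Path $env:TEMP 'ca-current.cer'
    Invoke-CertUtil -Arguments @('-ca.cert', $tmp) | Out-Null
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
    $cert.NotAfter
}

"CA: $caName"
"Issuance limit before: $(Get-IssuanceLimit)"

# Step 1: the same two settings the post changes.
Invoke-CertUtil -Arguments @('-setreg', 'ca\ValidityPeriod', 'Years') | Out-Null
Invoke-CertUtil -Arguments @('-setreg', 'ca\ValidityPeriodUnits', "$years") | Out-Null

# Step 2: CAPolicy.inf in %windir%, with the content from the post. The single-quoted
# here-string keeps $Windows NT$ literal. The file is read when the CA certificate is renewed.
$caPolicy = @'
[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
'@
Set-Content -Path (Join-Path $env:windir 'CAPolicy.inf') -Value $caPolicy -Encoding ASCII

# Step 3: restart Certificate Services so the new registry values take effect.
Restart-Service -Name certsvc -Force

"Issuance limit after:  $(Get-IssuanceLimit)"
$expiry = Get-CaCertificateExpiry
'CA certificate expires {0:u}' -f $expiry
if ($expiry -lt (Get-Date).AddYears($years)) {
    "The CA certificate expires before the $years-year issuance limit: certificates issued now"
    "are cut short at $($expiry.ToShortDateString()) until the CA certificate is renewed (Step 4)."
}
```

If the final check reports that the CA certificate expires before the new issuance limit, the registry change alone has not bought you anything for long-lived certificates; the Step 4 renewal is what moves the CA certificate's expiry date out.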

To extend the validity period of the Enterprise subordinate CA, perform Step 5 to Step 8 on the sub CA server.

Step 5: Open Command Prompt as an Administrator on the sub CA and type the following, pressing Enter after each command (the backslash between ca and the value name is required):

certutil -getreg ca\ValidityPeriod

certutil -getreg ca\ValidityPeriodUnits

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg ca\ValidityPeriodUnits 5

Step 6: Create a text file in Notepad, save it as CAPolicy.inf, copy the following into it, and place CAPolicy.inf in the C:\Windows folder.

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5

Step 7: If you do not want to renew the certificate key, type the following commands at the command prompt to restart Certificate Services:

net stop certsvc
net start certsvc

If you want to renew the key, skip Step 7 and follow Step 8.

Step 8:

1. To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

2. In the console tree, click the name of the certification authority (CA): select Certification Authority (Computer)/CA name.

3. On the Action menu, point to All Tasks, and click Renew CA Certificate.

4. Do one of the following:

· If you want to generate a new public and private key pair for the certification authority's certificate, click Yes.

· If you want to reuse the current public and private key pair for the certification authority's certificate, click No.

5. If the parent CA is available online:

· Click Send the request directly to a CA already on the network.

· In Computer Name, type the name of the computer on which the parent CA is installed.

· In Parent CA, click the name of the parent CA.

6. If the Root CA is offline or is not a member of the domain:

· Click Save the request to a file.

· In Request file, type the path and file name of the file that will store the request.

· Obtain this subordinate CA's certificate from the root CA.

7. Open Certification Authority and click the name of the CA: Certification Authority (Computer)/CA name.

8. On the Action menu, point to All Tasks, and then click Install CA Certificate.

9. Locate the certificate file received from the parent certification authority, click this file, and then click Open.

10. Right-click Certification Authority (Computer)/CA name, click Properties > General tab > select Certificate #1 > View Certificate, and check that the expiry date matches the CAPolicy.inf settings above.
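The check in item 10 is worth doing programmatically on the sub CA, because for a subordinate CA the lifetime of the renewed certificate is decided by the parent (its ca\ValidityPeriod setting, the Subordinate Certification Authority template and the parent's own remaining lifetime), not by the RenewalValidityPeriod lines in the sub CA's own CAPolicy.inf. The script below is an added example, not code from the original post; it assumes the 5-year value from the CAPolicy.inf above, exports the CA certificate that is now installed, builds its chain and reports the lifetime the parent actually granted.

```powershell
# Added example, not from the original post: after Step 8, confirms on the subordinate CA
# that the newly installed CA certificate chains to the root and reports the lifetime the
# parent CA actually granted. Run from an elevated PowerShell prompt on the sub CA.
# Assumption (not from the post): 5 years expected, matching the post's sub CA CAPolicy.inf.

$expectedYears = 5

function Test-SubCaCertificate {
    param([string]$CerFile, [int]$ExpectedYears)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is skipped on purpose: the first CRL signed with the renewed root
    # certificate may not be published yet, and the question here is the chain, not the CRL.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # Print every link of the chain with its expiry date (leaf first, root last).
    $links = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    foreach ($c in $links) { '{0,-50} expires {1:u}' -f $c.Subject, $c.NotAfter }
    if (-not $chainOk) {
        'Chain errors: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }

    $root         = $links[-1]
    $grantedYears = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
    $messages     = @()
    if ($grantedYears -lt $ExpectedYears) {
        $messages += "Granted $grantedYears years, expected $ExpectedYears. The parent CA decides a " +
                     "subordinate's lifetime (its ca\ValidityPeriod, the SubCA template and its own " +
                     "remaining life); RenewalValidityPeriod in this CA's CAPolicy.inf does not raise it."
    }
    if ($cert.NotAfter -gt $root.NotAfter) {
        $messages += 'Sub CA certificate outlives the root it chains to; the chain fails once the root expires.'
    }

    New-Object PSObject -Property @{
        ChainValid   = $chainOk
        SubCaExpires = $cert.NotAfter
        RootExpires  = $root.NotAfter
        GrantedYears = $grantedYears
        Messages     = $messages
    }
}

# Export the CA certificate that is installed now (the renewed one) and check it.
$cerFile = Join-Path $env:TEMP 'subca-current.cer'
& certutil.exe -ca.cert $cerFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }
Test-SubCaCertificate -CerFile $cerFile -ExpectedYears $expectedYears | Format-List
```

If GrantedYears comes out lower than expected, the fix is on the parent: raise its ca\ValidityPeriodUnits (Step 1 on the root) and, for an enterprise root, check the validity period of the Subordinate Certification Authority template, then renew the sub CA certificate again.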

Post-renewal checks:

Check the event logs on the Root CA and the Sub CA for any errors related to the changes you made.

If something goes wrong and you have to restore a CA, the IIS metabase must also be restored if it has been damaged or lost. If a damaged or missing IIS metabase is not restored, IIS will fail to start, and the Certificate Services Web pages (http://caservername/certsrv) will fail to load. Alternatively, recreate the IIS metabase and then run certutil.exe -vroot at a command prompt to reconfigure IIS to support the CA Web pages.

All web site and computer certificates issued by the sub CA and the Root CA remain valid as long as the CAs are valid and the issued certificates have not expired.

Publish the renewed Root CA certificate to all computers and servers using a GPO, since the root CA certificate has changed. Download the Root CA certificate from http://caservername/certsrv: click Download a CA certificate, then click Download CA certificate and save it. Then create a new GPO or edit an existing one:

  1. Open the Group Policy object (GPO) that you want to edit.
  2. Go to Policy Object Name/Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities.
  3. In the console tree, click Trusted Root Certification Authorities.
  4. On the Action menu, point to All Tasks, click Import, and browse to the location where you saved the CA certificate.
  5. Apply this GPO to the designated computer and server OUs.
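Once the GPO has applied, confirm from the CA administrator's workstation that the machines actually hold the renewed root certificate rather than assuming the import worked. The script below is an added example, not code from the original post; it assumes the renewed root certificate was saved as C:\CABackup\RootCA-renewed.cer (the file downloaded from /certsrv above), that PowerShell remoting (WinRM) is enabled on the target computers, and that the computer names are placeholders to replace with your own.

```powershell
# Added example, not from the original post: checks that each listed computer has the
# renewed root CA certificate (matched by thumbprint) in its LocalMachine\Root store.
# Assumptions (not from the post): the downloaded root certificate file path below,
# WinRM enabled on the targets, and placeholder computer names.

$rootCerFile = 'C:\CABackup\RootCA-renewed.cer'          # assumed path
$computers   = 'SRV01', 'SRV02', 'WKS01'                  # placeholders

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCerFile
'Renewed root CA: {0}' -f $expected.Subject
'  thumbprint {0}' -f $expected.Thumbprint
'  expires    {0:u}' -f $expected.NotAfter

function Test-RootTrust {
    # Returns one object per computer saying whether the thumbprint is in Trusted Root CAs.
    param([string[]]$ComputerName, [string]$Thumbprint)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Thumbprint -ScriptBlock {
        param($tp)
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
        $store.Open('ReadOnly')
        $hit = $store.Certificates | Where-Object { $_.Thumbprint -eq $tp }
        $store.Close()
        $expires = $null
        if ($hit) { $expires = $hit.NotAfter }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Trusted  = [bool]$hit
            Expires  = $expires
        }
    } | Select-Object Computer, Trusted, Expires
}

$results = Test-RootTrust -ComputerName $computers -Thumbprint $expected.Thumbprint
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Trusted })
if ($missing.Count -gt 0) {
    'Renewed root not yet trusted on: ' + (($missing | ForEach-Object { $_.Computer }) -join ', ')
    'Run gpupdate /force there, or check that the GPO is linked to the OU containing these computers.'
}
```

Matching on the thumbprint rather than the subject name is deliberate: the renewed root has the same subject as the old one (and, if you answered No in Step 4, the same key), so only the thumbprint tells you that the new certificate, with its new expiry date, is the one that was distributed.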

Related articles:

An Overview of Active Directory Certificate Service

Active Directory Best Practice

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Identity and Access Management.

One Response to How to Extend Root CA and Sub CA Validation Period in Windows Server 2008 R2 Environment—Step by Step Guide

  1. Pingback: Windows Server 2008 R2 Active Directory Certificate Services Deep Drive | Blog by Raihan Al-Beruni
