How to Extend the Root CA and Sub CA Validity Period in a Windows Server 2008 R2 Environment: Step-by-Step Guide

How a Certification Authority checks validity: (the original diagram is not reproduced here; the rule it illustrates is that a certificate is only valid while every CA certificate in its chain is itself within its validity period, and a CA never issues a certificate whose expiry is later than that of its own certificate).

As a precaution, back up the CA (database and private key), the IIS configuration and the CertSvc registry configuration of every certificate server before making any of the changes below.

To Backup Certificate Authority

  1. Log on to the system as a Backup Operator or a Certification Authority Administrator.
  2. Open Certification Authority>click the name of the certification authority (CA).
    Certification Authority (Computer)/CA name
  3. On the Action menu, point to All Tasks, and click Backup CA.
  4. Click Next > select both Private key and CA certificate and Certificate database and certificate database log > choose a backup location > Next > Finish. The wizard asks for a password to protect the exported private key; record it, because the restore will ask for it, and keep the backup folder as tightly protected as the CA itself (it contains the CA's private key).

To restore certificate authority

  1. Log on to the system as a Backup Operator or a Certification Authority Administrator.
  2. Open Certification Authority>click the name of the certification authority (CA).
    Certification Authority (Computer)/CA name
  3. On the Action menu, point to All Tasks, click Restore CA, and click Yes to stop Certificate Services.
  4. Click Next > select Private key and CA certificate and Certificate database and certificate database log > point to the backed-up CA location > enter the backup password > Next > Finish.

To back up the Windows registry, follow Microsoft KB256986 and KB322756. The key that matters for the CA is HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration.

You can use the following command line to back up and restore the IIS configuration (on IIS 7 the metabase of IIS 6 has been replaced by applicationHost.config, which appcmd manages). This backup covers the IIS web content and configuration for the CA web pages, not the CA itself, so do it in addition to the CA backup above. Open a Command Prompt as an administrator and change directory to %windir%\system32\inetsrv.

To back up the configuration, run the following command:

appcmd.exe add backup "CABackupddmmyyyy"

To restore that backup, run this command:

appcmd.exe restore backup "CABackupddmmyyyy"
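The three backups above, combined into one script, as an added example that is not part of the original guide. It runs in an elevated PowerShell (2.0 or later) on the CA server; the CA name and registry path are read from the machine, and only $BackupRoot is an assumption.

```powershell
# Added example, not part of the original guide: take the three backups the guide
# asks for (CA database and key, CertSvc registry configuration, IIS configuration)
# into one dated folder. Run in an elevated PowerShell on the CA server.
$ErrorActionPreference = 'Stop'

$BackupRoot = 'D:\CABackup'                       # assumption: a local, access-restricted folder
$stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$dest       = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest | Out-Null

function Invoke-Native([string]$exe, [string[]]$arguments) {
    # Run a native tool and fail loudly on a non-zero exit code (certutil, reg and
    # appcmd report failures through the exit code, not through exceptions).
    & $exe $arguments
    if ($LASTEXITCODE -ne 0) { throw "$exe $($arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. CA private key + certificate (as PFX) and the certificate database and logs.
#    certutil -backup needs an empty or non-existent target directory; -p supplies
#    the PFX password so the command does not prompt. The password is passed on the
#    command line only because this runs interactively on the CA itself.
$pfxPassword = Read-Host 'Password to protect the exported CA private key'
Invoke-Native 'certutil.exe' @('-p', $pfxPassword, '-backup', (Join-Path $dest 'CA'))

# 2. CertSvc registry configuration: ValidityPeriod*, CRL/AIA settings, CaCertHash ...
Invoke-Native 'reg.exe' @('export',
    'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration',
    (Join-Path $dest 'CertSvc-Configuration.reg'), '/y')

# 3. IIS configuration (applicationHost.config etc.), which hosts /certsrv.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
Invoke-Native $appcmd @('add', 'backup', "CABackup-$stamp")

# 4. Leave a manifest next to the backup so a later restore can be checked against it.
@"
Taken:           $(Get-Date -Format s)
Server:          $env:COMPUTERNAME
CA backup:       $(Join-Path $dest 'CA')
Registry export: $(Join-Path $dest 'CertSvc-Configuration.reg')
IIS backup name: CABackup-$stamp  (list with: appcmd list backup)
"@ | Set-Content -Path (Join-Path $dest 'manifest.txt')
Get-Content -Path (Join-Path $dest 'manifest.txt')
```

The matching restore, if it is ever needed, is the reverse in the same order: stop certsvc, then certutil -p <password> -restore <CA folder>, reg import <.reg file>, and appcmd restore backup "CABackup-<stamp>", then start certsvc.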

To extend the validity period on the enterprise root CA, perform Step 1 to Step 4 on the enterprise root CA server.

Step 1: Open a Command Prompt as an administrator and run the following. The registry value names are ca\ValidityPeriod and ca\ValidityPeriodUnits (the backslash matters). These two values cap the lifetime of the certificates this CA issues from now on, including the certificate it issues to the subordinate CA in Step 8; they do not change the expiry of the root CA's own certificate, which is controlled by CAPolicy.inf (Step 2) and the renewal in Step 4. The new values take effect only after Certificate Services is restarted (Step 3).

certutil -getreg ca\ValidityPeriod

certutil -getreg ca\ValidityPeriodUnits

certutil -setreg ca\ValidityPeriod Years

certutil -setreg ca\ValidityPeriodUnits 10

Step 2: Using Notepad, create a file named CAPolicy.inf in the C:\Windows folder (check that Notepad did not save it as CAPolicy.inf.txt; certsvc only reads %windir%\CAPolicy.inf) and paste the following into it:

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10

Step 3: Restart Certificate Services so that the ValidityPeriod settings from Step 1 take effect and the CAPolicy.inf file is picked up:

net stop certsvc
net start certsvc

Restarting on its own only applies the registry change; it does not extend the root CA's own certificate. To do that, renew the CA certificate in Step 4, where you choose whether to keep the existing key pair or generate a new one.

Step4:

1. To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

2. In the console tree, click the name of the certification authority (CA)> Select Certification Authority (Computer)/CA name

3. On the Action menu, point to All Tasks, and click Renew CA Certificate.

4. Do one of the following:

· If you want to generate a new public and private key pair for the certification authority's certificate, click Yes. The renewed root certificate then carries a different key, so it must be distributed to every relying party (see the GPO steps at the end) before certificates issued under it will validate. Choose this if the key length is no longer adequate or the key may have been exposed.

· If you want to reuse the current public and private key pair for the certification authority's certificate, click No. Certificates already issued continue to chain to the renewed certificate because the key, and therefore the Authority Key Identifier, is unchanged. Only reuse the key if you have no reason to believe it has been compromised.

5. Right-click Certification Authority (Computer)/CA name, click Properties, open the General tab, select the highest-numbered certificate (Certificate #1 after the first renewal; #0 is the original), click View Certificate and check that the expiry date matches the RenewalValidityPeriod and RenewalValidityPeriodUnits you set in CAPolicy.inf.
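A verification script for Steps 1 to 4 on the root CA, as an added example that is not part of the original guide. It reads the active CA's own registry configuration, so no CA name is assumed; it checks the ValidityPeriod cap, that CAPolicy.inf is where certsvc reads it, lists every CA certificate with whether the key was reused, and compares the newest certificate's expiry with the renewal lifetime in CAPolicy.inf. Run it in an elevated PowerShell on the root CA.

```powershell
# Added example, not part of the original guide: verify the root CA after Steps 1-4.
$ErrorActionPreference = 'Stop'

$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgPath).Active                 # active CA instance
$caCfg   = Get-ItemProperty -Path (Join-Path $cfgPath $caName)

"CA: $caName"
"Cap on certificates this CA issues: $($caCfg.ValidityPeriodUnits) $($caCfg.ValidityPeriod)"

# (a) CAPolicy.inf must be %windir%\CAPolicy.inf; a file saved as CAPolicy.inf.txt is ignored.
$policyFile = Join-Path $env:windir 'CAPolicy.inf'
if (-not (Test-Path -LiteralPath $policyFile)) { throw "CAPolicy.inf not found at $policyFile" }
$policy = @{}
foreach ($line in Get-Content -LiteralPath $policyFile) {
    if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*=\s*(.+?)\s*$') { $policy[$matches[1]] = $matches[2] }
}
$renewUnits  = [int]$policy['RenewalValidityPeriodUnits']
$renewPeriod = $policy['RenewalValidityPeriod']
"CAPolicy.inf renewal lifetime: $renewUnits $renewPeriod"

# (b) CaCertHash holds the SHA-1 hash of every CA certificate in index order
#     (0 = original, highest = latest renewal). The CA's own certificates, with
#     their private keys, live in the LocalMachine\My store.
$certs   = @()
$prevKey = $null
$index   = 0
foreach ($hash in @($caCfg.CaCertHash)) {
    $thumb = ($hash -replace '\s', '').ToUpper()
    $cert  = Get-Item -LiteralPath "Cert:\LocalMachine\My\$thumb"
    $key   = $cert.GetPublicKeyString()
    if ($prevKey -eq $null)     { $keyReused = 'n/a' }
    elseif ($key -eq $prevKey)  { $keyReused = 'yes' }
    else                        { $keyReused = 'no (new key pair)' }
    $certs += New-Object PSObject -Property @{
        Index = $index; Thumbprint = $thumb
        NotBefore = $cert.NotBefore; NotAfter = $cert.NotAfter; KeyReused = $keyReused
    }
    $prevKey = $key
    $index++
}
$certs | Format-Table Index, NotBefore, NotAfter, KeyReused, Thumbprint -AutoSize

# (c) The newest certificate should expire at NotBefore + renewal lifetime. Allow a
#     day of slack because the CA backdates NotBefore by its clock-skew allowance.
$newest = $certs[-1]
switch ($renewPeriod) {
    'Years'  { $expected = $newest.NotBefore.AddYears($renewUnits) }
    'Months' { $expected = $newest.NotBefore.AddMonths($renewUnits) }
    'Weeks'  { $expected = $newest.NotBefore.AddDays(7 * $renewUnits) }
    'Days'   { $expected = $newest.NotBefore.AddDays($renewUnits) }
    default  { throw "Unexpected RenewalValidityPeriod '$renewPeriod' in CAPolicy.inf" }
}
$drift = ($newest.NotAfter - $expected).Duration()
if ($drift -gt [TimeSpan]::FromDays(1)) {
    Write-Warning ("Newest CA certificate (#{0}) expires {1}, expected about {2}. " +
                   "Was the CA certificate renewed after CAPolicy.inf was saved and certsvc restarted?" -f
                   $newest.Index, $newest.NotAfter, $expected)
} else {
    "Newest CA certificate (#$($newest.Index)) expires $($newest.NotAfter): matches CAPolicy.inf."
}
```

If the script reports that the newest certificate still has the old expiry, the usual causes are a CAPolicy.inf saved with a .txt extension, or the renewal in Step 4 having been run before certsvc was restarted in Step 3.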

To extend the validity period on the enterprise subordinate CA, perform Step 5 to Step 8 on the sub CA. Renew the root CA first (Steps 1 to 4): the subordinate's renewed certificate is signed by the root and can never outlive the root certificate that signs it.

Step 5: Open a Command Prompt as an administrator on the sub CA and run the following. On the subordinate CA these values cap the lifetime of the end-entity certificates it issues (a certificate template can ask for less, never more); they have no effect on the subordinate CA's own certificate, whose lifetime is set by the root CA's values from Step 1.

certutil -getreg ca\ValidityPeriod

certutil -getreg ca\ValidityPeriodUnits

certutil -setreg ca\ValidityPeriod Years

certutil -setreg ca\ValidityPeriodUnits 5

Step 6: Using Notepad, create a file named CAPolicy.inf in the C:\Windows folder (again checking it was not saved as CAPolicy.inf.txt) and paste the following into it. Note that RenewalValidityPeriod and RenewalValidityPeriodUnits are only honoured when a root CA renews itself; for a subordinate CA the lifetime of the renewed certificate is decided by the parent CA. RenewalKeyLength does apply if you generate a new key in Step 8.

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5

Step 7: Restart Certificate Services on the sub CA so that the ValidityPeriod settings from Step 5 take effect and CAPolicy.inf is picked up:

net stop certsvc
net start certsvc

As on the root CA, restarting only applies the registry change; the subordinate CA's own certificate is extended by renewing it in Step 8, with the existing key pair or a new one.

Step8:

1. To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

2. In the console tree, click the name of the certification authority (CA)> Select Certification Authority (Computer)/CA name

3. On the Action menu, point to All Tasks, and click Renew CA Certificate.

4. Do one of the following:

· If you want to generate a new public and private key pair for the certification authority’s certificate, click Yes.

· If you want to reuse the current public and private key pair for the certification authority’s certificate, click No.

5. If a parent CA is available online

· Click Send the request directly to a CA already on the network.

· In Computer Name, type the name of the computer on which the parent CA is installed.

· In Parent CA, click the name of the parent CA.

6. If the parent CA is offline or is not a member of the domain

· Click Save the request to a file.

· In Request file, type the path and file name of the file that will store the request.

· Take the request file to the root CA, submit it there (Certification Authority console > All Tasks > Submit new request), issue the pending request after checking it is the subordinate's, and copy the issued certificate (.cer) back to the subordinate CA. Only the request and the issued certificate should ever travel between the two machines, never the root's private key.

7. Open Certification Authority>click the name of the CA. Certification Authority (Computer)/CA name

8. On the Action menu, point to All Tasks, and then click Install CA Certificate.

9. Locate the certificate file received from the parent certification authority, click this file, and then click Open.

10. Right-click Certification Authority (Computer)/CA name, click Properties, open the General tab, select the highest-numbered certificate, click View Certificate and check the expiry date. For a subordinate CA this date is governed by the ValidityPeriod settings on the root CA (Step 1), not by the subordinate's CAPolicy.inf, and it is truncated to the root CA certificate's own expiry; if it is shorter than expected, the root was not renewed first.
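The offline-root path of Step 8 (items 6 to 9) as a script with one stage per machine, followed by a chain check, as an added example that is not part of the original guide. The root server and CA name, the request file path and the certificate file path are assumptions; everything else is standard certreq/certutil usage. Run it with -Stage SubmitOnRoot on the root CA and with -Stage InstallOnSub on the subordinate CA, in an elevated PowerShell.

```powershell
# Added example, not part of the original guide: offline-root renewal of the sub CA
# certificate (Step 8, items 6-9) plus a chain check. Paths and names are assumptions.
param(
    [Parameter(Mandatory=$true)][ValidateSet('SubmitOnRoot', 'InstallOnSub')] [string]$Stage,
    [string]$RootConfig  = 'ROOTCA01\Contoso Root CA',   # assumption: "<server>\<CA name>" of the root
    [string]$RequestFile = 'C:\CAReq\SubCA-renew.req',   # assumption: file written by "Save the request to a file"
    [string]$CertFile    = 'C:\CAReq\SubCA-renew.cer'    # assumption: where the issued certificate is written
)
$ErrorActionPreference = 'Stop'

function Invoke-Native([string]$exe, [string[]]$arguments) {
    # Run a native tool, return its output as one string, and fail on a non-zero exit code.
    $output = & $exe $arguments | Out-String
    if ($LASTEXITCODE -ne 0) { throw "$exe $($arguments -join ' ') failed ($LASTEXITCODE):`n$output" }
    $output
}

switch ($Stage) {
  'SubmitOnRoot' {
    # Only the .req file is carried to the root (removable media); only the issued
    # .cer comes back. A standalone root holds requests pending by default, and
    # certreq then prints "RequestId: N" and "Certificate request is pending".
    $out = Invoke-Native 'certreq.exe' @('-submit', '-config', $RootConfig, $RequestFile, $CertFile)
    $out
    if ($out -match 'RequestId:\s*(\d+)') {
        $id = $matches[1]
        if ($out -match 'pending') {
            # Before issuing, confirm in the CA console that request $id is the sub CA's
            # (subject, key size, Basic Constraints CA=TRUE). Then issue and retrieve it:
            Invoke-Native 'certutil.exe' @('-config', $RootConfig, '-resubmit', $id) | Out-Null
            Invoke-Native 'certreq.exe'  @('-retrieve', '-config', $RootConfig, $id, $CertFile) | Out-Null
        }
    }
    "Issued certificate written to $CertFile; copy it back to the subordinate CA."
  }
  'InstallOnSub' {
    # Same as items 8-9 of Step 8 (All Tasks > Install CA Certificate), then restart certsvc.
    Invoke-Native 'certutil.exe' @('-installCert', $CertFile) | Out-Null
    Invoke-Native 'net.exe' @('stop', 'certsvc')  | Out-Null
    Invoke-Native 'net.exe' @('start', 'certsvc') | Out-Null
    # Build the chain and fetch every AIA/CDP URL in it. A failure here means clients
    # will not be able to validate certificates issued by the renewed sub CA either.
    Invoke-Native 'certutil.exe' @('-verify', '-urlfetch', $CertFile)
  }
}
```

The -verify -urlfetch output is worth reading even when it succeeds: it shows which CRL and AIA URLs were fetched, so a root CRL that is about to expire, or an AIA URL that no longer serves the renewed root certificate, shows up here before clients notice.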

Post renewal checks:

Check the Application event log on the root CA and the sub CA for errors related to the changes you made (Certificate Services logs there), and confirm that certsvc is running on both.

If something goes wrong and you have to restore a CA, the IIS configuration must also be restored if it has been damaged or lost. If it is not, IIS will fail to start and the Certificate Services web pages (http://caservername/certsrv) will not load. An alternative is to recreate the IIS configuration and then run certutil.exe -vroot at a command line to recreate the virtual directories that the CA web pages need.

Certificates already issued by the sub CA and the root CA (web site, computer and user certificates) stay valid: each one chains to the CA certificate it was issued under, and AD CS never issues a certificate that outlives the issuing CA's certificate, so nothing previously issued expires early because of the renewal.

Distribute the renewed root CA certificate to all computers and servers, because the root CA certificate has changed (this matters most when you generated a new key pair; with the same key the new certificate is still needed once the old one expires). Download it from http://caservername/certsrv: click Download a CA certificate, certificate chain, or CRL, then Download CA certificate, and save the .cer file. Then create a new GPO or edit an existing one:

  1. Open the Group Policy object (GPO) that you want to edit.
  2. Go to Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities.
  3. In the console tree, click Trusted Root Certification Authorities.
  4. On the Action menu, point to All Tasks, click Import, and point to the location where you saved the CA certificate.
  5. Link this GPO to the OUs that contain the designated computers and servers.

An enterprise root CA also publishes its renewed certificate to Active Directory automatically, so domain members normally receive it through autoenrollment as well; the GPO makes the trust explicit and covers machines that do not autoenroll.
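Exporting the newest root certificate for the GPO import and checking on a client that it has arrived, as an added example that is not part of the original guide. The export uses the same CaCertHash registry value that identifies the CA's certificates by index; $OutDir is an assumption. Run it with -Stage Export in an elevated PowerShell on the root CA, then with -Stage Check and the printed thumbprint on a domain-joined machine after the GPO has been linked.

```powershell
# Added example, not part of the original guide: export the latest root CA certificate
# and verify its arrival in a client's Trusted Root store. $OutDir is an assumption.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Export', 'Check')] [string]$Stage,
    [string]$OutDir = 'C:\CAReq',        # assumption: folder for the exported .cer (root CA side)
    [string]$Thumbprint                  # for -Stage Check: the thumbprint printed by Export
)
$ErrorActionPreference = 'Stop'

switch ($Stage) {
  'Export' {
    $cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName  = (Get-ItemProperty -Path $cfgPath).Active
    $hashes  = @((Get-ItemProperty -Path (Join-Path $cfgPath $caName)).CaCertHash)
    $index   = $hashes.Count - 1                          # highest index = latest renewal
    $thumb   = ($hashes[$index] -replace '\s', '').ToUpper()
    $cerFile = Join-Path $OutDir ('{0}-{1}.cer' -f ($caName -replace '[^\w-]', '_'), $index)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # certutil -ca.cert writes CA certificate <index>: the same file certsrv offers for download.
    & certutil.exe -ca.cert $cerFile $index | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }
    # An enterprise root publishes to AD itself at renewal. For a standalone root, the
    # forest-wide alternative to the GPO import is:  certutil -dspublish -f $cerFile RootCA
    "Exported CA certificate #$index to $cerFile (import this file in the GPO)"
    "Thumbprint (pass to -Stage Check): $thumb"
  }
  'Check' {
    if (-not $Thumbprint) { throw 'Pass -Thumbprint <value printed by the Export stage>' }
    & gpupdate.exe /target:computer /force | Out-Null   # pull the GPO before looking
    $path = "Cert:\LocalMachine\Root\$(($Thumbprint -replace '\s', '').ToUpper())"
    if (Test-Path -LiteralPath $path) {
        $c = Get-Item -LiteralPath $path
        "Trusted: $($c.Subject), valid until $($c.NotAfter)"
    } else {
        Write-Warning 'Renewed root CA certificate is not in the Trusted Root store yet: check the GPO link and scope, or wait for the next refresh.'
    }
  }
}
```

Run the Check stage on a member of each OU the GPO is linked to, and on at least one server that relies on certificates from the sub CA; a server that trusts only the old root certificate will start failing TLS handshakes the day that certificate expires.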
