Certificate Authority expired company CA
Hi there, I'm a complete newbie on CA so please bear with me.

Background: We used to have a Server 2003 with CA on it. This was done before I worked here (my current boss has no clue as well). A few years later, we upgraded all our servers to Server 2008, and backed up/restored the CA from Server 2003 to Server 2008.

Now, when I look at my computer's certificates (through mmc), it lists our CA but it's expired (in 2009!): mmc > Certificates (Local Computer or Current User) > Trusted Root Certification Authorities > Company Name. Under Certification Path, it says: "This certificate has expired or is not yet valid." Looking in the CA console, it is still giving out certificates to computers and stuff. What went wrong here?

I've seen these GPO settings:
- Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings
- Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment

Do I need to configure these settings?

Andrew P.
April 26th, 2012 10:20am

Look at the CA properties. Most likely the CA certificate was renewed and published to Active Directory.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
April 27th, 2012 1:43am

Sure enough, looking at its properties on the [General] tab shows me 2 CA certificates:
- Certificate #0 (expired)
- Certificate #1 --> this one is still active until 2016!

Looking at its [Storage] tab shows: Active Directory is grayed out but there's a check mark in the box. Certificate database and Request log point to C:\WINDOWS\system32\CertLog, so we know that the CA DOES have a valid certificate. But then how do we push them out to the clients? I thought the Group Policy settings were supposed to automatically add the company CA as a trusted root?

Andrew P.
April 27th, 2012 2:02am

The CA automatically adds the renewed certificate to Active Directory, and forest clients automatically download and install it into the Trusted Root CAs store. Normally no actions are required.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
April 27th, 2012 2:30am
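As an added example (not from the thread, and not from any tool the posters mention): a PowerShell check of the local machine's Trusted Root store that lists every copy of the company CA certificate and flags which copies are expired, which is the view Andrew is getting in mmc. The subject pattern 'Company Name' is a placeholder for the CA name shown on the CA's [General] tab.

```powershell
# Added example: audit the LocalMachine Trusted Root store for copies of the
# company CA certificate and report expired vs. valid ones. After a CA renewal
# it is normal to see both the old (expired) and the new certificate here.
$caNamePattern = 'Company Name'   # placeholder: substring of the CA's Subject

$now = Get-Date
$caCerts = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$caNamePattern*" }

if (-not $caCerts) {
    Write-Warning "No certificate matching '$caNamePattern' in Trusted Root (LocalMachine)."
    return
}

$report = foreach ($cert in $caCerts) {
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Status     = if ($cert.NotAfter -lt $now)      { 'EXPIRED' }
                     elseif ($cert.NotBefore -gt $now) { 'NOT YET VALID' }
                     else                              { 'VALID' }
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize

# The situation worth investigating is when ONLY expired copies are present:
# then the renewed CA certificate was either never published to AD or this
# client has not yet pulled it via autoenrollment (gpupdate /force refreshes it).
if (-not ($report | Where-Object { $_.Status -eq 'VALID' })) {
    Write-Warning "Only expired or not-yet-valid copies of the CA certificate are present; refresh Group Policy and check the AD Certification Authorities container."
}
```

Run it on a client and on the CA server itself; if the server shows a VALID copy and the client does not, the gap is in publication or autoenrollment rather than in the CA.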

Thanks for that, Vadim. Turns out I made a mistake. I've been looking at the WRONG certificate all this time! I don't know how the previous person configured this thing, but looking at the CA Server > mmc > Certificates (either user or computer) console, there are a number of our company's certificates with slight variations:
- short_company_name CA
- full_company_name CA
- The full_company_name
- short_company_name
- etc.

So, long story short, I managed to identify the correct one, but there are 2 of them. One of them has this "golden key" icon on it. I've compared both of them but there's no difference whatsoever. Should I be worried?

Andrew P.
April 27th, 2012 5:04am

Those certificates exist on both servers and client computers. I couldn't find any GPO that pushes any certificates, so it is safe to assume that they're all published in AD (I have no idea how to do this). I did a quick read of the link you posted and it seems to be the solution I need. But steps 6 and 7 in the instructions indicate that I want to delete the currently active Certificate Authorities:

Step 6.1.2 - Type certutil ... the output shows 2 entries:
- entry 0: "The company_name CA" --> points to a non-existent (old) server
- entry 1: (Local) "The company_name" --> points to our current CA server

Step 6.1.3, dot #4 and above - In the right pane, right-click the CA object for your CA, click Delete ... Those containers ALSO contain CA names that don't exist in step 6.1.2.

Step 7 is pretty easy; I used the GUI (pkiview.msc) and found the same entries as certutil, so I can just remove the unwanted entry: "The company_name CA"

4 questions:
1. Is it safe to assume that I can remove those unwanted CA entries regardless of the result from certutil?
2. In AD Sites & Services > Services > Public Key Services > CDP > current_server, it has 2 entries: "The company_name" and "The company_name(1)". The difference is that the USN for ...(1) is less current but it was created almost 2 years after the other one. Should I delete one of them?
3. Will this "deletion" also propagate to the clients? Or do I need to clean 100+ of them individually?
4. Do I need to set anything in these GPO settings? Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings

Also, since the current data on the current Windows 2008 CA server was a restored backup from a Windows Server 2003 CA, do we need to do any kind of updating for the certificate templates, deployment, etc.? (And God knows where Server 2003 got its data from.) If this is an entirely different subject from my original post, I'll post it in a new thread. I apologize for the series of questions.

I've spent a total of 15+ hours reading about this CA thing but nothing makes any sense. I think we've done this in a very wrong way from the very beginning, with no one documenting anything.

Andrew P.
April 27th, 2012 10:28am

Thank you so much for your help on this! I've run steps 6 and 7 as you advised, and a few minutes later I saw the certificates cleared up on my PC after issuing the gpupdate /force command. I've also removed a timed-out company certificate from here: pkiview.msc > right-click Enterprise PKI > Manage AD Containers > NTAuthCertificates tab.

Maybe it's related, but looking at the properties page of the CA still shows Certificate #0 (expired). Should I be worried?

Andrew P.
April 28th, 2012 4:26am

> Should I be worried?

No. This is OK.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
April 28th, 2012 5:07am
