Certificate Authority expired company CA
Hi there,
I'm a complete newbie on CA so please bear with me.
Background:
We used to have a Server 2003 with CA on it.
This was done before I worked here (my current boss has no clue as well).
A few years later, we've upgraded all our servers to Server 2008, and backup/restore the CA from Server 2003 to Server 2008.
Now, when I looked into my computer's certificate (through mmc), it listed our CA but it's expired (in 2009!):
mmc > certificates (Local Computer or Current User) > Trusted Root Certification Authorities > Company Name
under Certification path, it says: This certificate has expired or is not yet valid.
Looking in the CA console, it's still giving out certificates to computers and stuff.
What went wrong here?
I've seen these GPO settings:
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
Do I need to configure these settings?
Andrew P.
April 26th, 2012 10:20am
Look at CA properties. Most likely the CA certificate was renewed and published to Active Directory.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
April 27th, 2012 1:43am
Sure enough, looking at its properties on the [General] tab shows me 2 CA certificates:
Certificate #0 (expired)
Certificate #1 --> this one is still active until 2016!
Looking at its [Storage] tab shows:
Active Directory is grayed out but there's a checked mark in the box.
Certificate database and Request log point to C:\WINDOWS\system32\CertLog
so we know that the CA DOES have a valid certificate.
But then how do we push them out to the clients?
I thought the Group Policy settings were supposed to automatically add the company CA as the trusted root?
Andrew P.
April 27th, 2012 2:02am
The CA automatically adds the renewed certificate to Active Directory and forest clients automatically download and install it to the Trusted Root CAs store. Normally there are no actions required.
April 27th, 2012 2:30am
Thanks for that Vadim.
Turns out, I made a mistake. I've looked at the WRONG certificate all this time!
I don't know how the person previously configured this thing but looking at the
CA Server > mmc > certificate (either user or computer) console, there are numerous copies of our company's certificate with slight variations!
- short_company_name CA
- full_company_name CA
- The full_company_name
- short_company_name
- etc
So, long story short, I managed to identify the correct one, but there are 2 of them.
one of them has this "golden key" icon on it.
I've compared both of them but there's no difference whatsoever.
Should I be worried?
Andrew P.
April 27th, 2012 5:04am
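The thread never posts a script, so the following is an added example (not from any participant) for the situation above: it inventories every certificate whose Subject contains the company name across the stores mentioned in the thread, flags which ones are expired, which carry a private key (the "golden key" icon in mmc), and whether two look-alike entries are really one certificate published in several stores (same thumbprint) or two distinct CA certificates such as Certificate #0 and the renewed Certificate #1. The name fragment, store list and report path are placeholders.

```powershell
# Added example, not from the thread. Run on the CA server or on a client.
# Assumptions (placeholders): $NamePattern is a fragment of the CA's common name,
# $ReportPath is where the CSV inventory is written.
param(
    [string]$NamePattern = 'company_name',
    [string]$ReportPath  = "$env:TEMP\ca-inventory.csv"
)

$stores = @(
    'Cert:\LocalMachine\Root',   # Trusted Root Certification Authorities
    'Cert:\LocalMachine\CA',     # Intermediate Certification Authorities
    'Cert:\LocalMachine\My',     # Personal; on the CA server this holds the CA certs and keys
    'Cert:\CurrentUser\Root'     # per-user trusted roots, the other view the thread looked at
)

$now  = Get-Date
$rows = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$NamePattern*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                SelfSigned    = ($_.Subject -eq $_.Issuer)   # root CA certificates are self-signed
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                Expired       = ($_.NotAfter -lt $now)       # the "has expired" message in mmc
                HasPrivateKey = $_.HasPrivateKey             # the "golden key" icon in mmc
                Thumbprint    = $_.Thumbprint
            }
        }
}

# Same thumbprint in several stores = one certificate published in several places (normal).
# Different thumbprints under the same Subject = distinct CA certificates, e.g. the expired
# Certificate #0 sitting next to the renewed Certificate #1.
$rows | Sort-Object Subject, NotAfter |
    Format-Table Store, Subject, NotAfter, Expired, HasPrivateKey, Thumbprint -AutoSize

$rows | Group-Object Subject | ForEach-Object {
    $unique = $_.Group | Select-Object -ExpandProperty Thumbprint | Sort-Object -Unique | Measure-Object
    [pscustomobject]@{ Subject = $_.Name; DistinctCertificates = $unique.Count }
} | Format-Table -AutoSize

$rows | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Inventory written to $ReportPath"
```

Comparing the Thumbprint column across client and server output is the quickest way to tell whether clients already hold the renewed CA certificate or only the expired one.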
Those certificates exist on both servers and client computers. I couldn't find any GPO that pushes any certificates, so it is safe to assume that they're all published in AD (I have no idea how to do this).
I did a quick read on the link you posted and it seems to be the solution I need.
But steps 6 and 7 in the instructions indicate that I want to delete the currently active Certificate Authorities:
Step 6.1.2 - Type
certutil ...
The output shows 2 entries:
- entry 0: "The company_name CA" --> points to a non-existent (old) server
- entry 1: (Local) "The company_name" --> points to our current CA server
Step 6.1.3, dot #4 and above - In the right pane, right-click the CA object for your CA, click Delete ...
Those containers ALSO contain CA names that don't exist in step 6.1.2.
Step 7
It's pretty easy; I used the GUI (pkiview.msc) and found the same entries as the
certutil
output, so I can just remove the unwanted entry: "The company_name CA"
4 questions:
1. Is it safe to assume that I can remove those unwanted CA entries regardless of the result from certutil?
2. In AD Sites & Services > Services > Public Key Services > CDP > current_server, it has 2 entries:
The company_name
The company_name(1)
The difference is that the USN for ...(1) is less current, but it was created almost 2 years after the other one. Should I delete one of them?
3. Will this "deletion" also propagate to the clients? Or do I need to clean +100 of them individually?
4. Do I need to set anything in these GPO settings?
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings
Also, since the current data on the current Windows 2008 CA server was a restored backup from a Windows Server 2003 CA, do we need to do any kind of updating for the certificate template, deployment, etc?
(and god knows where server 2003 got its data from)
If this is an entirely different subject from my original post, I'll post it on a new thread.
I apologize for the series of questions. I've spent a total of +15 hours reading this CA thing but nothing makes any sense. I think we've done this in a very wrong way from the very beginning with no one documenting anything.
Andrew P.
April 27th, 2012 10:28am
Thank you so much for your help on this!
I've run Steps 6+7 as you advised and a few minutes later I've seen the certificates cleared up on my PC after issuing the
gpupdate /force
command.
I've also removed a timed out company certificate from here:
pkiview.msc > right-click Enterprise PKI > Manage AD Containers > NTAuthCertificates tab
Maybe it's related, but looking at the properties page of the CA still shows the Certificate #0 (expired).
Should I be worried?
Andrew P.
April 28th, 2012 4:26am
> Should I be worried?
No. This is OK.
April 28th, 2012 5:07am