Certificate Requests: no templates available, and required certificate is not within its validity period
You missed your opportunity. You cannot renew an expired certificate as the request is signed by the previous certificate (which is now expired). You will have to manually enroll for all expired certificates. Start at the CA and make sure that all certificates it uses are time valid.
Brian
December 5th, 2011 3:53pm

Adnan, Here's the results from pkiview.msc. I've included two views. In the first I can see that the CA cert is OK, but that the Sub CA cert is not. In the second view I can see that the Sub CA cert is expired (which I know). I've checked the certificates.msc snap-in. In this I can see that I have a time valid cert issued by the CA to the Sub CA. So it seems to me that when I installed the new cert for the Sub CA the PKI did not get updated. Do you agree, and if so what do I do to correct this? Thanks for your help, Iain
December 6th, 2011 4:03am

Brian, I thought that I had now missed the opportunity to renew the certificates, and have now to issue new ones. The problem I face is that when I try to request a new certificate from one of my domain servers using the certificates.msc snap-in there are no templates so I cannot complete the request. If I try using certreq then I can create the .req file, but when I submit this I get the error message in my first post. Any advice or tips will be greatly appreciated. Regards, Iain
December 6th, 2011 4:07am

You have not solved your problem. Your PKI is set up very poorly. Based on your screen shots:
1) You are using only file URLs on the root CA. This is not supported, so no clients will be able to validate the certificate status of the subordinate CA.
2) The subordinate CA certificate expired on Nov 16, 2011 and cannot issue certificates.
3) You have implemented a hard coded CRL name and have not included variables to allow for certificate renewal or delta CRL names for the HTTP URLs.
4) You have malformed HTTP URLs using netBIOS names, not DNS names.
5) You have not published the subCA certificate to either AD or to the HTTP publication site.
Your PKI is hosed.
Brian
December 14th, 2011 10:05am
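An added example, not from the thread, that audits the CRL (CDP) and CA certificate (AIA) publication URLs of the active CA for the faults Brian lists in points 1, 3 and 4, and then shows a corrected setting. It assumes it runs in an elevated PowerShell on the CA itself and that pki.contoso.com is a placeholder for the real HTTP publication host.

```powershell
# Added example, not from the thread: audit the CRL (CDP) and CA certificate (AIA) publication URLs
# of the active CA for the faults listed above, then show a corrected setting.
# Assumptions: run in an elevated PowerShell on the CA; pki.contoso.com is a placeholder host name.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$cfgKey  = Join-Path $cfgRoot $caName

function Test-PublicationUrl {
    param([string]$Entry)   # one "flags:url" string as stored in the REG_MULTI_SZ value
    $flags, $url = $Entry -split ':', 2
    $issues = @()
    if ($url -match '^https?://([^/]+)/' -and $Matches[1] -ne '%1' -and $Matches[1] -notmatch '\.') {
        $issues += "HTTP host '$($Matches[1])' is a NetBIOS name; clients need a DNS name"
    }
    if ($url -match '\.crl$' -and $url -notmatch '%8') {
        $issues += 'hard-coded CRL name: no %8 suffix, so a renewed CA cert cannot get its own CRL'
    }
    if ($url -match '\.crl$' -and $url -notmatch '%9') {
        $issues += 'no %9 suffix, so delta CRLs cannot be published here'
    }
    [pscustomobject]@{ Flags = [int]$flags; Url = $url; Issues = ($issues -join '; ') }
}

foreach ($value in 'CRLPublicationURLs', 'CACertPublicationURLs') {
    $entries = (Get-ItemProperty -Path $cfgKey -Name $value).$value | ForEach-Object { Test-PublicationUrl $_ }
    "== $caName : $value =="
    $entries | Format-Table Flags, Url, Issues -AutoSize | Out-String
    # Only file:// (or local path) entries means no client can fetch the CRL or CA cert at all.
    if (-not ($entries | Where-Object { $_.Url -match '^(https?|ldap):' })) {
        "WARNING: $value has no http:// or ldap:/// entry; nothing is reachable by clients."
    }
}

# Corrected values using the documented variables (%1 server DNS name, %3 CA name, %4 cert name
# suffix, %8 CRL name suffix, %9 delta CRL suffix). Flag bits: 1 publish to this location,
# 2 include in issued certificates' CDP/AIA extension, 4 include in CRLs, 64 publish delta CRLs.
$crlUrls = @('65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl',
             '6:http://pki.contoso.com/CertEnroll/%3%8%9.crl')
$aiaUrls = @('1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
             '2:http://pki.contoso.com/CertEnroll/%1_%3%4.crt')
# To apply: Set-ItemProperty -Path $cfgKey -Name CRLPublicationURLs -Value $crlUrls
#           Set-ItemProperty -Path $cfgKey -Name CACertPublicationURLs -Value $aiaUrls
#           Restart-Service CertSvc; certutil -crl   # publishes a CRL under the new name
```

For an offline root the file:// entry is only where the CA writes its CRL; the file still has to be copied to the HTTP host by hand, which is why the http:// entry carries no publish bit.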

The answer is that I had missed out installing the new cert as the CA Certificate. To explain a bit more. Once I had the new Sub CA cert issued by the root CA I installed that into the personal store of the Sub-CA (using the certificates MMC snap-in for the local machine, i.e. the Sub CA). I then experienced the problems above. The step I missed was to use the Certificate Authority MMC snap-in, select the Sub CA and using the right mouse menu select "All Tasks" -> "Install CA Cert" and then install the new Sub CA cert. Once this was done the other servers on my network could see the templates and could automatically obtain new certs. It took a while (over night) for the status reported in pkiview.msc to catch up. So I consider my problem solved.
December 14th, 2011 9:41pm
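An added example, not part of the thread, that checks for the exact state described in the answer above (a time-valid renewed cert sitting in the Personal store while certsvc still runs on the expired generation) and performs the missing "Install CA Certificate" step from the command line. It assumes an elevated PowerShell on the Sub CA and uses C:\Temp\SubCA-renewed.crt as a placeholder path for the certificate the root CA returned.

```powershell
# Added example, not from the thread: check whether certsvc on the Sub CA actually knows the
# renewed CA certificate, and if not install it the way "All Tasks -> Install CA Certificate" does.
# Assumptions: run in an elevated PowerShell on the Sub CA; C:\Temp\SubCA-renewed.crt is a
# placeholder for the certificate the root CA issued in response to the renewal request.
$certFile = 'C:\Temp\SubCA-renewed.crt'
$cfgRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName   = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$cfgKey   = Join-Path $cfgRoot $caName

# CACertHash lists every generation of this CA's certificate that certsvc uses, oldest first.
# A renewed cert that was only imported into the machine's Personal store never shows up here,
# which is the state described above: time-valid cert in the store, CA still reported as expired.
$knownHashes = (Get-ItemProperty -Path $cfgKey -Name CACertHash).CACertHash |
    ForEach-Object { ($_ -replace '\s', '').ToUpper() }

$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
$now = Get-Date
'Renewed cert {0}: valid {1:u} to {2:u}' -f $newCert.Thumbprint, $newCert.NotBefore, $newCert.NotAfter
if ($newCert.NotBefore -gt $now -or $newCert.NotAfter -lt $now) {
    throw 'The renewed certificate is itself not time valid; get a new one from the root CA first.'
}

if ($knownHashes -contains $newCert.Thumbprint) {
    "certsvc already uses $($newCert.Thumbprint); nothing to install."
} else {
    "certsvc does not use $($newCert.Thumbprint) yet; installing it."
    certutil -installcert $certFile     # pairs the cert with the CA's existing private key
    Restart-Service CertSvc
}

# Domain members only see templates once the CA's own chain is time valid, so a non-empty
# list here is the quickest confirmation that the fix worked (pkiview.msc lags behind).
certutil -CATemplates
```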

Situation: I have a standalone offline CA running on a Server 2008 R2. I have a Sub CA also running on a Server 2008 R2 that is part of a domain (the DCs for the domain are separate machines). The Sub CA has one cert issued from the CA, and has a self issued cert ("Issued To" the server using the FQDN and "Issued By" the server). The Sub CA has issued certs to both users and computers (servers and workstations) in the domain. Both certificates were due to expire. Before the expiry date I managed to request a renewal of the cert issued by the CA to the Sub CA, however due to other demands on my time I did not get to the other certs. Consequently the self issued cert (on the Sub CA) and all the certs issued by the Sub CA have now expired and the automatically generated request to renew fails with an error saying that:
"Certificate Request Processor: Error Parsing Request A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)"
If I try to request a new certificate on one of the domain servers using the MMC snap-in then no templates are available. Yet if I try a request as a domain user then the expected templates are present, however the request fails with the error above. I've tried the advice in http://support.microsoft.com/kb/931351, and have successfully generated the request, but the "certreq -submit" command fails with the above error. If I try to generate a new certificate request on the Sub CA for its self issued cert using the MMC snap-in, then I face the same problem as other servers: no available templates. I'm at a loss as to why there are no available templates so any advice would be greatly appreciated, and how can I identify which cert the error message is referring to?
Also, I am a bit mystified by the example “request.inf” given in the above URL as the “subject” field is the FQDN of the DC, yet the name of the machine requesting the cert is not specified. And one last question: the instructions say that if the CA is standalone (which it is in my case), then you can’t specify a template. My expired certs do use templates, so how can I generate a cert request that uses a template?
December 14th, 2011 10:29pm

BTW, your root CA is configured with only file:// URLs, which are no longer supported for certificate and CRL retrieval.
My weblog: http://en-us.sysadmins.lv | PowerShell PKI Module: http://pspki.codeplex.com | Windows PKI reference: on TechNet wiki
December 15th, 2011 1:47am

Hi, can you share screen shots from the Certificate Templates container on the SubCA. Plus run pkiview.msc from the SubCA and share the results.
Blog Link: http://blogs.cyquent.ae | Follow us on Twitter: @cyquent | ADRMS Wiki Portal: Technet Wiki
December 15th, 2011 6:16am
