Configure CA to allow renewal of expired certificates
Hello All, I was wondering if there is a switch that can be toggled on a 2008 CA that will allow renewal of expired certificates. This is what I am seeing when attempting to renew a cert which was generated against the "Exchange Enrollment Agent (Offline Request)" certificate template:

    >certreq.exe -submit EEA.req EEA.cer
    Certificate not issued (Denied) Error Verifying Request Signature or Signing Certificate A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)

Maybe I'm not thinking this through from a security perspective, but that seems like a silly reason to deny renewal (especially since we've generated a new keypair).
November 14th, 2012 11:09am
The problem is that a renewal request is signed by the previous certificate. You cannot sign the request, because the previous certificate is expired. This is PKI 101 and cannot be changed. The only recourse is to request a new certificate and re-enter the subject information.
Brian
November 14th, 2012 11:11am
Thanks; this makes perfect sense.
November 16th, 2012 4:01pm
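
The rule in Brian's answer (a renewal is signed with the previous certificate, so it only works while that certificate is still valid) can be checked ahead of time. The following is an added example, not part of the original thread: the function name Get-RenewalAction, the 30-day window and the sample certificates are assumptions made for illustration, and it needs PowerShell 3.0 or later.

```powershell
# Added example: decide per certificate whether a signed renewal is still
# possible or a brand-new request is required. Names and values are hypothetical.
function Get-RenewalAction {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Certificate,
        [datetime] $Now = (Get-Date),
        [int] $RenewWithinDays = 30      # assumed renewal window; set per policy
    )
    process {
        # A renewal request is signed with the existing certificate, so the CA
        # rejects it (0x800b0101) once NotAfter has passed.
        $action = if ($Now -gt $Certificate.NotAfter) {
            'NewRequest'                 # expired: cannot sign a renewal
        } elseif ($Now -lt $Certificate.NotBefore) {
            'NotYetValid'                # signature would also fail validation
        } elseif ($Certificate.NotAfter -le $Now.AddDays($RenewWithinDays)) {
            'RenewNow'                   # still valid, inside the window
        } else {
            'OK'
        }
        [pscustomobject]@{
            Subject  = $Certificate.Subject
            NotAfter = $Certificate.NotAfter
            DaysLeft = [math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
            Action   = $action
        }
    }
}

# Constructed sample data standing in for real certificate objects.
$now = Get-Date '2012-11-14'
$sample = @(
    [pscustomobject]@{ Subject = 'CN=Expired agent (constructed)'
                       NotBefore = $now.AddYears(-2); NotAfter = $now.AddDays(-3) }
    [pscustomobject]@{ Subject = 'CN=Expiring agent (constructed)'
                       NotBefore = $now.AddYears(-2); NotAfter = $now.AddDays(10) }
    [pscustomobject]@{ Subject = 'CN=Healthy agent (constructed)'
                       NotBefore = $now.AddYears(-1); NotAfter = $now.AddYears(1) }
)
$sample | Get-RenewalAction -Now $now | Format-Table -AutoSize

# Against a live store the same function accepts X509Certificate2 objects:
# Get-ChildItem Cert:\LocalMachine\My | Get-RenewalAction
```

Certificates reported as RenewNow can still be renewed with a signed request; those reported as NewRequest need a fresh request with the subject information re-entered.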