Enterprise PKI is in error, have no clue how to fix

I just took over as the IT Admin at a company that had 4 different IT Admins in the last year. Needless to say things are a bit unorganized.

My domain has 3 controllers, but only one was set up as a certificate authority. My Enterprise PKI is in error all the way down to the lowest level because the CA certificate there is expired. However, the CA certificate on the level above that is valid. Just to compound my problem, the personal certificates for the domain controller are all expired as well, for both the Root CA and the subordinate. I can't create a new CA certificate because I don't have a valid CA to do it from. I can't renew the old one either, because I don't have permission to do so: that has to be done from a valid Root CA, which I don't have.

I had the CAPI2 log running when I restarted ADCS so I have a record of the errors, but I don't know how to proceed. What can I do in this situation?

August 19th, 2015 6:12pm

Re-create the whole PKI hierarchy perhaps?

August 20th, 2015 12:12am

Josh H2

Unfortunately I have to tell you that we cannot renew a certificate that has already expired. A certificate must be renewed during its validity period, so now you must rebuild your PKI hierarchy.

More related KB:

Renew an Existing Certificate Wizard Page

https://technet.microsoft.com/en-us/library/cc725583.aspx

Renew a Certificate

https://technet.microsoft.com/en-us/library/cc730605.aspx

I'm glad to be of help to you!

August 26th, 2015 2:17am
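The answer above turns on one fact: a CA certificate can only be renewed while it is still valid, and once the root and the subordinate have both lapsed, as in the original post, the only way forward is a new hierarchy. The following PowerShell script is an added example, not code from the thread or from Microsoft, that inventories the CA and machine certificates a domain-joined host holds and flags the ones that are expired or inside a chosen warning window, so that the renewal happens before the validity period ends rather than after. It assumes an elevated session on a Windows host; the $WarnDays threshold is a chosen value, not anything from the thread.

```powershell
# Added example (not from the thread): report CA and machine certificates that are
# expired or close to expiry, so renewal is done inside the validity window.
# Assumptions: elevated PowerShell on a domain-joined Windows host; $WarnDays is an
# arbitrary threshold chosen for this example.
param(
    [int]$WarnDays = 90
)

$now = Get-Date

# Root and intermediate CA certificates live in Root and CA; the machine's own
# certificates (for example the domain controller's) live in My.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\My'

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
        $state = if ($_.NotAfter -lt $now) { 'EXPIRED' }
                 elseif ($daysLeft -le $WarnDays) { 'RENEW-SOON' }
                 else { 'OK' }
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft
            State      = $state
        }
    }
}

# Soonest-expiring first, so the certificate that needs attention is at the top.
$report | Sort-Object NotAfter |
    Format-Table Store, Subject, Issuer, NotAfter, DaysLeft, State -AutoSize

# Non-zero exit code lets a scheduled task or monitoring job alert on the condition
# instead of someone discovering it, as in the thread, after AD CS has already failed.
if ($report | Where-Object State -ne 'OK') { exit 1 }
```

Run it as a scheduled task on the CA hosts and the domain controllers with a warning window comfortably longer than the change process takes; a CA that reports RENEW-SOON can still be renewed with the normal Renew CA Certificate action, whereas one that reports EXPIRED is in the situation the thread describes.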
