Problem renewing SubCA certificate with offline root
First, apologies if I've picked the wrong forum, I couldn't find an option specifically for PKI.

My client has a public key infrastructure consisting of:
- Offline Root server (this server is NOT a member of the domain)
- Offline Intermediate server (this server is also not a member of the domain)
- Online Issuing server (this server IS a member of the domain)

The certificate issued by the Intermediate server to the issuing server is due for renewal (but is not expired). On several occasions I and my colleagues have tried to renew the certificate, but each time we run into errors.

As I understand the process, I need to do the following (while the intermediate server is on the network and the certificate authority service is running), using Certification Authority on the Issuing server:
1. Select the CA node, and then click Action. Then click All Tasks and Stop Service.
2. Click Action and then click All Tasks and Renew CA Certificate.
3. Click Yes to generate a new key set, click OK.
4. Type in the name of the parent CA in the Computer Name box.
5. Click OK.

However, the process fails on step 2. When I click on Renew CA Certificate I get the following error:

The network path was not found. 0x80070035 (WIN32: 53)

What could this possibly be referring to?

It has been suggested to me that because the parent servers are not part of the domain, the Issuing server would not be able to reach them. I should then perhaps create a request and manually transfer it to the parent CA for approval. However, I have not been able to determine how to create a request without using the Renew CA Certificate option in Certification Authority.

All help and questions welcome!

Ben
October 6th, 2009 9:14am
Hi,
A possible cause could be that the registry entry "RequestFileName" in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name> has an invalid path. Please check the value of the registry entry on the subCA and ensure that the path is accessible.
Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights.
October 7th, 2009 12:22pm
The path in that location points to a share which does not exist. (CertConfig)

I've compared with my Intermediate server. On that server CertConfig points to c:\CAConfig. On the Issuing server, this folder does not exist. I can create the folder and the share, but what about the files it should contain? Is there a way to have them recreated or will I have to do this manually?

From what I can see there should be three files:
- certsrv.bak (an empty file?)
- certsrv.txt (I think I could create that manually if I had to)
- servername_ServerDisplayName(1).crt

The .crt file is the trickiest one - can I just copy this from somewhere else on the system?
October 8th, 2009 6:26am
Hi,
Please export the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name> to backup the registry key on the issuingCA, and follow the steps below to renew the CA certificate:
1. Change the value of the RequestFileName to c:\%1_%3%4.req.
2. Open Certification Authority console on the issuingCA.
3. Click Action and then click All Tasks and Renew CA Certificate.
4. Click Yes to generate a new key set, click OK.
5. In the CA Certificate Request page, you should see the message "If you want to send the request to an offline CA, click Cancel and send the request file at C:\ ServerDNSName_ CaName Cert_Suffix.req". Click Cancel.
6. After that, you should see a .req file generated in C drive. You can submit the .req file to the offline CA to renew the CA certificate.

This posting is provided "AS IS" with no warranties, and confers no rights.
October 12th, 2009 11:49am
Your process got me further than before, but I am once again stuck. I followed the 6 steps above. I was then able to:
- create the .req file
- transfer it to the intermediate CA
- submit it using the web interface
- issue the pending request using Certification Authority.mmc
- download the keychain from the web interface
- transfer the p7b file to the issuing server

I then tried to install the certificate using the command "certutil.exe installcert CACertFile.p7b". However, I received a series of errors. I have not been able to repeat the errors because each time I submit that same command I now receive:

CertUtil: -installCert command FAILED: 0x8007139f (WIN32: 5023)
CertUtil: The group or resource is not in the correct state to perform the requested operation.

I tried repeating the process from the point of submitting the .req file using the web interface, but I still get the same error. I neglected to take screenshots of the errors as they appeared. I'm afraid further assistance is required.

Additionally, when I view the issued certificate on the Intermediate CA, it has an expiry date only 1 year in the future. This certificate should last for 3 years, as per the original Issuing CA certificate. I'm obviously missing a step, how do I fix this? For reference, the Intermediate CA's certificate does not expire until 2016, so that is not the cause of the short certificate lifespan.

I have retrieved the following from the application event log:
A certificate in the chain for CA certificate 0 for DoJ Corporate Issuing has expired. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

However, this bit is clear enough - the validity period for the certificate doesn't start until tomorrow.
October 23rd, 2009 4:55am
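The following PowerShell is an added worked example, not code posted by anyone in this thread. It strings together the two points the thread turns on: backing up and repointing the RequestFileName registry value so the renewal writes a local .req file (the second answer's steps 1 and 6), and, once the offline parent has returned the PKCS#7 chain, checking every certificate's NotBefore/NotAfter against the local clock before running certutil -installCert, which is the check that would have surfaced the "not within its validity period" (0x800b0101) condition in the last post before the install was attempted. The CA name, paths and file names are placeholders; run it elevated on the issuing CA.

```powershell
# Added example (not from the thread). Placeholders: replace $caName with the
# CA's common name exactly as it appears under CertSvc\Configuration, and $p7b
# with the path of the chain file downloaded from the parent CA.
$caName = 'Issuing CA Name'
$regPath = "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
$regKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
$backup  = 'C:\CAConfigBackup\CertSvc-Configuration.reg'

# 1. Export the key before changing anything, as the answer advises.
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
& reg.exe export $regPath $backup /y

# 2. Record the current RequestFileName (the broken \\server\CertConfig share in
#    the thread), then point it at a local file using the %1/%3/%4 tokens.
$before = (Get-ItemProperty -Path $regKey -Name RequestFileName).RequestFileName
Write-Host "RequestFileName was: $before"
Set-ItemProperty -Path $regKey -Name RequestFileName -Value 'C:\%1_%3%4.req'

# 3. Run "Renew CA Certificate" in the console and click Cancel at the offline-CA
#    prompt; the request is then written to C:\ and can be carried to the parent.
Get-ChildItem -Path 'C:\*.req' -ErrorAction SilentlyContinue

# 4. After the parent CA returns the chain, check validity windows BEFORE installing.
#    X509Certificate2Collection.Import understands PKCS#7 (.p7b) files.
$p7b = 'C:\CACertFile.p7b'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($p7b)
$now = Get-Date
$problems = 0
foreach ($cert in $chain) {
    $state = if ($now -lt $cert.NotBefore) { 'NOT YET VALID' }
             elseif ($now -gt $cert.NotAfter) { 'EXPIRED' }
             else { 'valid' }
    if ($state -ne 'valid') { $problems++ }
    '{0,-14} {1:yyyy-MM-dd HH:mm}  {2:yyyy-MM-dd HH:mm}  {3}' -f $state, $cert.NotBefore, $cert.NotAfter, $cert.Subject
}

# 5. Install only when every certificate in the chain is inside its validity window;
#    otherwise certutil fails with 0x800b0101 and the event log entry seen in the thread.
if ($problems -eq 0) {
    & certutil.exe -installCert $p7b
} else {
    Write-Warning "$problems certificate(s) outside their validity period - fix the clock or wait before installing."
}
```

The NotBefore comparison is what matters for the symptom in the last post: a subordinate CA certificate whose validity starts "tomorrow" (because of clock skew between the offline parent and the issuing CA) will be rejected until the local clock catches up, so compare the two machines' clocks before issuing rather than after.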