Server 2008 Enterprise Certificate Authority Issues
Hey Guys,
I've inherited a massive mess of a CA server. Anyway, I've just noticed that basically every certificate is set to expire today, and every time I try and request a new certificate I get the following entries in the 'Failed Requests' folder in the CA:
'The certificate template renewal period is longer than the validity period. The template should be reconfigured or the CA certificate renewed.'
Now, when I go into the properties of the CA, have a look at the General tab and look at the CA root certificate, it was issued to Ball-DW-SVR (current CA server), issued from Ball-Svr05 (no idea what this server used to be, but it's definitely not an active server now), and the expiry date is today.
Therefore, I guess the biggest issue is that the root CA is expiring today, hence that's why I can't issue any other certificates. Now my problem is, I don't know how to get a new root CA, as from the info above it looks like the current CA thinks that Ball-Svr05 is the master CA (even though the server no longer exists).
Does anyone know how I can completely remove all traces of this Ball-Svr05 from the CA and get a new root certificate installed?
February 22nd, 2011 5:32pm
You are in a tear down and redeploy at this time (sorry for the bad news). The CA you are looking at is not a root CA, but is a subordinate CA, and if it is an MS CA it also expired today.
Someone decommissioned the root CA without reconfiguring the PKI.
1) You will have to create a new root CA
2) If the subordinate CA certificate has not expired, you will be able to renew the subCA with the new root CA.
In all likelihood, you will have to create a new root CA, a new subordinate CA and redeploy all issued certificates. You do not really have to worry about replacing any certificates that are valid, as all certificates are time invalid after today.
Sorry for the bad news
Brian
February 22nd, 2011 8:17pm
No, don't be sorry. I figured that it was a complete mess and it would probably be a lot easier and faster to tear it down and start fresh. At least this way I can stop searching for a way to fix it...
From the looks of it: Ball-svr05 (root CA, expires in 2013), the current live CA (ball-dw-svr, expires today). So it looks like I can't renew the subCA.
Anyway,
Now I would like to keep the CA on the same server. Therefore:
1. Can I simply remove the CA role from the server?
2. Make sure it's removed from AD Sites and Services in the Public Key Services container. (I've removed the other non-existent CAs from there... 5 in total.)
3. Simply reinstall the CA role onto the server and then create the certificate templates I'd created beforehand?
Is there anything else that I should look into to make sure that there are no remnants of any other old CA?
February 22nd, 2011 10:07pm
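For the "remnants of old CAs" question above, here is an added example (not from this thread or from Microsoft) that lists every CA certificate still published under the AD Public Key Services container, with the sub-container it lives in and its expiry, so stale objects for a decommissioned CA can be identified before they are deleted. It assumes a domain-joined host with read access to the Configuration partition and uses only the built-in [ADSI] and DirectorySearcher types; the Get-PublishedCaCertificates function name is my own.

```powershell
# Added example (not from the thread): report every CA certificate published in the AD
# "Public Key Services" container together with the container it sits in and its expiry.
# Assumes a domain-joined host with read access to the Configuration partition.
function Get-PublishedCaCertificates {
    $configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$pkiBase"
    $searcher.SearchScope = "Subtree"
    $searcher.Filter      = "(cACertificate=*)"   # any object that carries a CA certificate
    $searcher.PageSize    = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("distinguishedname", "cacertificate", "dnshostname"))

    foreach ($result in $searcher.FindAll()) {
        $dn     = [string]$result.Properties["distinguishedname"][0]
        # Parent RDN = Certification Authorities, AIA or Enrollment Services;
        # NTAuthCertificates sits directly under the PKI base (assumes no escaped commas in the RDN).
        $parent = $dn.Substring($dn.IndexOf(",") + 1)
        if ($parent -eq $pkiBase) { $container = "(PKI base)" }
        else { $container = $parent.Substring(0, $parent.Length - $pkiBase.Length - 1) }

        $hostName = ""   # dNSHostName is only populated on Enrollment Services objects
        if ($result.Properties.Contains("dnshostname")) { $hostName = [string]$result.Properties["dnshostname"][0] }

        # cACertificate is multi-valued (NTAuthCertificates holds one value per trusted CA)
        foreach ($raw in $result.Properties["cacertificate"]) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
            New-Object PSObject -Property @{
                Container  = $container
                ObjectDN   = $dn
                CAHost     = $hostName
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

# Expired entries, and entries whose Issuer or CAHost no longer exists, are the ones to review.
Get-PublishedCaCertificates |
    Sort-Object NotAfter |
    Format-Table Container, Subject, Issuer, NotAfter, Expired, CAHost -AutoSize
```

Removing an entry is a separate, deliberate step (certutil -dsdel or adsiedit.msc) once you have confirmed from this report which objects belong to the dead CA.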
Quick question...
When I run the 'certutil -key' command I can't seem to find an entry for the private root key. I get the following return; do I need to go through adsiedit.msc to remove it all?
C:\certutil -key
Microsoft Strong Cryptographic Provider:
iisConfigurationKey
6de9cb26d2b98c01ec4e9e8b34824aa2_3b12e707-0127-4fba-ad5a-cc5705f4bf7f
AT_KEYEXCHANGE
iisWasKey
76944fb33636aeddb9590521c2e8815a_3b12e707-0127-4fba-ad5a-cc5705f4bf7f
AT_KEYEXCHANGE
MS IIS DCOM Server
7a436fe806e483969f48a894af2fe9a1_3b12e707-0127-4fba-ad5a-cc5705f4bf7f
AT_KEYEXCHANGE, AT_SIGNATURE
Microsoft Internet Information Server
c2319c42033a5ca7f44e731bfd3fa2b5_3b12e707-0127-4fba-ad5a-cc5705f4bf7f
AT_KEYEXCHANGE, AT_SIGNATURE
NetFrameworkConfigurationKey
d6d986f09a1ee04e24c949879fdb506c_3b12e707-0127-4fba-ad5a-cc5705f4bf7f
AT_KEYEXCHANGE
TSSecKeySet1
f686aace6942fb7f7ceb231212eef4a4_3b12e707-0127-4fba-ad5a-cc5705f4bf7f
AT_KEYEXCHANGE
February 22nd, 2011 11:01pm