Trouble renewing a subordinate certificate
Hi there,

I am trying to renew a subordinate CA certificate to an offline parent CA. My environment is Windows 2008 R2. I have a 3-tier PKI environment, and I am trying to renew the certificate in my bottom tier; the Root and Policy CAs are offline.

I'm using this guide: http://technet.microsoft.com/en-us/library/cc776691(WS.10).aspx

Within the guide, in the section "Using the Windows interface", I get to step 5, where I choose to reuse my keys or not. Either way, I never get the option to either "Send the request directly to a CA already on the network" or "Save the request to a file".

Am I missing something? Is the renewal certificate request stored inside the database? Is it something I can retire and then submit manually?

Thanks for your help,
Gary
November 25th, 2010 11:16am

You don't get this dialog window because (obviously) there are no other Enterprise CAs. When you press Renew CA Certificate and choose keys (existing or new), the request file is saved in the %systemdrive% root (by default C:\<long name>.req). You need to submit this request to the required issuer.

http://en-us.sysadmins.lv
November 25th, 2010 11:32am

Hi,

How's everything going? Please do not hesitate to respond back if you need further assistance.

Thanks.

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 2nd, 2010 8:51pm

I am also experiencing the same problem. I am running a Windows 2008 R2 Enterprise Subordinate CA that was issued by an offline Root CA. I am never prompted to save the request, nor does a request file appear in the root of the system drive. I am looking to renew this soon. I tried certutil -renewCert, but it returns this:

CertUtil: -renewCert command FAILED: 0x80070015 (WIN32: 21)
CertUtil: The device is not ready.

Any help would be appreciated.
January 4th, 2011 1:20pm

> CertUtil: -renewCert command FAILED: 0x80070015 (WIN32: 21)
> CertUtil: The device is not ready.

Check for the default CA request location:

certutil -getreg ca\requestfilename

http://en-us.sysadmins.lv
January 4th, 2011 1:46pm

Thanks! That solved it. I had migrated the CA from a Windows 2003 server, from which I imported all the registry settings (per Microsoft's documentation for CA migration). The requestfilename path was to a drive that does not exist on the new server. I corrected the path in the registry and the Certificate Services MMC now prompts for a parent CA or to save the file in the location specified in the registry. Thank you very much.
January 4th, 2011 2:41pm
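
The check that resolved this thread, as an added example that is not part of the original posts: a PowerShell function that tests whether the CA's RequestFileName value points at a drive and folder that exist on the current server, the condition behind the "device is not ready" error after the migration. The function name Test-CaRequestFilePath and the fallback sample paths are assumptions constructed for illustration; the registry location is the one that certutil -getreg ca\requestfilename reads.

```powershell
# Added example (hypothetical helper name). Written for PowerShell 2.0,
# which is what Windows Server 2008 R2 ships with.
function Test-CaRequestFilePath {
    param([Parameter(Mandatory=$true)][string]$RequestFileName)

    # .NET path helpers are used instead of Split-Path/Test-Path so that a
    # path on a missing drive is reported instead of raising a provider error.
    $root = [System.IO.Path]::GetPathRoot($RequestFileName)
    $dir  = [System.IO.Path]::GetDirectoryName($RequestFileName)
    if (-not $dir) { $dir = $root }

    $rootOk = ([bool]$root) -and [System.IO.Directory]::Exists($root)
    $dirOk  = ([bool]$dir)  -and [System.IO.Directory]::Exists($dir)

    New-Object PSObject -Property @{
        RequestFileName = $RequestFileName
        Root            = $root
        RootExists      = $rootOk
        Directory       = $dir
        DirectoryExists = $dirOk
        # Renewal can only write the .req file if the target folder exists.
        Usable          = $rootOk -and $dirOk
    }
}

$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path -LiteralPath $cfg) {
    # On a CA: "Active" names the subkey that holds the running CA's settings.
    $active = (Get-ItemProperty -LiteralPath $cfg).Active
    $caKey  = Join-Path $cfg $active
    $values = @((Get-ItemProperty -LiteralPath $caKey).RequestFileName)
} else {
    # Not a CA: constructed sample values, one on the system drive and one on
    # a drive letter that is assumed not to exist on this machine.
    $values = @("$env:SystemDrive\sample-ca.req", 'Q:\CAConfig\sample-ca.req')
}

$values | ForEach-Object { Test-CaRequestFilePath -RequestFileName $_ } |
    Select-Object RequestFileName, Root, RootExists, DirectoryExists, Usable |
    Format-Table -AutoSize
```

A row with Usable = False after a migration means the imported path needs correcting before the renewal request can be written.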

This topic is archived. No further replies will be accepted.
