Unable to renew Certificate - Event ID 22

Hi all,

I'm unable to renew a user's email certificate - just getting error 0x800b0101 (-2146762495).

Active Directory Certificate Services could not process request 19 due to an error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495).  The request was for E=alice.smart@aptest.com, CN=Alice Smart, CN=Users, DC=aptest, DC=com.  Additional information: Error Verifying Request Signature or Signing Certificate

The problem that I have is that my CA certificate is VALID until 2019. The CA is up and running (green checkmark symbol next to the CA when opening the snap-in).

Any thoughts how to resolve this? Am I missing some cert which might have expired?

The only other thing I saw was that my DC did get some new machine certs (also hosting the CA) but that shouldn't be relevant in the end...

Also: C:\>certutil -urlfetch -verify C:\install\ca-cert.cer
Issuer:
    CN=aptest-CA
    DC=aptest
    DC=com
Subject:
    CN=aptest-CA
    DC=aptest
    DC=com
Cert Serial Number: 47204d031e13b683465b2a4fc880588e

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=aptest-CA, DC=aptest, DC=com
  NotBefore: 05.08.2014 14:06
  NotAfter: 05.08.2019 14:16
  Subject: CN=aptest-CA, DC=aptest, DC=com
  Serial: 47204d031e13b683465b2a4fc880588e
  10 82 07 bc 84 06 72 0d 19 44 3b b5 f5 71 ca f4 c2 fe ba ff
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  10 82 07 bc 84 06 72 0d 19 44 3b b5 f5 71 ca f4 c2 fe ba ff
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Thx for helping!

BR
Dan


  • Edited by gongul Wednesday, August 19, 2015 12:15 PM
August 19th, 2015 12:11pm

Hi Dan,

Please check if this certificate has expired.

We cannot renew a certificate that has already expired. If we try to renew a certificate that has expired, the certification authority (CA) will reject the request, and the error you mentioned above will occur.

For detailed information, please refer to the link below:

https://technet.microsoft.com/en-us/library/cc725583.aspx?f=255&MSPPError=-2147217396

Best Regards.

August 23rd, 2015 9:52pm
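
The check suggested in the reply above, as an added example that is not part of the original thread: it lists the certificates in the current user's Personal store and reports whether each is still inside its validity period according to the local clock. The function name, the 30-day warning window and the output column names are assumptions made for illustration; run it in the affected user's session.

```powershell
$EmailEku = '1.3.6.1.5.5.7.3.4'   # Secure Email (id-kp-emailProtection)

function Get-RenewalReadiness {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyCollection()]
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]] $Certificate,
        [datetime] $Now = (Get-Date),   # local system clock, same basis as NotBefore/NotAfter
        [int] $WarnDays = 30            # assumed warning window, not a value from the thread
    )
    foreach ($cert in $Certificate) {
        # Collect EKU OIDs; a certificate without an EKU extension yields an empty list.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        $state = if     ($Now -lt $cert.NotBefore)                   { 'NotYetValid' }
                 elseif ($Now -gt $cert.NotAfter)                    { 'Expired' }
                 elseif ($cert.NotAfter -lt $Now.AddDays($WarnDays)) { 'ExpiringSoon' }
                 else                                                { 'Valid' }

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotBefore      = $cert.NotBefore
            NotAfter       = $cert.NotAfter
            SecureEmail    = $ekus -contains $EmailEku
            HasPrivateKey  = $cert.HasPrivateKey
            State          = $state
            # A renewal request is signed with the existing certificate, so the CA can
            # only verify it while that certificate is inside its validity period.
            CanSignRenewal = ($state -eq 'Valid' -or $state -eq 'ExpiringSoon') -and $cert.HasPrivateKey
        }
    }
}

# Inspect the current user's Personal store, oldest expiry first.
Get-RenewalReadiness -Certificate @(Get-ChildItem Cert:\CurrentUser\My) |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, SecureEmail, State, CanSignRenewal -AutoSize
```

A row with `State` of `Expired` or `NotYetValid` and `SecureEmail` set to `True` corresponds to the condition the event message describes; such a certificate has to be replaced through a new enrollment rather than a renewal.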
