
We have an offline RootCA which still has a valid certificate. Our subordinate issuing CA unfortunately expired before we renewed. How does one recover from this scenario? Windows Server 2016 environment.

Jim Hankins
  • Just go through the renewal process as normal. – Crypt32 Jun 15 '20 at 19:17
  • So this is Windows 2016 Core. When using remote mmc I'm not seeing an option for this. I'm presuming I'm going to need to do this via command line on the console somehow? – Jim Hankins Jun 15 '20 at 20:26
  • `certutil -renewcert` and then `certutil -installcert` – Crypt32 Jun 15 '20 at 20:28
  • CertUtil: -renewCert command FAILED: 0x8007139f (WIN32: 5023 ERROR_INVALID_STATE) CertUtil: The group or resource is not in the correct state to perform the requested operation. I'm presuming this is because it's expired? – Jim Hankins Jun 15 '20 at 21:18
  • I should add that the RootCA is an offline CA. – Jim Hankins Jun 15 '20 at 21:48
  • Add the `-f` switch: `certutil -f -renewcert`. This command will generate a request which is placed in the root directory of the system drive. Submit the request to the root CA, download the certificate and run `certutil -installcert`. – Crypt32 Jun 16 '20 at 06:30

1 Answer

As Crypt32 stated, the solution to this was simply to use `certutil -f -renewcert` but with the `reusekeys` option. Then submit the request on the offline CA, approve it, and export the cert to a file to be installed on the issuing CA.

Jim Hankins
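The full sequence from the comments and the answer, written out as an added example (not part of the question or answer above). Host names, CA names, file paths and the request ID are placeholders; the `.req` file name follows the usual `<ServerName>_<CAName>.req` pattern, which is an assumption here.

```powershell
# Added example: renewing an expired subordinate (issuing) CA certificate against an
# offline root CA, as described in the thread. Steps 1 and 3 run on the issuing CA
# (Server Core), step 2 on the offline root. Files move between hosts by removable
# media because the root has no network connectivity.

# ---- Step 1: on the expired issuing CA ----
# Confirm the current CA certificate is really expired (look at NotAfter).
certutil -cainfo

# Generate the renewal request. -f is required because the CA is in an invalid
# (expired) state; reusekeys keeps the existing key pair so certificates and CRLs
# already issued still chain to the same key. The request lands in the root of
# the system drive.
certutil -f -renewcert reusekeys
Get-ChildItem "$env:SystemDrive\*.req"          # e.g. ISSUINGHOST_Contoso Issuing CA.req

# ---- Step 2: on the offline root CA ----
# Submit the request. A standalone root normally leaves it pending for approval
# and prints the RequestId.
certreq -submit -config "ROOTHOST\Contoso Root CA" `
    "D:\ISSUINGHOST_Contoso Issuing CA.req" "D:\issuing.cer"

$RequestId = 5                                    # placeholder: use the ID printed above
# Approve the pending request and retrieve the issued certificate to a file.
certutil -resubmit $RequestId
certreq -retrieve -config "ROOTHOST\Contoso Root CA" $RequestId "D:\issuing.cer"

# ---- Step 3: back on the issuing CA ----
certutil -installcert "D:\issuing.cer"
Restart-Service CertSvc

# CRL publication failed while the CA certificate was expired, so publish a fresh
# CRL immediately or clients will keep failing revocation checks.
certutil -crl

# Verify the installed CA certificate and its chain, fetching the AIA/CDP URLs
# so that a stale CDP or AIA location is caught now rather than by clients.
certutil -ca.cert "$env:TEMP\issuing-new.cer"
certutil -verify -urlfetch "$env:TEMP\issuing-new.cer"
```

If the root CA is configured to issue automatically rather than hold requests pending, `certreq -submit` writes the certificate straight to the output file and the `-resubmit`/`-retrieve` steps are unnecessary.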