I went ahead and renewed the Certificate Authority itself (right click the CA, all tasks, renew), using the same public/private keys.

Do I need to do anything else to make sure things don't start to fail next week?

Will the certificates set to expire such as domain controller certificates, web server certificates, CA Exchange, etc. auto-renew on that original date or do I need to do something now to make sure everything still works come next week?

HopelessN00b
TheCleaner

1 Answer

If you manually published the cert to any web sites, or into any policies, then you need to re-publish the cert to those locations so the CA cert gets updated on the clients.

Will the certificates set to expire such as domain controller certificates, web server certificates, CA Exchange, etc. auto-renew on that original date or do I need to do something now to make sure everything still works come next week?

They are probably all close to expiring soon, since Windows will not allow you to sign a cert so that it will expire later than the CA cert expires.

If auto-renewal was already set up and working, then any system that got a cert automatically should start requesting and getting a new cert automatically.

Any certs you manually issued will probably have to be manually renewed.

Zoredache
  • was I right to manually renew the CA? I don't recall doing it back in 2007 at all (the old cert said 2/27/07 to 2/27/12). By default, do the templated certs like Computer, Domain Controller Authentication, Workstation Authentication, etc. auto-renew once the 27th rolls around? Should I open a ticket with Microsoft to have them look it over just to be sure? I don't want to deal with an entire company being down next week. – TheCleaner Feb 24 '12 at 21:21
  • 2
    @TheCleaner Do some spot-checking to verify that the clients are trusting the new cert from their automatic domain trust, make sure that any AIA locations on the cert have the new one, and do what you can to make sure that you've trusted the new cert everywhere that the old cert's trusted if it was done manually. The existing certs will autorenew on the same schedule that they were doing previously; they might be doing it already. I believe a manual renewal is always required for the root. – Shane Madden Feb 24 '12 at 21:26
  • 1
    The renewal period is set in the templates. I don't remember the exact setting, or have a reference, but assuming default settings I am pretty sure they will start trying to renew about 8 days before before they expire. – Zoredache Feb 24 '12 at 21:28
  • @Shane - I don't know how to do what you are stating in the spot check or what AIA locations are. – TheCleaner Feb 24 '12 at 21:49
  • Check and make sure that your domain clients have updated the certificate in the trusted roots; this should be automatic for clients on an active directory domain. Also, if anyone's imported the certificate manually (say, for instance, a Linux web server that trusts the root certificate for client authentication, or presents it in a certificate chain? A piece of third party software that makes an LDAPS connection to the domain controllers?), then you'll need to find and manually update those - unless those systems don't pay attention to expiration on the root. – Shane Madden Feb 24 '12 at 22:20
  • FYI, it appears everything worked well today, not sure if I even had to manually renew the CA cert, but the DC's, etc. all auto-renewed. Thanks for your help and assurances on this, both of you. – TheCleaner Feb 27 '12 at 17:19
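The spot-checks discussed in the answer and comments, written out as an added PowerShell example (mine, not code from the original thread). Run on a domain-joined Windows host after a same-key CA renewal, it (1) confirms the renewed CA certificate reached the machine's Trusted Root store (same key pair means same Subject, so the newest NotAfter is the one that matters), (2) lists the certificates that CA issued to this machine with days left, template and the CA certificate they currently chain to, and (3) downloads the CA certificate from each HTTP AIA URL on an issued certificate and compares its thumbprint with the renewed one. `$CaName`, the 30-day threshold and the `.crt` filter on AIA URLs are assumptions; substitute your CA's subject CN. LDAP AIA locations are not checked.

```powershell
# Added example, not part of the original thread. Assumes a domain-joined
# Windows host; $CaName is a placeholder for the CA's subject CN.
$CaName   = 'Contoso-CA'
$WarnDays = 30

# 1. Trusted Root: after a same-key renewal the new CA cert has the same
#    Subject as the old one, so look for the newest NotAfter under that name.
$rootCerts = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$CaName*" } |
    Sort-Object NotAfter -Descending
if (-not $rootCerts) {
    Write-Warning "No certificate for $CaName in Trusted Root; Group Policy has not delivered it yet"
    return
}
$newCa = $rootCerts[0]
'Newest trusted CA cert: {0} valid until {1:yyyy-MM-dd}' -f $newCa.Thumbprint, $newCa.NotAfter
if ($newCa.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
    Write-Warning "Only the expiring CA cert is trusted on this host; the renewed one has not propagated"
}

# 2. Certs issued by this CA: days left, template, and which CA cert they chain to.
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "CN=$CaName*" }
$issued | ForEach-Object {
    $cert  = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($cert)      # returns $false on a broken chain; elements are still populated
    $last  = $chain.ChainElements.Count - 1
    # v2 template info (1.3.6.1.4.1.311.21.7) or v1 template name (1.3.6.1.4.1.311.20.2)
    $tmpl  = $cert.Extensions |
        Where-Object { $_.Oid.Value -in @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') } |
        Select-Object -First 1
    $tmplText = if ($tmpl) { $tmpl.Format($false) } else { '(no template: manually issued)' }
    $chainsTo = if ($last -ge 0) { $chain.ChainElements[$last].Certificate.Thumbprint } else { '' }
    $status   = ($chain.ChainStatus | ForEach-Object Status) -join ','
    [pscustomobject]@{
        Subject  = $cert.Subject
        DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Template = $tmplText
        ChainsTo = $chainsTo
        Status   = if ($status) { $status } else { 'OK' }
    }
} | Sort-Object DaysLeft | Format-Table -AutoSize

# 3. AIA: fetch the CA cert from each HTTP AIA URL on an issued cert and compare
#    thumbprints. A stale file here breaks chain building on hosts that do not
#    already hold the renewed CA cert in their own store.
$sample = $issued | Select-Object -First 1
if ($sample) {
    $aia  = $sample.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    $urls = if ($aia) {
        [regex]::Matches($aia.Format($true), 'https?://\S+\.crt') | ForEach-Object Value
    } else { @() }
    foreach ($u in $urls) {
        $tmp = Join-Path $env:TEMP 'aia-check.crt'
        try {
            Invoke-WebRequest -Uri $u -UseBasicParsing -OutFile $tmp -ErrorAction Stop
            $pub   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
            $state = if ($pub.Thumbprint -eq $newCa.Thumbprint) { 'OK   ' } else { 'STALE' }
            '{0} {1} serves CA cert valid until {2:yyyy-MM-dd}' -f $state, $u, $pub.NotAfter
        } catch {
            Write-Warning "AIA $u unreachable or not a certificate: $_"
        } finally {
            Remove-Item $tmp -ErrorAction SilentlyContinue
        }
    }
}
```

If step 1 warns, `gpupdate /force` pulls the renewed root from the domain's Trusted Root policy; if step 2 shows autoenrolled certificates still inside their renewal window, `certutil -pulse` triggers the autoenrollment task immediately instead of waiting for its next scheduled run. Anything step 2 marks as manually issued, and any STALE AIA file from step 3, has to be handled by hand, as the answer says.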