Renew Issuing/Subordinate CA Certificate

 

I had a customer recently who needed to renew their issuing CA certificate as it was due to expire. I've written up some simple steps you can follow to renew this certificate, as there are a few TechNet articles around this subject and they're not totally clear on the process.

Steps to Renew if Root CA is online

  • Log on to your Issuing CA and open the Certificate Authority MMC
  • Right-click your Issuing CA > All Tasks > Renew CA Certificate
  • Press Yes to stop AD Certificate Services
  • Press No when asked to generate a new public/private key pair
  • Make sure the Computer Name is the FQDN of your Issuing CA and select your Root CA as your Parent CA
  • Press OK

  • Now go to your Root CA and open the Certificate Authority MMC
  • Select Pending Requests and issue the certificate renewal we requested earlier
  • Now go to Issued Certificates
  • Double-click the certificate you have just issued and go to the Details tab
  • Select Copy to File
  • Export the certificate as a CER file and copy it over to the Issuing CA
  • Now go back to your Issuing CA and right-click your CA > All Tasks > Install CA Certificate
  • Press Yes to stop AD Certificate Services
  • Change the file type in the dialog from P7B to CER and select your certificate file

  • Press Open and your Issuing CA certificate should be renewed :)

 

Steps to Renew if Root CA is offline

  • Log on to your Issuing CA and open the Certificate Authority MMC
  • Right-click your Issuing CA > All Tasks > Renew CA Certificate
  • Press Yes to stop AD Certificate Services
  • Press No when asked to generate a new public/private key pair
  • Make sure the Computer Name is the FQDN of your Issuing CA and select your Root CA as your Parent CA
  • Press Cancel

  • You should now have a REQ file on the C drive; copy this to your Root CA
  • Now go to your Root CA and open the Certificate Authority MMC
  • Right-click your Root CA > All Tasks > Submit New Request
  • Select the REQ file we have just copied onto the Root CA and select OK
  • Now go to Pending Requests and issue the certificate we just requested
  • Now go to Issued Certificates
  • Double-click the certificate you have just issued and go to the Details tab
  • Select Copy to File
  • Export the certificate as a CER file and copy it over to the Issuing CA
  • Now go back to your Issuing CA and right-click your CA > All Tasks > Install CA Certificate
  • Press Yes to stop AD Certificate Services
  • Change the file type in the dialog from P7B to CER and select your certificate file

  • Press Open and your Issuing CA certificate should be renewed :)
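
Before the Install CA Certificate step in either procedure above, the exported CER can be checked against the current Issuing CA certificate and the Root CA certificate. The script below is an added example, not part of the original write-up; the three file paths are placeholders, and it assumes the current Issuing CA certificate and the Root CA certificate have also been exported as CER files.

```powershell
# Added example: sanity-check a renewed Issuing CA certificate before installing it.
# The three default paths are placeholders (assumptions), not values from the article.
using namespace System.Security.Cryptography.X509Certificates
param(
    [string]$NewCertPath  = 'C:\Temp\IssuingCA-renewed.cer',  # exported from the Root CA
    [string]$OldCertPath  = 'C:\Temp\IssuingCA-current.cer',  # current Issuing CA certificate
    [string]$RootCertPath = 'C:\Temp\RootCA.cer'              # Root CA certificate
)

$new  = [X509Certificate2]::new($NewCertPath)
$old  = [X509Certificate2]::new($OldCertPath)
$root = [X509Certificate2]::new($RootCertPath)

# Build the chain with the root supplied explicitly. Revocation checking is
# skipped because an offline root's CRL may not be reachable from this host.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
[void]$chain.ChainPolicy.ExtraStore.Add($root)
$built  = $chain.Build($new)
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# The renewed certificate must still carry Basic Constraints with CA = true.
$bc = $new.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }

$checks = [ordered]@{
    'Same subject as current CA cert'    = $new.Subject -eq $old.Subject
    'Public key reused (answered No)'    = $new.GetPublicKeyString() -eq $old.GetPublicKeyString()
    'Basic Constraints marks it as a CA' = [bool]($bc -and $bc.CertificateAuthority)
    'Expires later than current cert'    = $new.NotAfter -gt $old.NotAfter
    'Does not outlive the Root CA cert'  = $new.NotAfter -le $root.NotAfter
    'Chain builds on this machine'       = $built
    'Chain ends at the supplied Root CA' = $anchor.Thumbprint -eq $root.Thumbprint
}

# Print one line per check, then any chain errors, and fail if a check failed.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if (-not $built) { $chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status)" } }
if ($checks.Values -contains $false) { exit 1 }
```

A FAIL on the public key line means the certificate was issued for a different key than the one the Issuing CA currently holds, which does not match a renewal where No was chosen for a new key pair.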

 

 
