Renewing your root certificate

Remember a few pages back, when we configured the first CA server in our environment, the Enterprise Root? We left many of the default options in place, and that means that our root certificate is set automatically with a validity period of five years. This seems like a long time, but five years can flash by in an instant, especially if you have kids. So what happens when that root certificate finally does expire? Bad things happen. You will definitely want to keep track of the expiration date on your root certificates, and make sure to renew them before they expire!

Getting ready

We just built this new CA server, so we are not in danger of our root certificate expiring anytime soon. However, it is important to understand how to accomplish this task, so we are going to walk through the process of renewing the root authority certificate. We will accomplish this task right from our CA server itself.

How to do it…

To renew your CA's root certificate, take the following steps:

  1. Log into the Enterprise Root CA server and open the Certification Authority management console.
  2. Right-click on the name of your CA, navigate to All Tasks and then choose Renew CA Certificate...


    Tip

    If you haven't stopped ADCS during this process, you will be prompted to do so. Go ahead and click Yes in order to stop the certificate processes temporarily.

  3. On the Renew CA Certificate screen, you only have one option to worry about. You need to choose whether you want to generate a new key pair for the new root certificate or re-use the existing one. If you have published many certificates from this CA, it is generally easier to say No to this and let it re-use the existing key pair. As you can see on the screen, there are some situations where you would want to choose Yes and create a new key pair, so the correct answer to this question is going to depend on your situation and your needs.


  4. Click OK, and the new root certificate is immediately created and starts being distributed via Group Policy.

How it works…

Your top-level root certificate is critical to the overall health of your PKI infrastructure. If this certificate expires, every single certificate that has ever been issued from your CA servers will immediately become invalid. Fortunately, renewing this root certificate is generally pretty easy. Simply follow our steps and you're back in business for another 5 or 10 years. When you renew the root authority certificate, it places the new copy of that certificate into Group Policy's Trusted Root Authorities location. All systems joined to a domain keep this list updated automatically through Group Policy so that whenever you add a new CA server or renew an existing root certificate, the new trusts associated with that new certificate are automatically distributed to all of your client machines and servers. Therefore, generally, all you have to do is renew the certificate and sit back and relax, because Group Policy will start pushing that new certificate into place all across your network.

However—and this is a BIG however—if you let your root authority certificate expire and you have issued certificates that are being used by clients and servers for network authentication, the root certificate expiry will cause those systems to no longer be able to connect to the network. You can easily renew the root certificate and get the backend up and running, but without a valid way to authenticate to the network, your systems that rely on a valid certificate to connect to that network will be dead in the water. You will need to figure out an alternative way to connect them to the network and update their Group Policy before they will learn to trust the newly refreshed root authority certificate. This warning comes to mind for me because I just helped a company combat exactly this issue. Their root certificate expired, and they had whole offices' worth of people who were connecting to the data center and the domain solely through the DirectAccess remote connectivity technology. DirectAccess relies on certificates as part of its authentication process, so those remote systems were completely unable to communicate with the network once their root cert expired. We had to connect them to the network in a different way in order to pull down GPO settings and a new copy of the root certificate before they could start connecting remotely again.

Moral of the story: make sure you mark your calendars to renew certificates BEFORE they expire!
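A way to keep that calendar reminder honest is to have a machine check the expiry dates for you. The following PowerShell is an added example, not code from the book: it reads the local machine's Trusted Root Certification Authorities store (the store Group Policy populates) and reports any root that is expired or inside an assumed warning window. The function name and the 180-day threshold are my own choices.

```powershell
# Added example (not from the book): list certificates in the local machine's
# Trusted Root Certification Authorities store and flag those nearing expiry.
# Runs on any domain-joined machine; schedule it to get an early warning.
function Get-ExpiringRootCert {
    param(
        # Warn when this many days or fewer remain (assumed threshold)
        [int]$WarnDays = 180,
        # Store to inspect; LocalMachine\Root is where GPO publishes trusted roots
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        # NotAfter is the certificate's expiry; subtracting dates gives a TimeSpan
        $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
        if ($daysLeft -lt 0)              { $status = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays)  { $status = 'RENEW SOON' }
        else                              { $status = 'OK' }
        [PSCustomObject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    } | Where-Object { $_.Status -ne 'OK' } | Sort-Object DaysLeft
}

# Usage: show roots that are already expired or expire within six months
Get-ExpiringRootCert -WarnDays 180 | Format-Table -AutoSize
```

On the CA server itself, pass `-StorePath 'Cert:\LocalMachine\My'` to include the CA's own certificate, which lives in the machine's personal store alongside its private key.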
