Remember a few pages back, when we configured the first CA server in our environment, the Enterprise Root? We left many of the default options in place, which means that our root certificate was automatically given a validity period of five years. This seems like a long time, but five years can flash by in an instant, especially if you have kids. So what happens when that root certificate finally does expire? Bad things happen. You will definitely want to keep track of the expiration date on your root certificates, and make sure to renew them before they expire!
We just built this new CA server, so we are not in danger of our root certificate expiring anytime soon. However, it is important to understand how to accomplish this task, so we are going to walk through the process of renewing the root authority certificate. We will accomplish this task right from our CA server itself.
To renew your CA's root certificate, take the following steps:
Your top-level root certificate is critical to the overall health of your PKI infrastructure. If this certificate expires, every certificate that has ever been issued by your CA servers will immediately fail validation, because the chain each one depends on now ends at an expired root. Fortunately, renewing this root certificate is generally pretty easy. Simply follow our steps and you're back in business for another 5 or 10 years. When you renew the root authority certificate, the new copy of that certificate is published to the Trusted Root Certification Authorities list that Group Policy distributes. All domain-joined systems keep this list updated automatically through Group Policy, so whenever you add a new CA server or renew an existing root certificate, the trust in that new certificate is automatically distributed to all of your client machines and servers. Therefore, generally, all you have to do is renew the certificate and sit back and relax, because Group Policy will start pushing that new certificate into place all across your network.
However—and this is a BIG however—if you let your root authority certificate expire and you have issued certificates that clients and servers use for network authentication, the root certificate expiry will cause those systems to drop off the network. You can easily renew the root certificate and get the backend up and running, but without a valid way to authenticate to the network, the systems that rely on a valid certificate to connect to that network will be dead in the water. You will need to figure out an alternative way to connect them to the network and update their Group Policy before they will learn to trust the newly refreshed root authority certificate. This warning comes to mind for me because I just helped a company combat exactly this issue. Their root certificate expired, and they had whole offices' worth of people who were connecting to the data center and the domain solely through the DirectAccess remote connectivity technology. DirectAccess relies on certificates as part of its authentication process, so those remote systems were completely unable to communicate with the network once their root cert expired. We had to connect them to the network in a different way in order to pull down GPO settings and a new copy of the new root certificate before they could start connecting remotely again.
Moral of the story: make sure you mark your calendars to renew certificates BEFORE they expire!
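The two checks the passages above call for, keeping an eye on the root certificate's expiry date and confirming afterwards that the renewed root has reached domain members through Group Policy, can both be scripted. The following PowerShell is an added example, not from the book or from Microsoft's own tooling. It assumes nothing about your environment beyond the standard `Cert:` drive and `gpupdate`; the `-WarnDays` threshold and the `CN=CorpRootCA` subject used in the usage lines are assumptions you replace with your own values.

```powershell
# Added example (not from the book): audit certificate expiry on a CA server
# or any domain member, and verify that a leaf certificate still chains to a
# trusted root. Threshold and CA name below are assumptions.

function Get-ExpiringCertificate {
    [CmdletBinding()]
    param(
        # The CA's own certificate lives in the My store on the CA server; the
        # copy Group Policy distributes lands in the Root store on every member.
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root'),
        # Warn this many days ahead of NotAfter (assumed value; tune to taste).
        [int]$WarnDays = 90,
        # Optional wildcard filter on the subject, e.g. your CA's common name.
        [string]$SubjectLike = '*'
    )
    $now = Get-Date
    foreach ($path in $StorePath) {
        foreach ($cert in (Get-ChildItem -Path $path | Where-Object { $_.Subject -like $SubjectLike })) {
            $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
            if ($daysLeft -lt 0)              { $status = 'EXPIRED' }
            elseif ($daysLeft -le $WarnDays)  { $status = 'RENEW SOON' }
            else                              { $status = 'OK' }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                DaysLeft   = $daysLeft
                IsRootCA   = ($cert.Subject -eq $cert.Issuer)   # self-signed = root
                Status     = $status
            }
        }
    }
}

function Test-CertificateChain {
    # Builds the trust path for one certificate using the local machine's
    # stores. Revocation is skipped so the check works with no network, which
    # is exactly the situation the DirectAccess story above describes.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $valid = $chain.Build($Certificate)
    $root  = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        ChainValid = $valid
        Root       = $root
        # Empty when the chain is good; otherwise flags such as UntrustedRoot,
        # NotTimeValid or PartialChain tell you what is missing.
        Problems   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Usage on the CA server: anything expiring within a year, roots listed first.
Get-ExpiringCertificate -WarnDays 365 |
    Sort-Object IsRootCA -Descending |
    Format-Table Store, Subject, NotAfter, DaysLeft, Status -AutoSize

# Usage on a domain member after the renewal: refresh Group Policy, confirm the
# renewed root arrived, then confirm the machine's own certificates still chain.
gpupdate /target:computer /force
Get-ExpiringCertificate -StorePath 'Cert:\LocalMachine\Root' -SubjectLike 'CN=CorpRootCA*' |
    Format-Table Subject, Thumbprint, NotAfter, Status -AutoSize
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificateChain -Certificate $_ } |
    Format-Table Subject, ChainValid, Root, Problems -AutoSize
```

Run the first part as a scheduled task on the CA server and alert on any row whose `Status` is not `OK`; that is the calendar reminder the text asks for, enforced by a machine instead of memory. The second part is the check to run on a sample client once renewal is done: a `Problems` value of `UntrustedRoot` or `PartialChain` means Group Policy has not yet delivered the refreshed root to that machine, and `NotTimeValid` means the chain still ends at the expired one. Note that a renewed root certificate can carry either the original key pair or a new one; the old root stays published alongside the new one so that previously issued certificates keep chaining until it expires, which is why the audit above reports both copies from the Root store rather than assuming one per CA.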