Renew Certificate Authority

A Certificate Authority (CA) can only issue certificates within the validity window of its own CA certificate. Once the system clock passes the end of that window, the CA can no longer issue certificates, as shown below:


To check the expiration date of the current CA certificate, launch the Certificate Authority MMC snap-in (certsrv.msc). From there, open the properties in the context menu of the CA, and under the General tab, you'll find a list of all the issued CA certificates.

This shows whether the certificate has already expired or, as in this case, is about to expire: here it expires at the end of next year.



You can also confirm this with pkiview.msc, which shows the same data for all the certificate authorities in the domain, as below:
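The same expiry check can be scripted instead of read from the MMC. The following PowerShell function is an added example, not part of the original post: run on the CA server, it lists every CA certificate in the machine Personal store (where AD CS keeps the CA's own certificates), with the days remaining and a status flag. The 365-day warning threshold is an assumption; unlike pkiview.msc it only covers the local CA, not every CA in the domain.

```powershell
# Added example (not from the original post). Assumes it runs on the CA
# server, where AD CS stores the CA certificates in Cert:\LocalMachine\My.
function Get-CACertificateExpiry {
    param([int]$WarnDays = 365)   # warning threshold: an assumption, adjust to taste

    # CA certificates are the ones whose BasicConstraints extension says CA = True
    $caCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $bc = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $bc -and $bc.CertificateAuthority
    }

    foreach ($cert in $caCerts) {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Status     = if ($daysLeft -lt 0)             { 'EXPIRED' }
                         elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                         else                             { 'OK' }
        }
    }
}

# Oldest expiry first, so a CA that needs renewing is at the top of the list
Get-CACertificateExpiry | Sort-Object NotAfter | Format-Table -AutoSize
```

A CA that has been renewed before will show more than one certificate here (one per renewal); the one with the latest NotAfter is the one currently used for issuing.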


If you wish to renew for more than 5 years, create a file called CaPolicy.inf in %SystemRoot% on the CA server and format it like this:

Note: in this example I have chosen 10 years and a key length of 2048 bits; if you require a different key length or validity period, update the file accordingly.


Then renew the certificate on the CA. Yes, you can use the GUI, but I prefer PowerShell, and these are the commands:

certutil -renewCert ReuseKeys
Restart-Service -Name CertSvc

You then need to publish the renewed certificate to Active Directory with this command, where <RootCACertificate-File> is the CER file exported from the CA:

certutil -f -dspublish <RootCACertificate-File> RootCA

All done: the CA now has a new certificate valid for 10 years.
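The whole procedure (policy file, renewal, publication, verification) as one script, added here as an example rather than taken from the post. Assumptions: it runs in an elevated PowerShell on the root CA; the 10-year validity and 2048-bit key are the values the post chose; the export path C:\Temp\RootCA-renewed.cer is a placeholder; and `Get-ActiveCACertificate` is a helper defined here, which finds the newest CA certificate through the CertSvc registry keys (`Active` and `CACertHash`). Two caveats worth knowing: `RenewalKeyLength` in CAPolicy.inf only takes effect when a new key pair is generated, so with `ReuseKeys` the existing key and its length are kept; and for a subordinate CA the renewal step produces a request that the parent CA must sign, and the publish step uses `SubCA` instead of `RootCA`.

```powershell
# Added example (not from the original post). Run elevated on the root CA.
$ErrorActionPreference = 'Stop'

# 1. CAPolicy.inf in %SystemRoot%. Only the renewal keys matter here; the
#    values are the post's choice (10 years, 2048-bit). Single-quoted
#    here-string so "$Windows NT$" is not interpolated.
$policy = @'
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
'@
Set-Content -Path (Join-Path $env:SystemRoot 'CAPolicy.inf') -Value $policy -Encoding ASCII

# Helper (assumption: this is how the CA records its certificates): the
# CertSvc configuration key names the active CA, and that CA's CACertHash
# value lists the hash of every CA certificate, newest last.
function Get-ActiveCACertificate {
    $cfg  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $name = (Get-ItemProperty -Path $cfg).Active
    $hash = ((Get-ItemProperty -Path "$cfg\$name").CACertHash | Select-Object -Last 1) -replace '\s', ''
    Get-Item -Path "Cert:\LocalMachine\My\$hash"
}

# 2. Remember the current certificate so the result can be checked afterwards.
$old = Get-ActiveCACertificate
Write-Host "Current CA certificate $($old.Thumbprint) expires $($old.NotAfter)"

# 3. Renew with the existing key pair and restart the CA service (the post's commands;
#    the service name is CertSvc).
certutil -renewCert ReuseKeys
Restart-Service -Name CertSvc

# 4. Export the renewed CA certificate and publish it to Active Directory.
$cerFile = 'C:\Temp\RootCA-renewed.cer'   # placeholder path
New-Item -ItemType Directory -Force -Path (Split-Path $cerFile) | Out-Null
certutil -ca.cert $cerFile
certutil -f -dspublish $cerFile RootCA

# 5. Verify: a different certificate must now be active, with the expected lifetime.
$new = Get-ActiveCACertificate
if ($new.Thumbprint -eq $old.Thumbprint) { throw 'CA certificate was not renewed' }
$years = ($new.NotAfter - $new.NotBefore).Days / 365.25
'New CA certificate {0} valid until {1} (about {2:N1} years)' -f $new.Thumbprint, $new.NotAfter, $years
```

If step 5 reports roughly 5 years instead of 10, CAPolicy.inf was not picked up: check that it sits directly in %SystemRoot% and was in place before `certutil -renewCert` ran.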
