Recertifying a certificate on an ADCS server


If you have a Windows Certificate Authority (ADCS) and you need to re-certify the CA certificate because it is getting close to expiry (the default lifetime is 5 years), then you need to complete the following actions:

  1. Run certsrv.msc
  2. Right click on the CA name > All Tasks > Renew CA Certificate > choose Yes to stop the CA service > choose the relevant option about key renewal, then click OK
  3. If the ADCS server is domain joined it will automatically publish its updated certificate to AD

Command Line Warrior

If you would rather do this from the command line, I get that, and these are the commands. Remember to run one or the other, not both, or you will recertify your CA twice!

Recertify the CA with a new key: certutil -renewCert
Recertify the CA with the current key: certutil -renewCert ReuseKeys

Process will Stop and Start ADCS

While the renewal runs, the ADCS service stops, you are shown the key renewal options below, and the service then starts itself again.

Renew CA key?

When you do this you will be asked if you would like to generate a new public and private key. If you are only extending the certificate lifetime then you can say yes to this option.


Note: If you use certificate pinning then you may wish to say no to a new key. If you say yes you will need to manually update all your pinned certificates, so if this is a factor choose "no".

Offline CA

If your CA is offline then you will need to manually run this command to publish the CA certificate to AD DS, and this is it:

certutil.exe -f -dspublish newrootcert.cer RootCA

Replace "newrootcert.cer" with the actual certificate file you export from the CA; the rest of the command stays as it is.

Renewed and all good?


Well, this depends. If you give it time for replication then yes, but if like me you then monitor it, you can do this with "Enterprise PKI" from the MMC. When you look at your CA server you will notice that for a short time, while AD DS replicates, it shows the root certificate as untrusted.


Untrusted root certificates are a bad thing, but this is only temporary. Your impatience gets you looking at why, and this is down to the fact that the "pulse" for the new data has not yet run, so once replication has occurred you can run this command to force it through:

certutil -pulse

Then when you check the PKI console you will see that the certificates are once again valid and available.
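If you want to check the same thing without the console, the following PowerShell compares the CA certificates published in AD DS (where "Renew CA Certificate" and certutil -dspublish write them) against what the local machine trusts as a root, so you can see the "untrusted" window close on a given client. This is an added example, not code from the original post; it assumes a domain-joined machine and uses a placeholder CA name that you must replace with your own.

```powershell
# Added example (not from the original post). Run on a domain-joined machine.
# Placeholder: replace with the common name of your CA as shown in certsrv.msc.
$CaName = 'PLACEHOLDER-ROOT-CA'

# Locate the forest's Configuration naming context via RootDSE.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext

# The CA object in the Certification Authorities container holds one DER blob per
# CA certificate in its multi-valued cACertificate attribute (old and renewed).
$caPath = "LDAP://CN=$CaName,CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"
$caObj  = [ADSI]$caPath

$published = foreach ($der in $caObj.Properties['cACertificate']) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
}

# What this machine currently trusts as a root; this is what the autoenrollment
# pulse (certutil -pulse / Group Policy refresh) eventually updates.
$localRoots = Get-ChildItem Cert:\LocalMachine\Root

# One row per published CA certificate: TrustedHere = $false while replication
# and the pulse are still catching up, $true once the client trusts it.
$published | Sort-Object NotBefore | ForEach-Object {
    [pscustomobject]@{
        Subject     = $_.Subject
        Thumbprint  = $_.Thumbprint
        NotBefore   = $_.NotBefore
        NotAfter    = $_.NotAfter
        TrustedHere = ($localRoots.Thumbprint -contains $_.Thumbprint)
    }
} | Format-Table -AutoSize
```

A renewed CA appears as a second row with a later NotBefore; if it stays at TrustedHere = $false after replication has finished, run certutil -pulse on that client and re-run the script.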


Why the rush, give it some time?

When you renew the certificate it needs to trickle down to all the computers in the domain before they trust the new root certificate. If you issue a certificate immediately after renewing the CA, for a short time you may see certificate errors because the device does not trust the new CA certificate just yet.

The default value is every 5 minutes for the duration of 1 day.
