I had a customer recently who needed to renew their issuing CA certificate as it was due to expire. I've written up some simple steps you can follow to renew this certificate, as there are a few TechNet articles on this subject and they're not totally clear on the process.
Steps to Renew if Root CA is online
- Log onto your Issuing CA and open the Certificate Authority MMC
- Right click on your Issuing CA > All Tasks > Renew CA Certificate
- Press Yes to Stop AD Certificate Services
- Press No when asked to generate a new public/private key pair
- Make sure the Computer Name is the FQDN of your Issuing CA and select your Root CA as your Parent CA
- Press OK
- Now go to your Root CA and open the Certificate Authority MMC
- Select pending requests and issue the Certificate renewal we requested earlier
- Now go to issued certificates
- Double click the certificate you have just issued and go to the Details tab
- Select copy to file
- Export the certificate as a CER file and copy the certificate over to the Issuing CA
- Now go back to your Issuing CA, right click your CA > All Tasks > Install CA Certificate
- Press Yes to Stop AD Certificate Services
- Change the file extension filter in the file dialog from P7B to CER and select your certificate file
- Press Open and your Issuing CA cert should be renewed :)
Steps to Renew if Root CA is offline
- Log onto your Issuing CA and open the Certificate Authority MMC
- Right click on your Issuing CA > All Tasks > Renew CA Certificate
- Press Yes to Stop AD Certificate Services
- Press No when asked to generate a new public/private key pair
- Make sure the Computer Name is the FQDN of your Issuing CA and select your Root CA as your Parent CA
- Press Cancel
- You should now have a REQ file on the C drive; copy this to your Root CA
- Now go to your Root CA and open the Certificate Authority MMC
- Right click your Root CA > All Tasks > Submit New Request
- Select the REQ file we have just copied onto the Root CA and select OK
- Now go to pending requests and issue the Certificate we just requested
- Now go to issued certificates
- Double click the certificate you have just issued and go to the Details tab
- Select copy to file
- Export the certificate as a CER file and copy the certificate over to the Issuing CA
- Now go back to your Issuing CA, right click your CA > All Tasks > Install CA Certificate
- Press Yes to Stop AD Certificate Services
- Change the file extension filter in the file dialog from P7B to CER and select your certificate file
- Press Open and your Issuing CA cert should be renewed :)
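Before the Install CA Certificate step in either procedure, it is worth checking the CER you copied over from the Root CA. The script below is an added example, not part of the original write-up: it confirms that the renewed certificate keeps the same subject and key pair (because No was chosen for a new key pair), chains to the Root CA, and expires later than the current one. The three file paths are assumptions, and the current Issuing CA and Root CA certificates are assumed to have been exported to CER files beforehand.

```powershell
# Added example: sanity-check a renewed Issuing CA certificate before installing it.
# The three default paths are placeholders (assumptions), not values from the post.
param(
    [string]$OldCertPath  = 'C:\Temp\IssuingCA-current.cer',  # CA certificate in use today
    [string]$NewCertPath  = 'C:\Temp\IssuingCA-renewed.cer',  # CER exported on the Root CA
    [string]$RootCertPath = 'C:\Temp\RootCA.cer'              # the Root CA's own certificate
)

function Import-Cert([string]$Path) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
}
$old  = Import-Cert $OldCertPath
$new  = Import-Cert $NewCertPath
$root = Import-Cert $RootCertPath

# Build the chain so the Root CA's signature is verified, not just the issuer name.
# Revocation checking is off because an offline root's CRL may not be reachable.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.ChainPolicy.ExtraStore.Add($root)
$chainBuilt = $chain.Build($new)   # true only if the root is trusted on this machine
$chainRoot  = if ($chainBuilt) {
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
}

$checks = [ordered]@{
    'Subject matches the current CA certificate' = ($new.Subject -eq $old.Subject)
    'Issuer name matches the Root CA subject'    = ($new.Issuer -eq $root.Subject)
    'Public key unchanged (key pair reused)'     =
        ($new.GetPublicKeyString() -eq $old.GetPublicKeyString())
    'Expires later than the current certificate' = ($new.NotAfter -gt $old.NotAfter)
    'Validity period has already started'        = ($new.NotBefore -le (Get-Date))
    'Chain builds and ends at the supplied root' =
        ($chainBuilt -and $chainRoot.Thumbprint -eq $root.Thumbprint)
}

$failed = 0
foreach ($c in $checks.GetEnumerator()) {
    if ($c.Value) { Write-Host "PASS  $($c.Key)" }
    else          { Write-Host "FAIL  $($c.Key)"; $failed++ }
}
Write-Host ("Current expiry: {0:u}   Renewed expiry: {1:u}" -f $old.NotAfter, $new.NotAfter)
if ($failed) { exit 1 }
```

A FAIL on the public key check means the file is not the renewal of the existing key pair, so stop and confirm you exported the right certificate before installing it.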