In this blog post I’m going to show how you can renew the certificates of a two-tier PKI. A two-tier PKI is a Public Key Infrastructure that consists of two levels of certification authorities (CAs): a root CA and one or more issuing CA(s) (Subordinate). The root CA is typically offline and highly secure, while the issuing CAs are online and can be scaled horizontally to meet the organization’s needs. In this blog post I am going to show how to renew the certificate of the root CA and of the issuing CA(s). I
An important consideration before you start renewing your certificates: The validity period of certificates issued by the root CA cannot exceed the validity period of the Root CA certificate. If your Root CA’s certificate expires in 2 months and you want to extend your issuing ca’s certificate for 5 years, you must first extend your Root CA. If you do not, then the validity period of your Issuing CA will be 2 months instead of 5 years.
Renew the certificates of a two-tier PKI:
The Root CA
Let’s start by renewing the Root CA. If the validity period of your root CA is longer than the period by which you want to renew Issuing CA, you can choose to skip this step and proceed to Issuing CA.
1. Turn on the Root CA and Log on. Open the Certification Authority console. Make a right-mouse click on the CA name, select “All Tasks” and “Renew CA Certificate…”.
2. A screen will appear with the question to stop Active Directory Certificate Services. Click “Yes” on the question to stop certificate services.
3. On the next screen answer the question “Do you want to generate a new public and private key pair?” with “No” because we only want to renew the certificate and click “OK”.
4. Because the Root CA is a completely offline we need to copy the new Root CA certificate to Issuing CA. In this example I am using the network, but if you don’t have a network connection you will have to use another way.
5. Open a Command Prompt and Execute: “Certutil.exe -f -dspublish <Root CA>.cer RootCA” this command will publish the root CA to the Active Directory. The machines in AD will get the new root CA cert installed with the next GPO update or reboot, whatever is sooner.
6. The Root CA certificate has now been renewed. If you only want to renew your Root CA certificate you can now shut down the Root CA server, otherwise keep it to renew the certificate of the Issuing CA.
The Issuing CA
Now that the Root CA’s certificate has been renewed, let us move on to renewing the Issuing CA‘s certificate. This is similar to the steps of the Root CA, but with the difference that the certificate is not issued by the Issuing CA itself, but by the Root CA. The Issuing CA only has delegated authority to issue certificates on behalf of the Root CA.
7. If you have just renewed your Root CA certificate run “gpupdate /force” to make sure the new root CA certificate is installed on your Issuing CA.
8. Open the Certification Authority console on the Issuing CA. Make a right-mouse click on the CA name, select “All Tasks” and “Renew CA Certificate…”.
9. A screen will appear with the question to stop Active Directory Certificate Services. Click “Yes” on the question to stop certificate services.
10. On the next screen answer the question “Do you want to generate a new public and private key pair?” with “No” because we only want to renew the certificate and click “OK”.
11. A window appears where you can select an online CA to renew the certificate. Since we are using an Offline Root CA, you can press “Cancel.” This will not send the request file but store it locally on the C drive. The exact location and filename are displayed at the bottom of the window (c:\*.req).
12. Copy the request file from your Issuing CA to the Root ca.
13. Open then Certification Authority console on the Root CA, right mouse clicks on the ca name, select “All Tasks” and “Submit new request…”.
14. Select the request file and press “Open”.
15. Go to “Pending Requests” and issue the pending certificate for the subordinate server.
16. Now go to “Issued certificates”, select the certificate what was just issued and open it.
17. Go to the “Details” tab and click on “Copy to File…”.
18. Select Export File Format *.P7B and check “include all certificates in the certification path if possible”!
19. Save the file on the local disk.
20. Copy the certificate file to the subordinate CA. Start the certificate services and the subordinate CA.
21. Open the Certification Authority console. Make a right-mouse click on the CA name, select “All Tasks” and “Install CA Certificate…”.
22. Click “Yes” on the question to stop certificate services.
23. Select the certificate and press “Open”.
24. The renewal is now completed for both the root CA and the Subordinate CA. When you check the certificate properties of the Subordinate CA it will show the new validity period. Do not forget to shutdown the root CA server. This is how you renew the certificates of a two-tier PKI.