This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 61%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi Everyone,
I need to renew my root certificate and I don't have a clue how to do this correctly. My DC's are 2012 R2 and 2019 and my AD DFL and FFL are: Windows Server 2012 R2, clients are all W10 and servers mostly 2008 and above and a tiny amount of 2003.
1. Is there a step-by-step guide on how to do this?
2. What gotchas show I look out for?
3. Do I need to change the cert signature algorithm from SHA1 to SHA256 or can I keep the same?
4. How can I check where the root cert is used (so I can update these 3rd party systems)
5. How can I test the renewed cert?
6. Is there a rollback option?
Would anyone be able to share their knowledge on this pls?
Many Many Thanks, M
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 74%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGJ%3C/text%3E%3C/svg%3E)
Renew CA certificate
For this task, open the context menu of the Certification Authority in certsrv.msc, and select the Renew CA Certificate option under All Tasks.
Renew CA certificate via the MMC snap in Certification Authority
This action launches a wizard, which first announces that certificate services need to be temporarily stopped. The next dialog box allows the user to choose whether to retain the signing keys or generate new ones.
Microsoft names compromised existing keys, specific software requirements, or an overly long certificate revocation list (CRL) as possible reasons for generating new keys.
With new keys, the certification authority also creates a new CSR that only contains the serial numbers of certificates revoked since the issuance of the new CA certificate. Microsoft's documentation explains how this affects the naming of the CRL.
Retaining the keys simplifies the process because it keeps all previously issued certificates chained up to the new CA certificate. For an in-depth discussion of the pros and cons of new signing keys, refer to this blog post by Vadims Podāns.
As an alternative to the certsrv.msc GUI, you can use the certutil.exe utility to renew the CA certificate while retaining the existing public and private keys:
certutil -renewCert ReuseKeys
Renew the CA certificate with certutil.exe while reusing the previous keys
If you omit the ReuseKeys switch, the utility also creates new keys. With the following entry in the abovementioned CaPolicy.inf, you can set the key length, in this example to 2048 bits:
RenewalKeyLength=2048
Distribute the root certificate to the clients
After renewing the root CA certificate, you must deploy it to the clients to make them trust all certificates issued by the certification authority. Windows PCs store this certificate under cert:\LocalMachine\Root or under a user's trusted root certificates.
If you are running an enterprise CA, the root certificate is automatically distributed within the domain. Clients receive it during the refresh of Group Policies. If you want to speed up this process, you can force a refresh using gpupdate /force.
In the case of a standalone CA, you have to export the certificate and publish it in Active Directory using the following command:
certutil -f -dspublish <RootCACertificate-File> RootCA
This method ensures that the root certificate is propagated to all machines in the domain. Alternatively, you can distribute the root certificate via Group Policy, especially if you want to provide it only to specific OUs.
To determine the type of CA you are dealing with, you can use the following method:
certutil -getreg ca\catype
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 94%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJI%3C/text%3E%3C/svg%3E)
Me funcionó, me lo renovó por 3 años mas. Toca esperar la fecha para que se vayan renvando las estaciones de forma automática. Muchas gracias
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 43%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Is there a rollback option?
Hello @SenhorDolas
Check the links below that they have a problem similar to yours and I believe it will be useful to help you solve the problem:
-------------
--If the reply is helpful, please Upvote and Accept as answer--
hi @Limitless Technology
Thanks for the links they helped me plan the change better.
Is there a way to find out where the root CA has been used (as in manually uploaded?)
I am guessing this would be LDAPs, can I see that on the DC's logs?
I
@Limitless Technology
Thank you so much for googling them for me :)
I have a much better idea on how to do this.
A few more questions if you dont mind?
Thanks, M
@Limitless Technology + @Thameur-BOURBITA
I have finally renewed the CA cert - no issues there.
I can see the new cert being installed on rebooted machines.
****For Domain Controllers, when will this be picked up? Or since the old one is still valid will it only pull the new cert on expiration of the old one?**
Can I delete the current CA root cert from the DC's Personal Store and reboot to pull the new one?**
Thanks, M