Question
Friday, March 13, 2015 5:48 PM
So the base certificate at a client site running Server Standard 2012 R2 expired.
I went in and did a renewal, which created a new certificate, but the old expired cert still shows in the list and is still being handed out by the CA.
Certificates #1 & #2 are the renewed certs, Cert #0 is expired. Why did it not get replaced during the renewal process?
How do I remove the expired Certificate? The CA is still using it and handing out expired certs. This is preventing people from connecting to the secure Corporate WiFi environment because the NAP server is now rejecting access due to an expired certificate.
Before I renewed and changed the certificates in the NAP server to point to the new renewed cert, I was getting this event log entry when a user tried to connect to the Secure Corporate WiFi:
Event ID 6273, Reason Code 262, The supplied message is incomplete. The signature was not verified.
After I changed the Certificates in the NAP server to point to the renewed certs, I get this error, and am still not able to connect to WiFi:
Event ID 6273, Reason Code 265, The certificate chain was issued by an authority that is not trusted.
How do I go about cleaning out that Expired Certificate in the CA? I removed it from the computer cert list using the Certificates snap-in connected to the local computer. I then stopped and restarted both the CA and NAP services. Still no change. I need to get the CA cleaned up and trusted again.
Any help would be greatly appreciated.
Curt Winter
Microsoft Certified Professional
All replies (9)
Friday, March 20, 2015 4:09 PM ✅Answered | 1 vote
Ok, the NAP server is now working properly, the Expired Certificates are cleaned up and we are back in working order.
Here is a review of what I did to get the issue resolved:
1) First thing was to remove the old SBS server entries that were causing the workstations to try and renew their certs with the old server. To do this I ran ADSIEdit and expanded CN=Configuration | CN=Services | CN=Public Key Services. I then went through every folder and every entry under Public Key Services looking for and removing or updating entries pointing to the old SBS. I then made sure Authenticated Users had read permissions on CN=Enrollment Services.
2) Ensure the CA is an Enterprise CA. I ran certutil -cainfo to ensure it showed as Enterprise Root CA.
3) I then went back into ADSIEdit and expanded CN=Configuration | CN=Services | Public Key Services | CN=Enrollment Services. Right-click the CA in the right pane and ensure flags is set to 10.
4) Ensure the CA is trusted: launch PKIView, right-click on Enterprise PKI and select Manage AD Containers, click on the Enrollment Services tab, and the status should show as OK.
5) I then copied that Certificate to a file and ran certutil -verify on the file to check for any additional errors.
6) I then opened CertSrv.msc on the CA, right-clicked on the name of the CA and selected Properties, clicked on the Security tab and ensured Authenticated Users have the Request Certificates permission.
7) I then ran certutil -deleterow 3/11/2015 Cert to remove all the certs that had expired before 3/11/2015.
At this point the workstations started to get new certs and all the cert renewal errors in the client event logs stopped.
8) I then went back into the NAP server and selected the correct certificate in the EAP Properties and Smart Card properties.
9) I then updated the domain 802.11X policy, ensuring all the EAP properties had the correct certificate listed.
At this point computers were again connecting to the Secure WiFi through the NAP server. I hope this may help someone in the future.
Curt Winter
Certified Microsoft Professional
Curt Winter
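The CA-side checks in steps 2, 5 and 7 of the accepted answer can be scripted so they are repeatable and report before anything is deleted. The following PowerShell is an added example written for this thread, not code from the original post or from Microsoft. It assumes an elevated session on the CA host with certutil available; the cutoff date defaults to the 3/11/2015 value the answer used and is only a constructed default, and the destructive certutil -deleterow step runs only when -Delete is passed.

```powershell
# Added example (not from the thread): scripted form of steps 2, 5 and 7 of the answer.
# Assumes an elevated PowerShell session on the CA host where certutil is present.
param(
    [datetime]$CutoffDate = [datetime]'2015-03-11',   # constructed default: the date used in the answer
    [switch]$Delete                                   # opt in to the destructive certutil -deleterow
)

$ErrorActionPreference = 'Stop'

# Step 2: the CA must be an Enterprise CA, otherwise domain members cannot auto-enroll from it.
$caType = (certutil -cainfo type | Out-String)
if ($caType -match 'Enterprise') {
    Write-Host "CA type OK: $($caType.Trim())"
} else {
    Write-Warning "CA is not an Enterprise CA:`n$caType"
}

# Step 5: export the CA's current certificate and let certutil build and check its chain.
$caCertFile = Join-Path $env:TEMP 'ca-current.cer'
certutil -ca.cert $caCertFile | Out-Null
certutil -verify $caCertFile
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil -verify reported errors for $caCertFile (exit code $LASTEXITCODE)"
}

# Step 7, report phase: list issued certificates whose NotAfter is at or before the cutoff.
# -restrict filters the CA database on a column; -out selects the columns to display.
$cutoff = $CutoffDate.ToString('M/d/yyyy')
Write-Host "Issued certificates expired on or before $cutoff :"
certutil -view -restrict "NotAfter<=$cutoff" -out "RequestID,RequesterName,NotAfter"

# Step 7, destructive phase: the same command the answer ran. Only runs when -Delete is given,
# so the default invocation is read-only and the rows listed above can be reviewed first.
if ($Delete) {
    certutil -deleterow $cutoff Cert
}
```

Run it once without -Delete and compare the listed rows against the CA database before re-running with -Delete; the step 6 permission check (Request Certificates for Authenticated Users) is deliberately left to the CertSrv.msc Security tab as the answer describes.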
Monday, March 16, 2015 1:27 PM | 1 vote
> How do I remove the expired Certificate?
You don't need to remove the expired CA certificate.
> The CA is still using it and handing out expired cert's, this is preventing people from connecting to the secure Corporate WiFi environment because the NAP server is now rejecting access due to an expired certificate.
Most likely this is because you chose existing key pair reuse during CA certificate renewal and NPS incorrectly selects an incorrect chain. I would suggest either renewing the CA certificate with a new key pair and reissuing client/server certificates, or removing the expired CA certificate from Active Directory.
Vadims Podāns, aka PowerShell CryptoGuy
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell File Checksum Integrity Verifier tool.
Monday, March 16, 2015 3:12 PM
Vadims,
Can you please give some more detail to this statement or link with more info?
"or remove expired CA certificate from Active Directory."
Thank you.
Curt Winter
Curt Winter
Wednesday, March 18, 2015 4:20 PM
Ok, as I continue to dig on this issue, I am noticing the workstations on the network are trying to renew their certificates from the old SBS server that is no longer on the network. A third party was hired to migrate from SBS 2008 to Server 2012 R2. The CA service now runs on the Server 2012 R2 Domain Controller.
The error from the workstation:
Event ID 13
Certificate enrollment for local system failed to enroll for a machine certificate from (old server name) The RPC server is unavailable. 0x800706ba (WIN32: 1722)
Where is it getting the old server name from? Why is it not polling the CA service on the 2012 DC?
Is this buried in Group Policy? Looking for help on where to find the old server name so I can clean it up and get the workstations renewing with the new CA.
Thanks for any help.
Curt Winter
Certified Microsoft Professional
Curt Winter
Open pkiview.msc, right-click on the Enterprise PKI node and select Manage AD Containers. Switch to the "Certification Authorities" tab, remove the expired CA certs from there and leave the most recent CA cert.
Vadims Podāns, aka PowerShell CryptoGuy
Windows clients randomly select an Enterprise CA to work with. If it fails, an event log record is generated and the client attempts to use another applicable CA (one that supports the target certificate template).
Vadims Podāns, aka PowerShell CryptoGuy
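Both of Vadims' replies above point at the same place: the Public Key Services part of the Configuration partition, which is what pkiview's Manage AD Containers dialog shows and where domain clients discover the Enterprise CAs they randomly pick from (the pKIEnrollmentService objects under CN=Enrollment Services). The following PowerShell is an added example for this thread, not code from either participant or from Microsoft. It assumes the RSAT ActiveDirectory module and certutil are installed on the machine it runs on, and it only reads and reports; the removal itself is left to pkiview as the reply describes. The "flags = 10" expectation is taken from the accepted answer in this thread.

```powershell
# Added example (not from the thread): report expired CA certificates published in AD and
# stale Enrollment Services entries that domain clients may try to enroll against.
# Assumes the RSAT ActiveDirectory module and certutil are available. Read-only.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

function Get-AdCaCertReport {
    # Decode every cACertificate value in the containers pkiview's Manage AD Containers shows,
    # plus NTAuthCertificates, and flag the ones that are already past NotAfter.
    $targets = @(
        @{ Label = 'Certification Authorities'; Base = "CN=Certification Authorities,$pks"; Scope = 'OneLevel' },
        @{ Label = 'AIA';                       Base = "CN=AIA,$pks";                       Scope = 'OneLevel' },
        @{ Label = 'NTAuthCertificates';        Base = "CN=NTAuthCertificates,$pks";        Scope = 'Base' }
    )
    foreach ($t in $targets) {
        $objs = Get-ADObject -SearchBase $t.Base -SearchScope $t.Scope -Filter * -Properties cACertificate
        foreach ($obj in $objs) {
            foreach ($raw in @($obj.cACertificate)) {
                if (-not $raw) { continue }
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
                [pscustomobject]@{
                    Container  = $t.Label
                    Object     = $obj.Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    Expired    = ($cert.NotAfter -lt (Get-Date))
                }
            }
        }
    }
}

function Get-AdEnrollmentServiceReport {
    # Each pKIEnrollmentService object advertises one Enterprise CA to domain clients.
    # A decommissioned host left here explains clients trying to enroll from a server that no longer exists.
    $objs = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -SearchScope OneLevel -Filter * `
                -Properties dNSHostName, flags, certificateTemplates
    foreach ($obj in $objs) {
        $config = "$($obj.dNSHostName)\$($obj.Name)"
        certutil -config $config -ping | Out-Null      # RPC ping of the advertised CA
        [pscustomobject]@{
            CA        = $obj.Name
            Host      = $obj.dNSHostName
            Flags     = $obj.flags                       # the accepted answer expects 10 here
            Reachable = ($LASTEXITCODE -eq 0)
            Templates = (@($obj.certificateTemplates) -join ',')
        }
    }
}

Write-Host 'CA certificates published in AD:'
Get-AdCaCertReport | Sort-Object Container, NotAfter | Format-Table -AutoSize

Write-Host 'Enterprise CAs advertised to clients:'
Get-AdEnrollmentServiceReport | Format-Table -AutoSize
```

A row with Expired = True in the Certification Authorities or AIA container is the entry the reply says to remove in pkiview; a row with Reachable = False in the second table is an Enrollment Services entry clients can still be handed and then fail against with the RPC-unavailable Event ID 13 quoted earlier in the thread.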
Wednesday, March 18, 2015 6:11 PM
Ok, when I run pkiview.msc on the domain controller that is running the CA, it comes back with "CA is either offline or unavailable".
I can then go to Admin tools and launch the CA, it is running, there is a setting left over someplace pointing to the old CA service on the old SBS server that is no longer on the Domain.
If I right click the Enterprise PKI and select manage AD containers, I can look at all the certs, they are all good and valid.
If I right-click the listed CA server in pkiview.msc and select Manage CA, it comes back with a fresh MMC trying to connect to the Certificate Service on the old SBS server. If I redirect it to the current server, it opens without issue.
Why is PKIview.msc pulling the old SBS server? Where does it get this server name from? How can I remove that entry or change it so that it goes to the CA server running on the domain, not the old CA service running on the decommissioned SBS server?
This is what is happening to the computers on the network: they are being given the old SBS CA server and they are trying to connect to it to renew their expired certificates, which they cannot, because it is no longer on the network.
I did find this entry using ADSI Edit:
cn=configuration, cn=services, cn=public key services, cn=CDP
The old server was listed there. I removed the entry, but nothing has changed.
Please help and point me to the location where this server name is stored so I can remove it and get all the computers talking to the correct CA.
Curt
Curt Winter
Wednesday, March 18, 2015 6:28 PM
Additional information: I loaded the local Certificates MMC on the Domain Controller that is running the CA. I noticed the machine cert was expired, so I tried to renew it, and it failed, because it was trying to poll the old SBS CA. Where does it keep pulling this information from? This was listed as a URL with the old SBS server name.
As long as every machine is trying to contact the old SBS CA service, we are going to have problems. Where in the world do I have to look to clean up all these entries that are pointing to the old SBS server that is no longer on the network?
Please help!
Curt Winter
Wednesday, March 18, 2015 7:03 PM
Ok, it looks like I finally cleaned out the old settings. Now PKIview.msc is saying it cannot find the enterprise CA: "please make sure it exists in your environment and is listed in the enrollment services container."
How do I get it listed in the enrollment services container?
Curt Winter
Curt Winter