What impact does the expiration of one of the Certification Authority certificates have on the Certification Authority?

Certification authority certificates have a defined start and end date, so it is inevitable during the lifecycle of a certification authority that certification authority certificates will expire.

The following describes the impact of an expiring Certification Authority certificate on the Certification Authority.

Basic


Regardless of whether it is the current or one of the previous certification authority certificates, the certification authority service will start as usual and certificate revocation lists can also be issued.

The certification authority will log event no. 58.

A certificate in the chain for CA certificate 2 for ADCS Labor Issuing CA 3 has expired. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495 CERT_E_EXPIRED). 

When the current certification authority certificate expires...

If it is the current certification authority certificate, however, certificates can of course no longer be requested from the certification authority.

Applicants will either be unable to create a certificate request at all or be unable to send it to the certification authority.

Certificate requests that continue to be submitted will be rejected, and the certification authority will log event no. 22 with error code 0x800b0101 (-2146762495 CERT_E_EXPIRED).

As the certification authority certificate's expiration date approaches, there will be a spike in certificate requests (if there are still certificate templates published for issuance), because automatic certificate renewals are made when 80% of certificate validity is exceeded. This window will get shorter and shorter as the expiration date approaches (see the related article "Planning of certificate validity and renewal period of end entity certificates with autoenrollment").
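
The shrinking renewal window can be made concrete with a small simulation. This is an added example, not code from the original article; it assumes that the certification authority never issues a certificate valid beyond the end date of its own certificate and that the client renews exactly at the 80% mark. All names and dates are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

RENEW_AT = 0.8  # renewal once 80% of the validity has elapsed (figure from the article)

class Cert(NamedTuple):
    not_before: datetime
    not_after: datetime
    renew_on: datetime
    truncated: bool  # validity was cut short by the CA certificate's end date

def issue(now, template_validity, ca_not_after):
    """Issue one certificate. Assumption: the CA never issues past its own NotAfter."""
    if now >= ca_not_after:
        # Corresponds to the rejected request the article describes (event no. 22).
        raise ValueError("CERT_E_EXPIRED (0x800b0101): CA certificate has expired")
    not_after = min(now + template_validity, ca_not_after)
    renew_on = now + (not_after - now) * RENEW_AT
    return Cert(now, not_after, renew_on, not_after - now < template_validity)

def renewal_timeline(first_issue, template_validity, ca_not_after,
                     stop_below=timedelta(hours=1)):
    """Follow one autoenrolling client until its certificates get shorter than stop_below."""
    timeline, now = [], first_issue
    while True:
        cert = issue(now, template_validity, ca_not_after)
        timeline.append(cert)
        if cert.not_after - cert.not_before < stop_below:
            return timeline
        now = cert.renew_on  # the next request arrives at the 80% mark

if __name__ == "__main__":
    ca_end = datetime(2026, 1, 1)  # constructed CA certificate end date
    start = ca_end - timedelta(days=125)
    for c in renewal_timeline(start, timedelta(days=100), ca_end):
        note = "truncated" if c.truncated else "full validity"
        print(c.not_before, "lifetime", c.not_after - c.not_before, note)
```

Every truncated certificate lives only a fifth as long as its predecessor, so one client sends requests at ever shorter intervals until the certification authority certificate expires.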
