If you follow other posts on renewing a sub-CA certificate, they usually have two things to make their lives easier:
- A server with a GUI
- an Online Enterprise Root CA
We have none of those. We have:
- an Offline Root CA (at least it has a GUI)
- A Server Core Sub CA
As has happened many times in the past, the MMC remote snap-in pointed at a remote Core server lacks the context menu or ability to do what you need.
For example, this poor guy who posted in Windows QA.
Step 1) Log Into the Server Core Sub CA.
RDP, direct console, whatever floats your boat on this one.
Step 2) Run the following command:
Certutil -renewCert ReuseKeys
Now you get a pop up, asking you to select an Online CA server to sign the Cert. In small writing on the pop up it says you can click cancel and manually sign the certificate saved under c:\ path.
Step 3) Copy the Request File to the Offline CA
Now save the request file, and copy it onto your Offline Root CA. How you accomplish this is up to you and your setup. If it's all virtualized, do the vUSB trick I often do. If you have RDP access to the Sub CA, use this RDP resource and notepad trick.
Step 4) Issue Certificate on Offline CA
– Open Certificate Authority Tool.
– Right Click Server Node -> All Tasks -> Submit New Request -> Select the request file created in Step 2
– Click on Pending Requests Folder -> Right Click Certificate -> Issue
– Go back to Issued Certificates Folder -> Double Click new Certificate -> Details Tab -> Copy to File -> Save it
Step 5) Copy Issued Certificate back to Sub CA
Whatever means you used for Step 3, do it in reverse.
Step 6) Install the new Certificate on the Sub CA
certutil -installcert <path to signed certificate>
OK, Stop the Service:
sc stop CertSvc
Then Start it back up:
sc start CertSvc
Then from a remote management machine with the Cert Authority MMC Snap-in added, check the properties on the Sub-CA. You should see the new certificate listed.
Hope this Helps someone.
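
A check to run on the Sub CA on the file copied back in Step 5, before certutil -installcert; this is an added PowerShell example, not part of the original post. It prints the thumbprint to compare against the Details tab on the offline root CA, and confirms the file is a currently valid CA certificate whose public key matches a certificate with a private key already in the local machine Personal store, which is what ReuseKeys implies. The path C:\Temp\subca-renewed.cer is a placeholder.

```powershell
# Added example, not from the original post. $IssuedPath is a placeholder path.
param([string]$IssuedPath = 'C:\Temp\subca-renewed.cer')

# Loads DER or Base64 encoded .cer files alike.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $IssuedPath

# Basic Constraints must mark this as a CA certificate.
$bc = $issued.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
$isCa = [bool]($bc -and $bc.CertificateAuthority)

# ReuseKeys keeps the existing key pair, so the issued certificate must carry
# the same public key (and subject) as a certificate we hold a private key for.
$issuedKey = [BitConverter]::ToString($issued.GetPublicKey())
$current = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Subject -eq $issued.Subject -and
    [BitConverter]::ToString($_.GetPublicKey()) -eq $issuedKey
} | Sort-Object NotAfter -Descending | Select-Object -First 1

# The new certificate should be valid now and outlive the one it replaces.
$now = Get-Date
$validNow = ($issued.NotBefore -le $now) -and ($issued.NotAfter -gt $now)
$extends = [bool]($current -and ($issued.NotAfter -gt $current.NotAfter))

[pscustomobject]@{
    Thumbprint      = $issued.Thumbprint   # compare with the Details tab on the root CA
    Subject         = $issued.Subject
    Issuer          = $issued.Issuer
    NotAfter        = $issued.NotAfter
    IsCA            = $isCa
    KeyMatchesLocal = [bool]$current
    ValidNow        = $validNow
    ExtendsValidity = $extends
} | Format-List

if (-not ($isCa -and $current -and $validNow -and $extends)) {
    Write-Warning 'Certificate failed a check; do not install it until resolved.'
    exit 1
}
```

The thumbprint is computed over the certificate itself, so it stays the same whether the file was saved as DER or pasted across as Base64 text.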