{"id":1390,"date":"2022-08-05T17:47:39","date_gmt":"2022-08-05T22:47:39","guid":{"rendered":"http:\/\/zewwy.ca\/?p=1390"},"modified":"2022-08-05T17:47:39","modified_gmt":"2022-08-05T22:47:39","slug":"renew-subordinate-ca-certificate-to-offline-root","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2022\/08\/05\/renew-subordinate-ca-certificate-to-offline-root\/","title":{"rendered":"Renew Subordinate CA Certificate to Offline Root"},"content":{"rendered":"

<\/span>Setup<\/span><\/h1>\n

If you follow other posts on renewing a sub-ca certificate, they usually have two tings to make their lives easier:<\/p>\n

    \n
  1. A server with a GUI<\/li>\n
  2. an Online Enterprise Root CA<\/li>\n<\/ol>\n

    We have none of those. We have:<\/p>\n

      \n
    1. an Offline Root CA (at least it has a GUI)<\/li>\n
    2. A Server Core Sub CA<\/li>\n<\/ol>\n

      Like many times in the past, MMC remote snap-in pointing to a remote core server is lacking the context menu or ability to do what you need.<\/p>\n

      <\/span>Steps<\/span><\/h1>\n

      For example this poor guy who posted in Windows QA<\/a>.<\/p>\n

      <\/span>Step 1) Log Into the Server Core Sub Sub CA.<\/span><\/h2>\n

      RDP, direct console, whatever floats your boat on this one.<\/p>\n

      <\/span>Step 2) Run the following command:<\/span><\/h2>\n
      Certutil -renewCert ReuseKeys<\/pre>\n
      Now you get a pop up, asking you to select an Online CA server to sign the Cert. In small writing on the pop up it says you can click cancel and manually sign the certificate saved under c:\\ path.<\/p>\n
      \"\"<\/a><\/p>\n
      <\/span>Step 3) Copy to Request File to Offline CA<\/span><\/h2>\n
      Now save the request file, and copy it onto your Offline Root CA. How you accomplish this in on your and your setup. If it’s all virtualized, do the vUSB trick I often do. If you have RDP access to the Sub CA, use this RDP resource and notepad trick.<\/a><\/p>\n
      Step 4) Issue Certificate on Offline CA
      \n– Open Certificate Authority Tool.
      \n– Right Click Server Node -> All Tasks -> Submit New Request -> Select the request file created in Step 2
      \n– Click on Pending Requests Folder -> Right Click Certificate -> Issue
      \n– Go back to Issued Certificates Folder -> Double Click new Certificate -> Details Tab -> Copy to File -> Save it<\/p>\n
      <\/span>Step 5) Copy Issued Certificate back to Sub CA<\/span><\/h2>\n
      Whatever means you did for Step3, do it in reverse.<\/p>\n
      <\/span>Step 6) Install the new Certificate on the Sub CA<\/span><\/h2>\n
      certutil -installcert <path to signed certificate><\/pre>\n
      \"\"<\/a><\/p>\n
      OK, Stop the Service:<\/p>\n
      sc stop CertSvc<\/pre>\n
      \"\"<\/a><\/p>\n
      Then Start it back up:<\/p>\n
      sc start CertSvc<\/pre>\n
      \"\"<\/a><\/p>\n
      Then from a remote management machine with the Cert Authority MMC Snap-in added, check the properties on the Sub-CA. You should see the new certificate listed.<\/p>\n
      \"\"<\/a><\/p>\n
      Hope this Helps someone.<\/p>\n","protected":false},"excerpt":{"rendered":"
      Setup If you follow other posts on renewing a sub-ca certificate, they usually have two tings to make their lives easier: A server with a GUI an Online Enterprise Root CA We have none of those. We have: an Offline Root CA (at least it has a GUI) A Server Core Sub CA Like many … <\/p>\n
      Continue reading “Renew Subordinate CA Certificate to Offline Root”<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[8],"tags":[217,416,188,363],"class_list":["post-1390","post","type-post","status-publish","format-standard","hentry","category-server-administration","tag-ca","tag-cert","tag-certificate","tag-renew"],"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1390","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1390"}],"version-history":[{"count":1,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1390\/revisions"}],"predecessor-version":[{"id":1391,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1390\/revisions\/1391"}],"wp:attachment":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1390"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1390"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1390"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}