Pages

05 January 2016

Unable to renew SubCA - 0x8007139f (WIN32: 5023)

It's the most wonderful time of the year, renewing your Issuing, Intermediate, SubCA of however you want to call it.
So the time has come to renew the Issuing certificate, well for me it has, and as always i pull out the documentation because i wanna do it correctly.
But as you all know (you have to know this) since January 1st SHA1 has been deprecated and we all should move to SHA2 (SHA256).

Obedient as i am, i moved our CA to SHA2. No problem there. But...
Now is the season to be renewing your Issuing certificate and this happens.

The following steps are to be followed:


Steps to Renew if Root CA is offline
  1. Log onto your Issuing CA and open the Certificate Authority MMC
  2. Right click on your Issuing CA > All Tasks > Renew CA Certificate
  3. Press Yes to Stop AD Certificate Services
  4. Press No to Generate a new Public/Private Pair
  5. Press Cancel and save the request some where C:\Temp for instance
Now in my case step 5 didn't happen.
Running CertUtil gave an error that was not really clear why things weren't working as expected.







After digging around for hours on fora's websites and going through my documentation over and over, it suddely hit me.
I had moved to SHA2, and the certificate i tried to renew was based on SHA1.
This would never work, so long story short. Moved to SHA2 recently? New private key in your Issuing certificate request, and follow the route to renew your Issuing certificate as you always would.

Next thing to note is that all your current certificates have to be regenerated to be compliant to the new Issuing certificate (SHA2), as for the RootCA that doesn't need to be SHA2, Trusted root certificates using SHA1 are not affected. Clients trust them for identity purposes and not for the strength of their signature algorithm.

1 comment:

  1. What would be the command then?
    certutil -renewcert ???

    ReplyDelete