Renew a subordinate certification authority

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To renew a subordinate certification authority

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Log on to the system as a Certification Authority Administrator.

  2. Open Certification Authority.

  3. In the console tree, click the name of the certification authority (CA).

    Where?

    • Certification Authority (Computer)/CA name

  4. On the Action menu, point to All Tasks, and click Renew CA Certificate.

  5. Do one of the following:

    • If you want to generate a new public and private key pair for the certification authority's certificate, click Yes.

    • If you want to reuse the current public and private key pair for the certification authority's certificate, click No.

  6. Get the CA certificate from the parent CA. For more information, see Notes.

Notes

  • To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

  • To obtain the certificate for a subordinate CA, you must submit a certificate request to a parent CA. The procedure for doing so differs depending on whether the parent CA is available online.

    • If a parent CA is available online

    • If a parent CA is not available online

If a parent CA is available online

  1. Click Send the request directly to a CA already on the network.

  2. In Computer Name, type the name of the computer on which the parent CA is installed.

  3. In Parent CA, click the name of the parent CA.

If a parent CA is not available online

  1. Click Save the request to a file.

  2. In Request file, type the path and file name of the file that will store the request.

  3. Obtain this subordinate CA's certificate from the parent CA.

    The procedure for doing this will be unique to the parent CA. At a minimum, the parent CA should provide a file containing the subordinate CA's newly issued certificate and, preferably, its full certification path. For the procedure to submit a certificate request using a file to a Microsoft CA, see Related Topics.

    If you get a subordinate CA certificate that does not include the full certification path, the new subordinate CA you are installing must be able to build a valid CA chain when it starts. Thus you must install the parent CA's certificate in the Intermediate Certification Authorities certificate store of the computer (if the parent CA is not a root CA), as well as the certificates of any other intermediate CA in the chain, and you must install the certificate of the root CA in the chain into the Trusted Root Certification Authorities store. These certificates should be installed in the certificate store before you install the CA certificate on the subordinate CA you have just set up.

  4. Open Certification Authority.

  5. In the console tree, click the name of the CA.

    Where?

    • Certification Authority (Computer)/CA name

  6. On the Action menu, point to All Tasks, and then click Install CA Certificate.

  7. Locate the certificate file received from the parent certification authority, click this file, and then click Open.

Using a command line

  1. Open Command Prompt.

  2. Type:

    certutil -renewcert

    Value        Description
    renewcert    Instructs the CA to renew its certificate.

Notes

  • To open a command prompt, click Start, point to All Programs, point to Accessories, and then click Command Prompt.

  • To view the complete syntax for this command, at a command prompt, type:

    certutil -renewcert -?
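The steps under "If a parent CA is not available online" can also be carried out from Command Prompt once the parent CA has returned the renewed certificate. The script below is an added example, not part of the original Microsoft procedure; the file paths are placeholders, and Root and CA are the certutil store names for the Trusted Root Certification Authorities and Intermediate Certification Authorities stores.

```batch
@echo off
rem Added example: stage the chain, check it, then install the renewed
rem subordinate CA certificate. All three file paths are placeholders.
setlocal
set ROOT_CERT=C:\renew\root-ca.cer
set PARENT_CERT=C:\renew\parent-ca.cer
set SUBCA_CERT=C:\renew\subca-renewed.cer

rem 1. The root CA certificate goes into the Trusted Root Certification
rem    Authorities store of the computer (store name: Root).
certutil -addstore Root "%ROOT_CERT%" || goto fail

rem 2. If the parent CA is not a root CA, its certificate (and that of any
rem    other intermediate CA in the chain) goes into the Intermediate
rem    Certification Authorities store (store name: CA). Leave the file
rem    absent when the parent is the root itself.
if exist "%PARENT_CERT%" (
    certutil -addstore CA "%PARENT_CERT%" || goto fail
)

rem 3. Confirm that a chain can be built from the renewed certificate to the
rem    trusted root before touching the CA. -verify also checks revocation,
rem    so the issuing CA's CRL must be reachable from this server.
certutil -verify "%SUBCA_CERT%" || goto fail

rem 4. Only now install the CA certificate on the subordinate CA.
certutil -installcert "%SUBCA_CERT%" || goto fail

echo Renewed CA certificate installed.
goto :eof

:fail
rem "||" is used instead of "if errorlevel 1" because certutil reports
rem failures as HRESULT values, which cmd sees as negative exit codes.
echo A step failed; stopping before any later step runs. 1>&2
exit /b 1
```

Run it from an elevated Command Prompt on the subordinate CA; because each step gates the next, a chain that cannot be built stops the script before the certificate is installed.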

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Working with MMC console files
Renewing a certification authority
Renew a root certification authority
Request a certificate using a PKCS #10 or PKCS #7 file