[Dshield] NT4 Certificate Server root CA expired

Stephane Grobety security at admin.fulgan.com
Wed Mar 3 08:34:59 GMT 2004

Hello Al,

Thank you for your answer.

I have done parallel research about this issue and everyone told me
that Certificate renewal is simply NOT supported under NT4.

Now, I have considered your answer and tried a few things with the
server and here is what I found:

1/ Nowhere did I find any way to access the root CA certificate itself
nor request a certificate renewal.
2/ There seems to be no way to import a new root CA certificate into
the server (or to export the root for backup purposes, by the way).
3/ Certificate renewal doesn't seem to be really supported by the
CS 1.0. You can create all the new certs you want, but you can't
really renew old certs.

Now, for what you have described to work, I would need a solution for
all 3 points above. They seem to have been solved in the Windows 2000
version of CS, BTW, so one way to get out of this would be to roll back
the clock, upgrade the server to 2000, re-issue the certificate with a
new, longer validity period and then reset the clock to its correct

Anyway, since that server is going to be phased out pretty soon and
replaced with a Windows 2003 machine, we decided that it would be
easier to create a new CA root on the new system: we'll live with the
security warnings for now.

Thank you again,
Good luck,

Wednesday, March 3, 2004, 4:25:08 AM, you wrote:

AR> Stephanie

AR> I started seriously looking in Technet last night and many of the NT 4.0 
AR> resources that used to be there are now relegated to "some place." I went 
AR> looking for one of my reference books that is now someplace else. 
AR> Basically, they want you to pay money for a phone call.

AR> What I recall is that, prior to expiration, you generate a Root
AR> Certificate that gets imported back into the Certificate Server; you then
AR> generate new Client Root Certs that are imported into the Clients. Then generate
AR> appropriate updated individual client certificates with the new date range.

AR> Roll back the clock in the BIOS and see if the Certificate states 
AR> "Expired," if not give it a try.

AR> I apologize that I cannot offer more.

AR> Al

AR> At 03:43 PM 3/1/2004 +0100, you wrote:
>>I got a NT4 box running certificate server 1.0 (part of NT option pack
>>4.0) that has its root certificate expiring today.
>>Does anyone know how I can re-create this CA root cert?
>>Thank you,