[Dshield] NT4 Certificate Server root CA expired
security at admin.fulgan.com
Wed Mar 3 08:34:59 GMT 2004
Thank you for your answer.
I have done parallel research about this issue and everyone told me
that Certificate renewal is simply NOT supported under NT4.
Now, I have considered your answer and tried a few things with the
server and here is what I found:
1/ Nowhere did I find any way to access the root CA certificate itself
nor request a certificate renewal.
2/ There seems to be no way to import a new root CA certificate into
the server (or to export the root for backup purposes, by the way).
3/ Certificate renewal doesn't seem to be really supported by the
CS 1.0. You can create all the new certs you want, but you can't
really renew old certs.
Now, for what you have described to work, I would need a solution for
all 3 points above. They seem to have been solved in the Windows 2000
version of CS, BTW, so one way to get out of this would be to roll back
the clock, upgrade the server to 2000, re-issue the certificate with a
new, longer validity period and then reset the clock to its correct
Anyway, since that server is going to be phased out pretty soon and
replaced with a Windows 2003 machine, we decided that it would be
easier to create a new CA root on the new system: we'll live with the
security warnings for now.
Thank you again,
Wednesday, March 3, 2004, 4:25:08 AM, you wrote:
AR> I started seriously looking in Technet last night and many of the NT 4.0
AR> resources that used to be there are now relegated to "some place." I went
AR> looking for one of my reference books that is now someplace else.
AR> Basically, they want you to pay money for a phone call.
AR> What I recall, was prior to expiration is that you generate a Root
AR> Certificate that gets imported back into the Certificate Server, you then
AR> generate New Client Root Certs that are imported into the Clients. Then generate
AR> appropriate updated individual client certificates with the new date range.
AR> Roll back the clock in the BIOS and see if the Certificate states
AR> "Expired," if not give it a try.
AR> I apologize that I can not offer more.
AR> At 03:43 PM 3/1/2004 +0100, you wrote:
>>I got an NT4 box running certificate server 1.0 (part of NT option pack
>>4.0) that has its root certificate expiring today.
>>Does anyone know how I can re-create this CA root cert?