How To
Summary
This document provides a production-ready, repeatable procedure to renew a Subordinate Certification Authority (SubCA) certificate in a Microsoft Active Directory Certificate Services (AD CS) PKI hierarchy using an offline Enterprise Root CA.
Objective
Scope
- Offline Enterprise Root CA
- Two online Enterprise Subordinate CAs
- Certificate-only renewal with reused keys (recommended)
- Optional guidance for emergency rollback and validation
Prerequisites
- Local Administrator on Subordinate CAs
- CA Administrator on Root CA
- Enterprise Admin rights for Active Directory publication
- Secure removable media for file transfer
- HTTP CDP/AIA infrastructure operational
High-Level Workflow
Subordinate CA → Generate Renewal Request
Offline Root CA → Sign Request & Publish Root CRL
Subordinate CA → Install Certificate & Publish CRLs
Environment
Environment: Offline Enterprise Root CA with Two Online Enterprise Subordinate CAs (Microsoft AD CS)
Note: This procedure is OS-version agnostic as long as the CA is running a supported version of Windows Server with AD CS.
Steps
Shell/Elevation Key
- Admin PowerShell = Launch Windows PowerShell with "Run as administrator"
- Admin CMD = Launch Command Prompt with "Run as administrator"
- Either (Admin) = Command works in either Admin PowerShell or Admin CMD
Step 1 – Review Current SubCA Certificate & Renewal Policy
Shell: Either (Admin)
Commands:
certutil -cainfo
certutil -getreg ca\RenewalValidityPeriod
certutil -getreg ca\RenewalValidityPeriodUnits
Step 2 – Back Up the Subordinate CA
Shell: Either (Admin)
Command:
certutil -backup C:\CABackup
Step 3 – Generate the Subordinate CA Renewal Request
Shell: Either (Admin)
Command:
certutil -renewCert ReuseKeys
Output location: C:\Windows\System32\CertSrv\CertEnroll\
Step 4 – Transfer the Request to the Offline Root CA
Shell: GUI/Standard
Action: Copy the .req file to approved removable media and move it to the offline Root CA.
Step 5 – Sign the Request on the Offline Enterprise Root CA
Shell: Either (Admin)
Command:
certreq -submit <request>.req
Save the issued certificate as: <issued>.cer (e.g., SubCA01_SubCA01_RootCA.cer)
Step 6 – Publish Root CA CRL (with CDP discovery)
6.1 Generate CRL — Shell: Either (Admin)
certutil -crl
6.2 Locate CDP — Shell: Either (Admin)
certutil -getreg CA\CRLPublicationURLs
GUI (authoritative): Certification Authority → Root CA → Properties → Extensions → CRL Distribution Point (CDP)
6.3 Publish CRLs — Shell: GUI/Standard (file copy)
Copy the generated .crl files to each configured HTTP/file CDP, e.g., \\PKIWeb01\c$\inetpub\wwwroot\CertEnroll\
6.4 Validate CRL Accessibility — Shell: Either (Admin)
certutil -url http://<your-cdp>/CertEnroll/RootCA.crl
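As an added example (not from the original document), the following Admin PowerShell script run on the Root CA performs 6.2 and 6.3 together: it decodes the CRLPublicationURLs registry value so every configured CDP and its flag bits are visible, then stages the freshly generated base and delta CRL files with a hash check for transfer to the HTTP CDP. The CA name `RootCA` and the staging path `E:\CRLStage` are assumptions; the registry key path and flag values are the documented AD CS ones.

```powershell
# Added example (not from the original document): on the Root CA, list the
# configured CDPs (Step 6.2) and stage the generated CRLs for the HTTP CDP
# (Step 6.3). CA name and staging path are assumptions; adjust for your site.
#Requires -RunAsAdministrator
param(
    [string]$CaName  = 'RootCA',        # hypothetical Root CA common name
    [string]$Staging = 'E:\CRLStage'    # hypothetical: removable media used to reach the web CDP
)

# Flag bits that prefix each "<flags>:<url>" entry of CRLPublicationURLs
$crlFlagNames = @{
    1   = 'ServerPublish'        # CA writes the base CRL here
    2   = 'AddToCertCdp'         # URL is placed in the CDP extension of issued certs
    4   = 'AddToFreshestCrl'     # URL is placed in the Freshest CRL extension (delta)
    8   = 'AddToCrlCdp'          # URL is placed in the CRL's own CDP extension
    64  = 'ServerPublishDelta'   # CA writes the delta CRL here
    128 = 'AddToIdp'             # URL is placed in the IDP extension
}

function Get-CdpEntries {
    param([string]$Ca)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$Ca"
    $urls = (Get-ItemProperty -Path $key -Name CRLPublicationURLs).CRLPublicationURLs
    foreach ($entry in $urls) {
        # Split only on the first colon so "C:\..." and "http://..." stay intact
        $flagText, $url = $entry -split ':', 2
        $flags = [int]$flagText
        [pscustomobject]@{
            Url          = $url      # %3 = CA name, %8 = CRL name suffix, %9 = '+' for delta
            Flags        = $flags
            Meaning      = ($crlFlagNames.Keys | Sort-Object | Where-Object { $flags -band $_ } |
                            ForEach-Object { $crlFlagNames[$_] }) -join ','
            ClientsUseIt = [bool]($flags -band 2)   # only these URLs appear in issued certificates
        }
    }
}

function Copy-RootCrl {
    param([string]$Ca, [string]$Destination)
    $source = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
    # Base CRL (RootCA.crl) and, if enabled, delta CRL (RootCA+.crl)
    $crls = Get-ChildItem -Path $source -Filter "$Ca*.crl"
    if (-not $crls) { throw "No CRL files for $Ca in $source; run 'certutil -crl' first (Step 6.1)" }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($crl in $crls) {
        $target = Join-Path $Destination $crl.Name
        Copy-Item -Path $crl.FullName -Destination $target -Force
        $hash = (Get-FileHash $target).Hash
        if ($hash -ne (Get-FileHash $crl.FullName).Hash) {
            throw "Hash mismatch after copying $($crl.Name)"
        }
        # Record the hash so the file can be re-checked once it lands on the web server
        [pscustomobject]@{ File = $crl.Name; StagedTo = $target; SHA256 = $hash }
    }
}

Get-CdpEntries -Ca $CaName | Format-Table -AutoSize
Copy-RootCrl -Ca $CaName -Destination $Staging | Format-Table -AutoSize
```

Entries whose `ClientsUseIt` column is True are the ones relying parties will actually fetch, so those are the locations that must receive the staged files before the Root CA is shut down in Step 7.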
Step 7 – Shut Down Offline Root CA
Shell: GUI/Standard
Action: Shut down per security policy after CRLs are verified at all CDPs.
Step 8 – Install the Renewed SubCA Certificate
Shell: Either (Admin)
Commands:
certutil -installcert <issued>.cer
net stop certsvc
net start certsvc
Step 9 – Publish SubCA CRLs and Active Directory Objects
Shell: Either (Admin)
Commands:
certutil -crl
certutil -dspublish -f <issued>.cer SubCA
Step 10 – Validation
Shell: Either (Admin)
Commands (on SubCA):
certutil -verifykeys
certutil -cainfo
Client test — Shell: Either (Admin)
certutil -config - -ping
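As an added example (not from the original document), the following Admin PowerShell script automates the SubCA side of the procedure: `-Phase Request` covers Steps 1 to 3 and `-Phase Install` covers Steps 8 to 10. Before installing, it checks that the issued certificate carries the same public key as the current CA certificate (which must hold when the request was generated with ReuseKeys) and that its validity is not already short. The CA name `SubCA01`, the backup root `C:\CABackup` and the transfer path `C:\Transfer\...` are assumptions.

```powershell
# Added example (not from the original document): SubCA-side automation for
# Steps 1-3 (-Phase Request) and Steps 8-10 (-Phase Install). The CA name,
# backup root and transfer path are assumptions; adjust them for your site.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Request', 'Install')][string]$Phase,
    [string]$CaName     = 'SubCA01',                                # hypothetical
    [string]$BackupRoot = 'C:\CABackup',                            # per Step 2
    [string]$IssuedCert = 'C:\Transfer\SubCA01_SubCA01_RootCA.cer'  # hypothetical, Step 5 naming
)

$certEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

function Invoke-CertUtil {
    # Run certutil in the console (so prompts such as the backup password stay visible)
    # and fail fast on a non-zero exit code.
    param([string[]]$Arguments)
    Write-Host ">> certutil $($Arguments -join ' ')"
    & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Get-CurrentCaCert {
    # The CA's own certificate (with private key) lives in LocalMachine\My; take the newest.
    $pattern = 'CN=' + [regex]::Escape($CaName) + '(,|$)'
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -match $pattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

switch ($Phase) {
    'Request' {
        # Step 1: current certificate and renewal policy
        $current = Get-CurrentCaCert
        if (-not $current) { throw "No CA certificate for CN=$CaName found in LocalMachine\My" }
        Write-Host "Current CA cert $($current.Thumbprint) expires $($current.NotAfter)"
        Invoke-CertUtil -Arguments @('-getreg', 'ca\RenewalValidityPeriod')
        Invoke-CertUtil -Arguments @('-getreg', 'ca\RenewalValidityPeriodUnits')

        # Step 2: back up into a fresh, timestamped directory (certutil -backup expects an
        # empty target and prompts for the key-backup password)
        $backupDir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
        New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
        Invoke-CertUtil -Arguments @('-backup', $backupDir)

        # Step 3: renewal request that reuses the existing key pair
        Invoke-CertUtil -Arguments @('-renewCert', 'ReuseKeys')
        $req = Get-ChildItem $certEnroll -Filter '*.req' |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if (-not $req) { throw "No .req file found in $certEnroll" }
        # Record the hash so the file can be checked after the removable-media transfer (Step 4)
        Write-Host "Request: $($req.FullName)"
        Write-Host "SHA256:  $((Get-FileHash $req.FullName).Hash)"
    }
    'Install' {
        if (-not (Test-Path $IssuedCert)) { throw "Issued certificate not found: $IssuedCert" }
        $new     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuedCert
        $current = Get-CurrentCaCert
        # With ReuseKeys the renewed certificate must carry the same public key as the current one
        if ($current -and $new.GetPublicKeyString() -ne $current.GetPublicKeyString()) {
            throw 'Public key of the issued certificate does not match the CA key; wrong file?'
        }
        if ($new.NotAfter -lt (Get-Date).AddDays(30)) { throw "Issued certificate expires too soon: $($new.NotAfter)" }
        Write-Host "Installing $($new.Subject) issued by $($new.Issuer), valid to $($new.NotAfter)"

        # Step 8: install and restart the CA service
        Invoke-CertUtil -Arguments @('-installcert', $IssuedCert)
        Restart-Service certsvc
        # Step 9: fresh SubCA CRL, then the renewed CA certificate into the AD AIA container
        Invoke-CertUtil -Arguments @('-crl')
        Invoke-CertUtil -Arguments @('-dspublish', '-f', $IssuedCert, 'SubCA')
        # Step 10: key/certificate consistency and service reachability
        Invoke-CertUtil -Arguments @('-verifykeys')
        Invoke-CertUtil -Arguments @('-config', "$env:COMPUTERNAME\$CaName", '-ping')
    }
}
```

Run `.\Renew-SubCa.ps1 -Phase Request` before the Root CA work and `.\Renew-SubCa.ps1 -Phase Install -IssuedCert <path>` after the signed certificate has been brought back; the public-key comparison is what catches a certificate signed for the wrong request before the service is touched.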
Additional Information
Enterprise Root CA Considerations
Manual AD publication (if required) — Shell: Either (Admin) on a domain-joined admin workstation or a CA with AD connectivity:
certutil -dspublish -f RootCA.cer RootCA
certutil -dspublish -f RootCA.crl
Ensure HTTP AIA endpoints contain Root and SubCA certificates referenced by issued certificates. Delta CRLs (if enabled) must be reachable alongside base CRLs.
Appendix A — CDP/AIA Validation (Enterprise)
A.1 Validate CDP (CRLs)
Shell: Either (Admin)
certutil -getreg CA\CRLPublicationURLs
Shell: Either (Admin)
certutil -urlfetch -verify <SubCA-issued-CA-cert>.cer
Shell: Either (Admin)
certutil -url http://<your-cdp>/CertEnroll/RootCA.crl
A.2 Validate AIA (CA Certificates)
Shell: Either (Admin)
certutil -getreg CA\CACertPublicationURLs
Confirm Root and SubCA certificates are available at HTTP AIA locations and embedded AIA URLs in certificates are reachable.
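As an added example (not from the original document), the following Admin PowerShell script checks the HTTP endpoints in A.1 and A.2 the way a relying party would: it downloads each CRL, parses the NextUpdate field from `certutil -dump` output, and flags CRLs that are expired, close to expiry or not CRLs at all; for AIA it downloads each CA certificate and compares its thumbprint to the expected value. The example.com URLs and the thumbprint placeholders are constructed and must be replaced with your own; the `NextUpdate:` label is assumed to match certutil's dump format.

```powershell
# Added example (not from the original document): validate HTTP CDP and AIA
# endpoints from a client's point of view. URLs and thumbprints are placeholders.
[CmdletBinding()]
param(
    [string[]]$CrlUrls = @('http://pki.example.com/CertEnroll/RootCA.crl',    # constructed
                           'http://pki.example.com/CertEnroll/RootCA+.crl'),  # delta CRL, if enabled
    [hashtable]$AiaCerts = @{                                                  # URL -> expected SHA-1 thumbprint
        'http://pki.example.com/CertEnroll/RootCA.crt'  = 'REPLACE_WITH_ROOT_THUMBPRINT'
        'http://pki.example.com/CertEnroll/SubCA01.crt' = 'REPLACE_WITH_SUBCA_THUMBPRINT'
    },
    [int]$WarnDays = 2   # warn when a CRL's NextUpdate is closer than this
)

function Get-UrlToTemp {
    param([string]$Url)
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
    # Plain HTTP is expected: CDP/AIA endpoints must not themselves require revocation checking
    Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop | Out-Null
    $tmp
}

function Test-CrlUrl {
    param([string]$Url, [int]$WarnDays)
    $result = [pscustomobject]@{ Url = $Url; Kind = 'CRL'; Status = 'Unreachable'; Detail = $null }
    $file = $null
    try {
        $file = Get-UrlToTemp $Url
        $dump = & certutil.exe -dump $file 2>&1
        if ($LASTEXITCODE -ne 0 -or ($dump -join "`n") -notmatch 'Revocation List') {
            $result.Status = 'NotACrl'; return $result
        }
        $line = $dump | Where-Object { $_ -match '^\s*NextUpdate:\s*(.+)$' } | Select-Object -First 1
        # certutil prints dates in the current culture, so parse them the same way
        $next = [datetime]::Parse(($line -replace '^\s*NextUpdate:\s*', ''), [cultureinfo]::CurrentCulture)
        $result.Detail = "NextUpdate $next"
        $result.Status = if ($next -lt (Get-Date)) { 'Expired' }
                         elseif ($next -lt (Get-Date).AddDays($WarnDays)) { 'NearExpiry' }
                         else { 'OK' }
    } catch { $result.Detail = $_.Exception.Message }
    finally { if ($file) { Remove-Item $file -ErrorAction SilentlyContinue } }
    $result
}

function Test-AiaUrl {
    param([string]$Url, [string]$ExpectedThumbprint)
    $result = [pscustomobject]@{ Url = $Url; Kind = 'AIA'; Status = 'Unreachable'; Detail = $null }
    $file = $null
    try {
        $file = Get-UrlToTemp $Url
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
        $result.Detail = "$($cert.Subject) $($cert.Thumbprint) valid to $($cert.NotAfter)"
        $result.Status = if ($cert.Thumbprint -ne $ExpectedThumbprint) { 'ThumbprintMismatch' }
                         elseif ($cert.NotAfter -lt (Get-Date)) { 'Expired' }
                         else { 'OK' }
    } catch { $result.Detail = $_.Exception.Message }
    finally { if ($file) { Remove-Item $file -ErrorAction SilentlyContinue } }
    $result
}

$results  = @($CrlUrls | ForEach-Object { Test-CrlUrl -Url $_ -WarnDays $WarnDays })
$results += $AiaCerts.GetEnumerator() | ForEach-Object { Test-AiaUrl -Url $_.Key -ExpectedThumbprint $_.Value }
$results | Format-Table -AutoSize
if ($results | Where-Object Status -ne 'OK') { exit 1 }
```

A `NearExpiry` or `Expired` result on the Root CRL is the condition Appendix B addresses: the CRL has to be regenerated on the Root CA and republished before NextUpdate passes, because the offline Root cannot refresh it on a schedule.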
A.3 Active Directory Validation (Enterprise)
Shell: GUI (pkiview.msc), launched in an elevated Enterprise Admin session for best results. Optionally republish the Root CA objects to Active Directory (the -f switch makes this safe to repeat if they already exist) and then confirm their presence in pkiview.msc, using:
Shell: Either (Admin)
certutil -dspublish -f RootCA.cer RootCA
certutil -dspublish -f RootCA.crl
Appendix B — Rollback & Recovery (CRL Publication Failures)
B.1 Immediate Remediation
Shell: Either (Admin)
certutil -crl
Shell: GUI/Standard — Copy CRLs to all CDP endpoints (HTTP/File)
Shell: Either (Admin)
certutil -url http://<your-cdp>/CertEnroll/RootCA.crl
B.2 Emergency Rollback
Shell: GUI/Standard — Restore previous known-good CRL to the HTTP CDP if it is still within its validity (Next Update). Then regenerate and republish a corrected CRL ASAP.
B.3 Client Cache Clearing (targeted troubleshooting)
Shell: Either (Admin)
certutil -urlcache crl delete
certutil -urlcache ocsp delete
Appendix C — Completion Checklist
[ ] SubCA backup completed
[ ] Renewal request generated
[ ] Request signed by Root
[ ] Root CRLs generated
[ ] CRL URL validation successful
[ ] Renewed SubCA cert installed; services restarted
[ ] SubCA CRLs published; AD objects published
[ ] Client validation successful
Document Location
Worldwide
Document Information
Modified date:
20 March 2026
UID
ibm17267056