PKI Certificate Expiry SDP

Symptoms

In the PKI Interactive Diagnostic ResultReport.xml report file, the issue "Recently expired or soon to expire certificates were detected" was reported.

Cause

This happens because the certificate expiry detection in the PKI Interactive Diagnostic looked through that computer's certificate stores and discovered at least one certificate that has expired within 15 days, or will expire within 15 days.


Certificates are created with a specific end time and date when they are issued. When they expire, any services which rely on them in order to function will also fail.

Resolution

This problem can be resolved by first determining what the certificate which has expired or will soon expire is being used for. The diagnostic report provides critical information for discovering what that certificate can be used for.

Items which can help you understand what the certificate is being used for are:
  • What Key Usage or Enhanced Key Usage items are defined for this certificate. These fields indicate specific allowed uses for a certificate and are usually a strong indication of what a certificate is being used for.
  • What store the certificate is in.
  • The issuer of the certificate.
  • A subject name or subject alternative name. For example, web sites using certificates for SSL require the subject name to match the site name.
  • If issued by an Enterprise Certificate Authority the template used for the certificate issuance will have information in it. Template name can often indicate intended use of the certificate.
  • Certificates which were not issued by a certificate authority are called self-signed certificates. If the certificate is self-signed, the field will indicate 'true'.
  • Certificate authority certificates are indicated as being so, as are subordinate certificate authority certificates.
  • The thumbprint and serial number of certificates (items which are always unique for any individual certificate) are shown so that the certificate can be identified uniquely if it must be searched for in MMC or by another method.
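
The 15-day check described under Cause, reproduced against the local certificate stores as an added PowerShell example (not part of the diagnostic package or of the original article). It assumes Windows PowerShell 3.0 or later with the Cert: drive; the helper name Get-ExtensionText and the SubjectEqualsIssuer column are illustrative and are not fields of ResultReport.xml.

```powershell
# Added example: list certificates that expired in the last 15 days or will
# expire in the next 15 days, with the fields used to identify their purpose.
$windowDays = 15                      # window stated under Cause
$now   = Get-Date
$from  = $now.AddDays(-$windowDays)
$until = $now.AddDays($windowDays)

# Hypothetical helper: human-readable text of one extension, '' if absent.
function Get-ExtensionText($Cert, [string]$Oid) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { '' }
}

Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object { $_.NotAfter -ge $from -and $_.NotAfter -le $until } |
    ForEach-Object {
        # Prefer the v2 template extension, fall back to the v1 template name.
        $template = Get-ExtensionText $_ '1.3.6.1.4.1.311.21.7'
        if (-not $template) { $template = Get-ExtensionText $_ '1.3.6.1.4.1.311.20.2' }
        [pscustomobject]@{
            Status              = if ($_.NotAfter -lt $now) { 'Expired' } else { 'Soon to expire' }
            HasPrivateKey       = $_.HasPrivateKey
            Store               = ($_.PSParentPath -split '::')[-1]
            SerialNumber        = $_.SerialNumber
            Thumbprint          = $_.Thumbprint
            Issuer              = $_.Issuer
            NotBefore           = $_.NotBefore
            NotAfter            = $_.NotAfter
            Subject             = $_.Subject
            SubjectEqualsIssuer = ($_.Subject -eq $_.Issuer)   # heuristic only
            BasicConstraints    = Get-ExtensionText $_ '2.5.29.19'
            SubjectAltName      = Get-ExtensionText $_ '2.5.29.17'
            KeyUsage            = Get-ExtensionText $_ '2.5.29.15'
            EnhancedKeyUsage    = Get-ExtensionText $_ '2.5.29.37'
            Template            = $template
        }
    } | Sort-Object NotAfter | Format-List
```

To locate the one certificate named in a report, replace the date filter with a comparison of Thumbprint against the value shown in ResultReport.xml.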

Once the type and use of the certificate is determined you will need to replace the certificate, and then configure the application(s) or service(s) which use the certificate to use the new certificate. The application or service configuration will be unique and you will likely need to consult documentation (KB, TechNet or MSDN) or collaborate with another engineer who specializes in that technology to do that final step.

More Information

The information below is a sample of a soon to expire certificate. This certificate is a root certificate authority certificate. Note that certificate authority certificates may appear twice in the ResultReport.xml: once with a private key and another time without.

If a field is blank in the result output for a certificate then that certificate did not have that field defined in it. Not all fields are required to be defined in a certificate. That is governed by the initial certificate request and any certificate template which was used.


Soon-to-expire certificate:1
Has Private Key:False
Store:CA
Serial Number:57A2A96D39C1A3A240F6633C3A021E20
Thumbprint:DD12D6638159E285B02467B5973E04D4710B5515
Issuer:CN=contoso-WIN-49H89RJ0MQQ-CA, DC=contoso, DC=com
Not Before:04/20/2012 12:43:25
Not After:04/27/2012 12:53:23
Subject Name:CN=contoso-WIN-49H89RJ0MQQ-CA, DC=contoso, DC=com
Self-Signed:False
Root CA certificate:True
Non-Root CA certificate:False
Subject Alternative Name:
Key Usage:Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
Enhanced Key Usage:
Certificate Template Information:

Article ID: 2705501 - Last reviewed: October 24, 2012 - Revision: 1