1. Log on to the system as a Certification Authority Administrator.
2. Open Certification Authority.
3. In the console tree, click the name of the certification authority (CA).

   Where?

   • Certification Authority (Computer)
   • CA name
4. On the Action menu, point to All Tasks, and click Renew CA Certificate.
5. Do one of the following:
   • If you want to generate a new public and private key pair for the certification authority's certificate, click Yes.
   • If you want to reuse the current public and private key pair for the certification authority's certificate, click No.
6. Get the CA certificate from the parent CA. For more information, see Notes.

Notes

• XOX
• To obtain the certificate for a subordinate CA, you must submit a certificate request to a parent CA. The procedure for doing so differs depending on whether the parent CA is available online.

  • If a parent CA is available online

    1. Click Send the request directly to a CA already on the network.
    2. In Computer Name, type the name of the computer on which the parent CA is installed.
    3. In Parent CA, click the name of the parent CA.

  • If a parent CA is not available online

    1. Click Save the request to a file.
    2. In Request file, type the path and file name of the file that will store the request.
    3. Obtain this subordinate CA's certificate from the parent CA.

       The procedure for doing this will be unique to the parent CA. At a minimum, the parent CA should provide a file containing the subordinate CA's newly issued certificate and, preferably, its full certification path. For the procedure to submit a certificate request using a file to a Microsoft CA, see Related Topics.

       If you get a subordinate CA certificate that does not include the full certification path, the new subordinate CA you are installing must be able to build a valid CA chain when it starts. Thus you must install the parent CA's certificate in the Intermediate Certification Authorities certificate store of the computer (if the parent CA is not a root CA), as well as the certificates of any other intermediate CA in the chain, and you must install the certificate of the root CA in the chain into the Trusted Root Certification Authorities store. These certificates should be installed in the certificate store before you install the CA certificate on the subordinate CA you have just set up.

    4. Open Certification Authority.
    5. In the console tree, click the name of the CA.

       Where?

       • Certification Authority (Computer)
       • CA name
    6. On the Action menu, point to All Tasks, and then click Install CA Certificate.
    7. Locate the certificate file received from the parent certification authority, click this file, and then click Open.

1. Open Command Prompt.
2. Type:

   certutil -renewcert

Value	Description
renewcert	Instructs the CA to renew its certificate.

Notes

• XOX
• To view the complete syntax for this command, at a command prompt, type:
  

  certutil -renewcert -?