When a root certification authority (CA) certificate is renewed, both the original root certificate and the renewed root certificate continue to be important in the public key hierarchy. The original root CA certificate remains the ultimate foundation of trust for the hierarchy and helps to validate the certificate chains for all certificates that have been issued under the original hierarchy. The renewed root CA certificate provides the foundation of trust for all certificates that are issued in the hierarchy from the renewal date forward.
To support these scenarios, a pair of cross-CA certificates is also created to establish the trust relationship between the original and renewed root certificates:
The first cross-certificate verifies that the original root CA certificate trusts the renewed CA certificate.
The second cross-certificate verifies that the renewed CA certificate trusts the original root certificate.
Stand-alone CAs generate self-signed cross-certificates when CA keys are changed. A cross-certificate is generated for each key transition, covering the period during which the lifetimes of the two root certificates overlap.
Create a missing cross-CA certificate
When a root certification authority (CA) certificate is renewed with a new key, the CA automatically generates cross-certificates between the old and new CA certificates. If a cryptographic failure occurred while the cross-certificate was being signed, you may be able to resolve the issue by correcting the extension conflict. Otherwise, enable CryptoAPI 2.0 Diagnostics to gather additional troubleshooting information.
To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.
Resolve an extension conflict
To resolve an extension conflict:
Click Start, type mmc, and then press ENTER.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.
Click Computer account, and then click Next.
Select the computer hosting the CA, click Finish, and then click OK.
Click the Details tab, and then in the Show list, click Extensions Only.
Double-click the previous CA certificate, and view the configured extensions for this certificate.
Compare the extensions in the latest CA certificate to the extensions in the previous CA certificate.
Correct any mismatch between extensions by reconfiguring the certificate request and submitting a new certificate request.
Note: For information about configuring a custom certificate request, see "Advanced Certificate Enrollment and Management" (http://go.microsoft.com/fwlink/?LinkID=74577).
Enable CryptoAPI 2.0 Diagnostics
To enable CryptoAPI 2.0 Diagnostics:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Event Viewer.
In the console tree, expand Event Viewer, Applications and Services Logs, Microsoft, Windows, and CAPI2.
Right-click Operational, and click Enable Log.
Click Start, point to Administrative Tools, and click Services.
Right-click Active Directory Certificate Services, and click Restart.
Look for any CA certificate verification or chaining errors. Resolve any errors, and then restart the CA again.
If the extensions are correct and CA certificate verification and chaining succeed, the missing cross-CA certificates should be generated automatically when the CA restarts.
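The two procedures above (comparing the extensions of the previous and latest CA certificates, then enabling the CAPI2 Operational log and restarting the CA) can be scripted. The following PowerShell is an added example, not part of the original article or Microsoft's tooling; it assumes it is run elevated on the CA host, that the previous and renewed CA certificates share the same Subject and reside in Cert:\LocalMachine\My, and the CA name is a placeholder.

```powershell
# Added example (not from the original article): compare the extensions of the
# renewed and previous CA certificates, then enable CAPI2 diagnostics and restart
# AD CS so that any chaining or verification errors are logged.
# Assumptions: elevated session on the CA host; both CA certificates have the same
# Subject and are in Cert:\LocalMachine\My; the CA subject below is a placeholder.
param([string]$CaSubject = 'CN=Contoso Root CA')   # placeholder, adjust for your CA

$caCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CaSubject -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending
if (@($caCerts).Count -lt 2) { throw "Need both the renewed and the previous CA certificate." }
$latest, $previous = $caCerts[0], $caCerts[1]

# Map OID -> extension so the comparison is by extension type rather than by order.
function Get-ExtensionMap($cert) {
    $map = @{}
    foreach ($ext in $cert.Extensions) { $map[$ext.Oid.Value] = $ext }
    return $map
}
$latestExt   = Get-ExtensionMap $latest
$previousExt = Get-ExtensionMap $previous

# Report extensions present in only one certificate, or whose Critical flag differs.
foreach ($oid in (@($latestExt.Keys) + @($previousExt.Keys) | Sort-Object -Unique)) {
    $a = $latestExt[$oid]; $b = $previousExt[$oid]
    $name = if ($a) { $a.Oid.FriendlyName } else { $b.Oid.FriendlyName }
    if (-not $a -or -not $b) {
        Write-Warning "Extension $name ($oid) is present in only one CA certificate"
    } elseif ($a.Critical -ne $b.Critical) {
        Write-Warning "Extension $name ($oid) differs in its Critical flag"
    }
}

# Enable the CAPI2 Operational log (equivalent to Enable Log in Event Viewer),
# then restart Active Directory Certificate Services.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
Restart-Service -Name CertSvc

# Show any CAPI2 errors (Level 2) recorded while the CA started up.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CAPI2/Operational'
    Level     = 2
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Resolve any reported extension mismatch by submitting a corrected certificate request, and any CAPI2 chaining errors, before restarting the CA again to let it generate the cross-certificates.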