Webinar: PKI Insights - The Most Common Misconfigurations in Today's PKI
Schedule a Demo
Blog May 31, 2024 Active Directory, ADCS, Certificate Authority

Active Directory Certificate Services (ADCS) Certificate Authority Renewal Error

by Jake Grandlienard

Certificate Authority Migration and Renewal

In the past year many enterprises have migrated their Microsoft ADCS based PKI Infrastructure from Windows Server 2012 R2 to a newer operating system. The most common path for the migration is backup & restore to a server with the same name or backup & restore to server with a new name. Both options are supported, and both will also result in a new SID for the new CA server object in Active Directory.

Error While Renewing ADCS Issuing CA Certificate

Clients often wait until after the migration to renew the CA certificate. The PKI team logs on to the CA and generates the renewal request, gets it signed by the Policy/Intermediate or Root CA, and when the updated issuing CA certificate is installed, a misleading error will pop up.

Screenshot of Microsoft Active Directory Certificate Services error window with error 0x8007000d
Figure 1: Error caused by access issue in CA object in AIA container
The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)

 

Person sitting at a laptop while viewing the PKI Spotlight Dashboard.

Expand Your PKI Visibility

Discover why seeing is securing with revolutionary PKI monitoring and alerting.

Learn More About PKI Spotlight®

The Cause and Solution

The error is misleading, and I have seen clients renew the CA certificate multiple times based on the misleading error message. First, if you have seen this message the renewal was successful at the CA level, but the CA was unable to update the CA object in Active Directory in the AIA container. This can be caused by a couple of different reasons.  I mentioned above there is a new SID for the new CA server, even if the CA common name is the same. This will cause the current CA server object to not have access to update the CA object in the AIA container.

You want to make sure the current CA server’s machine account has access to the object. You also want to make sure the user logged on during the installation of the updated CA certificate is a domain or enterprise Administrator, or in a delegated group that has full control for installing the new certificate on the CA.

Screenshot of Active Directory Sites and Services and CA Properties windows with CA01$
Figure 2: Active Directory Sites and Services (dssite.msc)

Other Considerations

There are other areas that should also be considered after a migration or issuing CA certificate renewal. The certificate revocation list (CRL) as well as the Online Responder (OCSP), Network Device Enrollment Service (NDES) configuration will also need to be checked and most likely updated. If you would like an additional blog on those topics, please let me know and I will get it created and posted.

Related Resources

  • Blog People sitting in a large room full of computers
    March 7, 2024

    Why you are getting it wrong with Certificate Lifecycle Management

    Certificate Management, Certificates, CLM
  • Blog
    February 6, 2024

    PKI Insights Recap – Microsoft Intune Cloud PKI

    BYOD, Certificates, Cloud, Enrollment, NDES
  • Blog
    May 25, 2023

    Escalating from child domain’s admins to enterprise admins in 5 minutes by abusing AD CS, a follow up

    Active Directory, Certificates, Exploits, Permissions, PKI

Jake Grandlienard

Jake Grandlienard brings more than 19 years of industry experience as a senior level engineer. Jake is a subject matter expert in PKI, mobile device management software, smart card management software, and Hardware Security Module (HSM) integrations.

View All Posts by Jake Grandlienard

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *