Renewing Root CA used with Microsoft Entra Certificate Based Authentication

Roughly a year ago, I showed how to configure a Self-Signed Cert for use with Entra ID and Certificate Based Authentication. In that demonstration, the certificate was given a 12-month TTL. So, what do we do when it expires?

How to renew the Trusted Root Certificate

First of all, launch an elevated PowerShell prompt. Type certlm.msc; this opens the Certificate Manager for the local machine.

Expand the Personal/Certificates folder and you will see your original, expired Root Certificate.

From the PowerShell window we still have open, we will run the code shown below.

If you update the $ExistingCertSubject variable to contain the Subject name of your previous cert (Vini-RootCA in my example), the code below grabs the Thumbprint of that cert and generates a new one with the same subject and key parameters. The -NotAfter parameter adds 5 years, purely for demonstration. You could change the 5 to 1 or 3, or swap AddYears(5) for AddMonths(5) to add only 5 months.

# Get the thumbprint of the existing certificate
$ExistingCertSubject = "Vini-RootCA"
# Subject -like can match more than one cert (for example after an earlier renewal),
# so take the one expiring last to make sure $Thumbprint is a single value.
$Thumbprint = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$ExistingCertSubject*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1).Thumbprint

# Load the existing certificate
$Old = Get-ChildItem Cert:\LocalMachine\My\$Thumbprint

# Create renewed certificate using same subject, key size and algorithm + 5-year validity.
# Note: this generates a NEW key pair; the old private key is not reused.
# -Type Custom with -KeyUsage CertSign marks it as a certificate-signing (CA) key,
# which is what a root that signs user authentication certs needs.
$New = New-SelfSignedCertificate `
    -Type Custom `
    -Subject $Old.Subject `
    -KeyExportPolicy Exportable `
    -KeyLength $Old.PublicKey.Key.KeySize `
    -KeyAlgorithm $Old.PublicKey.Oid.FriendlyName `
    -KeyUsageProperty Sign `
    -KeyUsage CertSign `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -NotAfter (Get-Date).AddYears(5)

# Output
$New | Format-List Thumbprint, Subject, NotBefore, NotAfter

Upon execution of the above code, you’ll see two Certs in certlm: the original, which has expired (or still shows the old expiry date), and the new one generated by the code above. In my example below, I’ve removed the expired cert and left the new one in place.

Next up we need to export the certificate.

Right click on your newly created Certificate and select All Tasks > Export. Click Next on the first page.

Select “No, do not export the private key” on the second page.

Leave the encoding as DER encoded binary X.509 (.CER)

Supply your export path and filename.
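The same export done from the PowerShell window instead of the certlm wizard, as an added example that is not part of the original post. It assumes the renewed root sits in Cert:\LocalMachine\My with the subject Vini-RootCA, and the export path is a placeholder. Before writing the file it checks the things worth knowing about a cert that is about to become a trusted CA in Entra: that it is self-signed, that it carries the Key Cert Sign usage, how long it has left, and, after the export, that the .CER file contains the same certificate and no private key.

```powershell
# Added example (not from the original post): export the renewed root as DER .CER
# with PowerShell and sanity-check it first.
# Assumptions: renewed root is in Cert:\LocalMachine\My with subject Vini-RootCA;
# $ExportPath is a placeholder path.
$RootSubject = "Vini-RootCA"
$ExportPath  = "C:\Temp\Vini-RootCA-renewed.cer"   # placeholder

# Pick the unexpired cert with that subject that expires last (the renewed one).
$Root = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$RootSubject*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $Root) { throw "No unexpired certificate with subject '$RootSubject' found." }

# Key usage comes from the X.509 Key Usage extension; $null when the extension is absent.
$KeyUsageExt = $Root.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$KeyUsage = if ($KeyUsageExt) { [int]$KeyUsageExt.KeyUsages } else { 0 }
$CertSign = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign

[pscustomobject]@{
    Thumbprint    = $Root.Thumbprint
    SelfSigned    = ($Root.Subject -eq $Root.Issuer)      # a root must be self-signed
    CanSignCerts  = (($KeyUsage -band $CertSign) -ne 0)   # Key Cert Sign present?
    HasPrivateKey = $Root.HasPrivateKey                    # needed to sign user certs later
    DaysLeft      = [int]($Root.NotAfter - (Get-Date)).TotalDays
} | Format-List

# -Type CERT writes DER-encoded X.509 with the public certificate only, which is what
# the wizard produces with "No, do not export the private key" + DER encoding.
New-Item -ItemType Directory -Force -Path (Split-Path $ExportPath) | Out-Null
Export-Certificate -Cert $Root -FilePath $ExportPath -Type CERT | Out-Null

# Read the file back and confirm it is the same cert and carries no private key.
$Reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExportPath
if ($Reloaded.Thumbprint -ne $Root.Thumbprint) { throw "Exported file does not match the selected certificate." }
if ($Reloaded.HasPrivateKey) { throw "Exported file unexpectedly contains a private key." }
"Exported $($Root.Thumbprint) to $ExportPath"
```

If CanSignCerts comes back False, the cert was generated without the CertSign key usage; it will still upload to Entra, but it is worth regenerating it as a proper CA before issuing user certificates from it.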

Now go back to the PKI Container we created earlier and click “+ Add Certificate Authority“.

Select the newly exported .CER file and specify that this CA is the root. Leave the other options as they are. (Again, if in an enterprise environment, you may need to provide CRL information, Hints etc – you will know if you need/want to do this.)

Click Save.

Delete the old/expired Cert from Entra, once you’re happy it’s safe to do so.

Next up, you may or may not need to renew the User Authentication Certificate. This is done by simply creating a new Client Authentication certificate, which can be achieved using the code outlined in the original post.

# $CertCreation is the root CA certificate object used as the signer; when following this
# post, that is the renewed root held in $New from the renewal code above.
New-SelfSignedCertificate -Type Custom -Subject "Vini-UserAuth" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2","2.5.29.17={text}upn=itsjames@domain.com","2.5.29.32={text}OID=1.2.3.4.5&OID=1.2.3.4") `
    -KeyUsage DigitalSignature -KeyAlgorithm ECDSA_nistP256 -CurveExport CurveName `
    -CertStoreLocation "Cert:\CurrentUser\My" -Signer $CertCreation -KeyExportPolicy Exportable

This command creates a user authentication certificate called “Vini-UserAuth” in the Personal certificate store of the current user (Cert:\CurrentUser\My) on your computer. This is the “key” for the “lock” we have installed.
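Whether the user certificate needs re-issuing is something you can test rather than guess. The renewal code above generates a new key pair for the root, so a user cert signed by the old root will not chain to the renewed one, even though the subject name is unchanged. The added example below (not code from the original post) issues a new user cert signed by the renewed root using the same parameters as the command above, then builds a chain for every Vini-UserAuth cert in the user store and reports which ones terminate at the renewed root. It assumes the renewed root, with its private key, is in Cert:\LocalMachine\My under the subject Vini-RootCA, and the UPN is the placeholder from the post; $NewRoot plays the role of $CertCreation.

```powershell
# Added example (not from the original post): re-issue the user auth cert against the
# renewed root and verify which root each user cert actually chains to.
# Assumptions: renewed root (with private key) is in Cert:\LocalMachine\My, subject
# Vini-RootCA; the UPN is a placeholder from the post.
$RootSubject = "Vini-RootCA"
$UserSubject = "Vini-UserAuth"
$Upn         = "itsjames@domain.com"   # placeholder

$NewRoot = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$RootSubject*" -and $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $NewRoot) { throw "Renewed root with a private key not found in Cert:\LocalMachine\My." }

# Same parameters as the post's user cert command, signed by the renewed root.
$NewUser = New-SelfSignedCertificate -Type Custom -Subject $UserSubject `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2","2.5.29.17={text}upn=$Upn","2.5.29.32={text}OID=1.2.3.4.5&OID=1.2.3.4") `
    -KeyUsage DigitalSignature -KeyAlgorithm ECDSA_nistP256 -CurveExport CurveName `
    -CertStoreLocation "Cert:\CurrentUser\My" -Signer $NewRoot -KeyExportPolicy Exportable
"Issued new user cert $($NewUser.Thumbprint), valid until $($NewUser.NotAfter)"

# Build a chain for a leaf cert, offering the candidate root via ExtraStore, and return the
# thumbprint of the certificate the chain ends at. The test root is not in Trusted Root, so
# an unknown CA is allowed and the verdict is based on where the chain terminates.
function Get-ChainRootThumbprint {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$CandidateRoot
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($CandidateRoot) | Out-Null
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.Build($Leaf) | Out-Null
    # A leaf whose issuer cannot be found yields a partial chain ending at the leaf itself.
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

# Every Vini-UserAuth cert in the user's store: the one just issued chains to the renewed
# root; ones signed by the old root do not (different issuer key, different key identifier).
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$UserSubject*" } |
    ForEach-Object {
        $endsAt = Get-ChainRootThumbprint -Leaf $_ -CandidateRoot $NewRoot
        [pscustomobject]@{
            UserCert            = $_.Thumbprint
            NotAfter            = $_.NotAfter
            ChainsToRenewedRoot = ($endsAt -eq $NewRoot.Thumbprint)
        }
    } | Format-Table -AutoSize
```

Any row showing ChainsToRenewedRoot = False is a user cert that will stop working once the old root is removed from Entra; export the new one for other devices and retire the old one.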

These steps in the original article will show you how to export this certificate for use/authentication on other devices etc.

Enjoy.
