AD CS enrollment expired or invalid date issue
Posted by knight8654@reddit | sysadmin | 11 comments
I’m having an odd issue with our AD CS enrollment on devices. Last week we started getting an error when enrolling a device: “The date in the certificate is invalid or has expired. 0x80072f05 ERROR_WINHTTP_SECURE_CERT_DATE_INVALID.” I checked the date/time, no issues, and the CA doesn’t expire until 2032?? Has anybody encountered this?
KStieers@reddit
Look at the whole chain of the issued cert. Do you have an issuing CA, and did its cert expire?
knight8654@reddit (OP)
Nope all the certificates seem fine and are not expired. Here is a picture reference
KStieers@reddit
That's not the issued cert...looks like you aren't getting that far...
I would check the cert on the IIS box that you blocked out.
knight8654@reddit (OP)
I looked in IIS and the cert is valid on the binding default site
unauthorizeddinosaur@reddit
Go to the site https://servername in a browser and look at your certificate.
unauthorizeddinosaur@reddit
Run this from a system on the domain and check your dates: certutil -enterprise -viewstore Root
If it has expired, you need to renew the CA cert on your CA.
knight8654@reddit (OP)
It shows I have until 2036
unauthorizeddinosaur@reddit
Apologies, I just reread your error. I agree with u/KStieers you need to check the https cert on your CA. Go to the https:// and check the certificate.
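The two checks suggested above (the HTTPS certificate the CA's web endpoint presents, and the dates in the trusted Root store) can be done in one pass from a domain-joined client. The script below is an added example, not something posted in the thread; it assumes a placeholder hostname for the CA's enrollment web server and inspects the validity windows that produce ERROR_WINHTTP_SECURE_CERT_DATE_INVALID (0x80072f05), which WinHTTP raises for the TLS certificate of the endpoint it connects to, not for the CA certificate itself.

```powershell
# Added example (not from the thread). Checks NotBefore/NotAfter for every
# certificate in the chain served on a CA's HTTPS binding and for every
# trusted root on this machine. $CaHost is a placeholder; replace it with the
# CES/CEP or web enrollment server name from the enrollment error.
param(
    [string]$CaHost = 'servername.example.com',   # placeholder hostname
    [int]$Port = 443
)

function Get-RemoteTlsChain {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate in the validation callback so an expired or
        # not-yet-valid one can still be captured and reported.
        $callback = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain locally so intermediates and the root are listed too.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # dates only; CRL reachability is a separate issue
        [void]$chain.Build($leaf)
        $chain.ChainElements | ForEach-Object { $_.Certificate }
    }
    finally {
        $tcp.Close()
    }
}

function Test-CertDates {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Source
    )
    $now = Get-Date
    $status = if ($now -lt $Cert.NotBefore) { 'NOT YET VALID' }
              elseif ($now -gt $Cert.NotAfter) { 'EXPIRED' }
              else { 'OK' }
    [pscustomobject]@{
        Source    = $Source
        Subject   = $Cert.Subject
        NotBefore = $Cert.NotBefore
        NotAfter  = $Cert.NotAfter
        Status    = $status
    }
}

$results = @()

# 1. Every certificate in the chain behind the HTTPS binding (leaf first, root last).
$i = 0
foreach ($c in Get-RemoteTlsChain -HostName $CaHost -Port $Port) {
    $results += Test-CertDates -Cert $c -Source "https://$CaHost chain[$i]"
    $i++
}

# 2. Trusted roots in the machine store. Enterprise roots published in AD are
#    propagated into this store, so an expired one shows up here as well.
foreach ($c in Get-ChildItem Cert:\LocalMachine\Root) {
    $results += Test-CertDates -Cert $c -Source 'LocalMachine\Root'
}

# Anything other than OK at the top of the list is the certificate to fix.
$results | Sort-Object Status -Descending | Format-Table -AutoSize
```

Run it as `.\Check-CaTlsDates.ps1 -CaHost <your CA web server>` (the file name is arbitrary). If the leaf or an intermediate on the HTTPS binding reports EXPIRED while the root store is fine, the fix is on the IIS binding, which matches the direction the replies above point in; also compare the system clock on the client and the CA, since a skewed clock produces the same NOT YET VALID / EXPIRED result against a perfectly good certificate.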
Jeff-IT@reddit
Is this a new setup?
Asking because I just set up an AD CS and my certs were going bad because the default CRL period is set to one week.
knight8654@reddit (OP)
No, ran fine until about a week ago
One-Environment2197@reddit
Have you checked the PKI console to see what that setting is set to?