SBS 2011: Repair Certificate Issues

How to Repair Certificate Issues in Windows Small Business Server 2011, Windows Home Server 2011, and Windows Storage Server 2008 R2 Essentials

Applies To:

 Windows Small Business Server 2011, Windows Home Server 2011, and Windows Storage Server 2008 R2 Essentials

Background 

A certificate is a critical system resource. Basic system identity functionality depends on the certificate to validate the integrity of the services and their functionality. Users should not manually modify or remove a certificate.

Each certificate has a validity period defined by a start date and an end date. A certificate is treated as invalid if the system date and time settings are changed to a past time that falls outside this range.

This topic provides information and instructions that can help you recover a certificate that is marked as invalid or expired.

Important:

  • If you removed the certificate or certificate role, you must reinstall your system to recover the certificate.

Symptoms

  • You are unable to open the host server Dashboard.
  • You are unable to use the Services applet (services.msc) to start services named “Windows Server <Service Name>”.
  • You see the status “This certificate has expired or is not yet valid” when you double-click the backup root certificate located at %programdata%\windows server\data\CAROOT.cer and select Certificate Path.
  • You cannot connect to the server by using the Launchpad from a client computer.

Cause

If you changed the system time to a time that is earlier than the installation time, the Windows Server services cannot start because the certificate appears as expired. The Windows Server Solutions Servers depend on this certificate.

Solution

Note:

  • This is an advanced administrative task. To complete this task, you must log on to the host server as Administrator. Always use the server Dashboard to perform common server management tasks.

From the server

  1. Ensure that the date and time settings shown in the system tray are current.
  2. Visit Windows Update to download and install all critical and important updates.
  3. Restart the server.
  4. After restarting the server, click Start, type mmc.exe, and then press ENTER. An empty management console appears.
  5. In the management console, click File, and then click Add/Remove Snap-in.
  6. In Add or Remove Snap-ins, in the list of available snap-ins, select Certificates, and then click Add.
  7. In Certificates Snap-in, select Computer account, click Next, and then click Finish.
  8. In Add or Remove Snap-ins, click OK.
  9. In the management console, expand Certificates (Local Computer), and then click Trusted Root Certification Authorities.
  10. In the details pane, right-click Certificates, point to All Tasks, and then click Import.
  11. In the Certificate Import Wizard, browse to %programdata%\Windows Server\Bin\WebApps\Site\Resources, click CAROOT.CER, and then click Open.
  12. In the Certificate Import Wizard, click Next until you reach the Completing the Certificate Import Wizard page, and then click Finish.
  13. Restart the server.
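
The clock check from step 1 and the import from steps 9 to 12 can also be scripted with the .NET certificate classes. The following is an added example, not part of the original article; it assumes an elevated Windows PowerShell session on the host server and the CAROOT.CER path given in step 11.

```powershell
# Added example, not from the original article. Run elevated on the host server.
# Path taken from step 11 of the procedure.
$cerPath = Join-Path $env:ProgramData 'Windows Server\Bin\WebApps\Site\Resources\CAROOT.CER'
if (-not (Test-Path -LiteralPath $cerPath)) {
    throw "Backup root certificate not found at $cerPath"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
$now  = Get-Date

Write-Host ("Subject    : {0}" -f $cert.Subject)
Write-Host ("Thumbprint : {0}" -f $cert.Thumbprint)
Write-Host ("Valid from : {0}" -f $cert.NotBefore)
Write-Host ("Valid to   : {0}" -f $cert.NotAfter)
Write-Host ("System time: {0}" -f $now)

# Step 1: the system clock must fall inside the certificate's validity period.
# Importing while the clock is wrong does not clear the symptom.
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "System time is outside the certificate validity period. Correct the date and time (and the BIOS clock) first."
}

# Steps 9-12: add the certificate to Trusted Root Certification Authorities (Local Computer).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList `
    ([System.Security.Cryptography.X509Certificates.StoreName]::Root),
    ([System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    # Look the certificate up by thumbprint so a repeated run does not re-import it.
    $found = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $cert.Thumbprint, $false)
    if ($found.Count -eq 0) {
        $store.Add($cert)
        Write-Host "CAROOT.CER imported into LocalMachine\Root."
    } else {
        Write-Host "CAROOT.CER is already present in LocalMachine\Root."
    }
}
finally {
    $store.Close()
}
# Step 13 (restart the server) is left to the administrator.
```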

From client computers

  • Ensure that the date and time settings shown in the system tray are current and that they are the same as the server settings.

Notes:

  • If the date and time reverts to an invalid time after you restart the server, check the BIOS settings to ensure that the BIOS time is set correctly.
  • If your server is running Windows Small Business Server 2011, this problem will be fixed automatically when you restart the server because the certificate is stored in Active Directory.
  • A certificate backup file is created during server installation. If you remove the certificate backup file, your system may not function correctly. If this occurs, you should perform a clean installation to recover the server.