Invalid algorithm specified when renewing subordinate CA with same key

Author by Nathan Lasnoski

I was working on a certificate services environment where I wanted to renew the certificate of an existing subordinate certificate authority.  I went about using the typical procedure for renewing the certificate, found here:   I ran into a really strange issue, where when attempting to renew the certificate with the same key I received no results.  I was navigating in the certificate authority interface, selected "Renew CA Certificate", selected to use the existing key pair, and was expecting to be able to choose to save the request to the local disk.  Instead it simply restarted the certificate services.   I then opened a command prompt as an administrator and ran "certutil -renewCert ReuseKeys".  This provided the output of "invalid algorithm specified".  I attempted to correct the issue by changing cryptographic providers on the server, disabling UAC, and using different users.  I tested a similar process on another server and it worked fine.   I finally had to generate a certificate using a new key.  I believe that there was something wrong with the original certificate's cryptographic provider that was preventing the original key from being used.  In this case the new key was requested and fulfilled without error.  Although I had to use a new key, it ultimately allowed me to move on.   To renew a certificate with a new key, either use "certutil -renewCert", or in the certificate authority interface select "Renew CA Certificate" and select to use new keys.  The certificate authority will now issue certificates with the renewed / new certificate, vs. the old certificate.  The old certificate however will continue to be valid until the expiration date, unless it is expired and published in the CRL.   Happy certifying!   Nathan Lasnoski

Nathan Lasnoski

Vice President of Solutions