Expired Certification Authority Cert
If you have been running a certification authority on your domain for five years, the CA certificate itself may expire without ever being renewed. Once it has, the CA can no longer issue or renew certificates: every certificate it signs chains to the CA certificate, and that certificate is no longer within its validity period. The primary symptom is Event ID 4319: "Active Directory Certificate Services could not create an encryption certificate. Requested By [domainaccount] A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)."
In the Certification Authority console, right-click the affected authority (the specific CA server) and choose Renew CA Certificate from the right-click menu. If you then open Properties on that server, you will see the expired certificates listed with the new certificate at the bottom. When a new request reaches the server, this valid certificate is used to sign it. Use PKIview.msc to inspect the new configuration; every tier should now report Status "OK".
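As an added check that is not part of the original note, the following PowerShell script audits a CA server for the condition described above before and after the renewal: it looks for recent Event ID 4319 entries and lists every CA certificate in the machine store with its expiry state. It assumes AD CS writes Event ID 4319 to the Application log under the provider name 'Microsoft-Windows-CertificationAuthority' and that the CA's own certificates sit in Cert:\LocalMachine\My carrying a BasicConstraints extension with the CA flag set; the parameter names and output format are this example's own.

```powershell
# Added example (not from the original note): audit a Windows AD CS server for an
# expired or soon-to-expire CA certificate. Run in an elevated PowerShell session
# on the CA server itself.
# Assumptions: Event ID 4319 is logged to the Application log by the provider
# 'Microsoft-Windows-CertificationAuthority', and the CA's signing certificates are
# stored in Cert:\LocalMachine\My with BasicConstraints CA=true.

param(
    [int]$LookbackDays = 7,    # how far back to search for Event ID 4319
    [int]$WarnDays     = 90    # flag CA certs expiring within this many days
)

$now = Get-Date

# 1. Symptom check: the 0x800b0101 "not within its validity period" event.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Id           = 4319
    StartTime    = $now.AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue

if ($events) {
    # Get-WinEvent returns newest first, so the first entry is the most recent.
    Write-Host ("[!] {0} Event ID 4319 entries in the last {1} days; most recent:" -f $events.Count, $LookbackDays)
    Write-Host ("    " + ($events | Select-Object -First 1).Message)
} else {
    Write-Host "[+] No Event ID 4319 entries in the last $LookbackDays days."
}

# 2. Root-cause check: enumerate CA certificates in the machine store and report
#    which are expired, expiring within $WarnDays, or fine.
$caCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
        $_.CertificateAuthority
    }
}

foreach ($cert in ($caCerts | Sort-Object NotAfter)) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $state = if ($daysLeft -lt 0)            { 'EXPIRED'  }
             elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
             else                             { 'OK'       }
    '{0,-9} NotAfter={1:yyyy-MM-dd}  Thumbprint={2}  {3}' -f $state, $cert.NotAfter, $cert.Thumbprint, $cert.Subject
}

# 3. Whole-picture view: certutil -cainfo prints every CA certificate version the
#    CA holds (old and renewed), complementing the per-tier status in pkiview.msc.
certutil -cainfo
```

Run it as, for example, `.\Check-CaCert.ps1 -WarnDays 180` from a scheduled task so the EXPIRING state is reported well before the five-year mark rather than discovered through Event ID 4319. After a successful Renew CA Certificate, the listing should show the old certificate as EXPIRED (the CA keeps it so previously issued certificates still chain) alongside a new entry reporting OK, matching what the Properties dialog and PKIview.msc display.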