Expired Certification Authority Cert

If a certification authority has been running on your domain for five years, you may find that its own CA certificate was never renewed and has expired. Once that happens the CA can no longer issue or renew certificates, because every certificate it signs depends on the validity of the CA (root) certificate, which is no longer valid. The primary symptom is Event ID 4319: "Active Directory Certificate Services could not create an encryption certificate. Requested By [domainaccount] A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)."

In the Certification Authority console, right-click the affected authority (the specific CA server) and choose Renew CA Certificate from the context menu.[1] If you then open Properties on that server, you will see the expired certificates listed together with a new certificate at the bottom; new requests arriving at the server are signed with this valid certificate. Use PKIview.msc[2] to inspect the new configuration: every tier should show Status "OK".
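As an added example (not from the original note or from Microsoft), the following PowerShell check can be run on the CA server to list its CA certificates with their expiry state, confirm that an unexpired one with a private key exists after the renewal, and look for recent Event ID 4319 entries. It assumes the CA's own certificates are in Cert:\LocalMachine\My and that the event is written to the Application log.

```powershell
# Constructed check for the expired-CA symptom described above.
# Assumptions (not stated on the page): CA certificates live in Cert:\LocalMachine\My,
# and Event ID 4319 is written to the Application log.
param(
    [int]$WarnDays = 30,   # flag certificates expiring within this many days
    [int]$LookbackDays = 7 # how far back to search for Event ID 4319
)

$now = Get-Date

# 1. Enumerate certificates whose Basic Constraints extension marks them as a CA.
$caCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
        $_.CertificateAuthority
    }
}

if (-not $caCerts) { Write-Warning 'No CA certificate found in Cert:\LocalMachine\My' }

# Oldest first, so a renewed CA shows its expired certs followed by the new one.
foreach ($cert in ($caCerts | Sort-Object NotAfter)) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
             else { 'OK' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        State      = $state
        HasKey     = $cert.HasPrivateKey
    }
}

# 2. A healthy CA has at least one unexpired CA certificate with its private key.
$valid = $caCerts | Where-Object { $_.NotAfter -gt $now -and $_.HasPrivateKey }
if (-not $valid) { Write-Warning 'No unexpired CA certificate with a private key: renew the CA certificate.' }

# 3. Look for the failure event itself over the lookback window.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Id        = 4319
    StartTime = $now.AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue

if ($events) {
    Write-Warning ("{0} Event ID 4319 entries in the last {1} days; latest at {2}" -f `
        $events.Count, $LookbackDays, $events[0].TimeCreated)
    $events[0].Message
}
```

Run it before and after Renew CA Certificate: the expired entries remain listed, but a new OK entry with HasKey True should appear and no further 4319 events should be logged.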

[1] http://serverfault.com/questions/597646/active-directory-certificate-enrollment-error
[2] http://blogs.technet.com/b/pki/archive/2011/02/28/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview.aspx