I'm working on an old Windows 2016 server that doesn't see much use, and I'm trying to renew its root Certificate Authority (CA) as well as an intermediate CA. However, I'm running into some trouble with the command: certutil -renewCert ReuseKeys. It returns an error saying that the command failed due to a bad keyset (error code 0x80090016). Notably, the root certificate isn't expired yet; it will expire on October 31, 2026. I've noticed that the CA properties show one expired cert (cert 0) but cert 1 is still valid. Any advice on how to proceed?
2 Answers
You actually can't renew a root CA once it's expired; you would need to create a new one. But since yours is still active, you should be fine. This error might indicate that you need to check the keyset. Also, you have a couple of options for renewing:
1. Create a new certificate using the same private/public key pair, which is less secure but easier to manage since it links to existing endpoints.
2. Generate a new certificate with a new key pair, which would require you to redeploy it to all endpoints (including users and devices). This is a bit tricky, especially if you're not the administrator.
Since your root CA isn’t expired yet, I recommend going with the second option: deploy a new one and make sure it's up on all endpoints before that expiration date hits.
I totally get your situation. Since you've mentioned that you're not the administrator, it might complicate things a bit. But if you've decided to go for the new cert (option B), you'll need to work with whoever does have admin rights to ensure that this new certificate is properly deployed across your network. Also, keep in mind that if you're dealing with 802.1X setups, the CA might be hardcoded into the Network Policy Server, which means you'd need to update that configuration too. You can check the CA properties to see what's active now (cert 0, 1, and 2) to get a better idea of your next steps.
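As an added illustration of the "check the CA properties" step (my own script, not part of either answer above), the following PowerShell lists every CA certificate in the machine store with its validity and whether its private key can actually be opened, then reads which certificate hashes the CertSvc service has registered. A key flagged as present but not loadable is consistent with the NTE_BAD_KEYSET (0x80090016) error that `-renewCert ReuseKeys` reported. It assumes an elevated session on the CA host, and `$CaName` is a placeholder for your CA's common name.

```powershell
# Added example, not from the original answers. Run elevated on the CA host.
$CaName = 'Contoso-Root-CA'   # placeholder: replace with the CA's common name
$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName*" } |
    Sort-Object NotBefore |
    ForEach-Object {
        $keyOk = $false
        if ($_.HasPrivateKey) {
            try {
                # Opening the key forces the CSP/KSP to load the keyset; a
                # damaged or inaccessible keyset throws here instead of later
                # inside certutil -renewCert ReuseKeys.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
                $keyOk = ($null -ne $rsa)
            } catch {
                $keyOk = $false
            }
        }
        [pscustomobject]@{
            Thumbprint  = $_.Thumbprint
            NotBefore   = $_.NotBefore
            NotAfter    = $_.NotAfter
            Expired     = ($_.NotAfter -lt $now)
            HasKeyFlag  = $_.HasPrivateKey
            KeyLoadable = $keyOk
        }
    } | Format-Table -AutoSize

# The CA service records the hashes of its certificates (index 0, 1, 2 ...)
# in the CACertHash value; compare these against the thumbprints above to
# see which entry is the expired "cert 0" and which is the live one.
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
Get-ChildItem $cfg | ForEach-Object {
    $hashes = (Get-ItemProperty -Path $_.PSPath).CACertHash
    [pscustomobject]@{
        CA         = $_.PSChildName
        CACertHash = ($hashes -join '; ')
    }
}
```

If a certificate shows `HasKeyFlag` true but `KeyLoadable` false, the renewal failure is a key-access problem rather than a certificate-expiry problem, which points toward the new-key-pair option the answers describe.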
