When you setup the Certification Authority on a Windows server, a certificate for the CA is created, which will be expired after 5 years (default). You can extend the CA’s life beyond the end date of its original certificate. You can renew the CA with the following command:
certutil -renewCert ReuseKeys (renews the CA with the existing key pair)
or
certutil -renewCert (renews the CA with a new key pair)