Is it the KRA certificate that has expired or the DRA certificate?
The Key Recovery Agent certificate is used to encrypt the private keys of issued certificates for key archival. It is not used for recovery of encrypted files, that is the purpose of the Data Recovery Agent.
If the KRA certificate has expired, you will need to issue a new KRA certificate. This certificate will be used to archive all future archived private keys. You will want to keep the expired KRA certificate, as it will be required to recover any keys archived before the new KRA certificate is issued. Even though the certificate has expired, it can still be used to decrypt archived keys.
If the DRA certificate has expired, you will need to issue a new DRA certificate. Then you will update group policy to reference the new and remove the old DRA from the policy. As users access their encrypted files, the DRA will be updated. You will want to export and keep the old DRA certificate, in case it is needed in the future.
When a certificate expires, it can no longer be used to sign anything. This is why the renewal process fails for an expired certificate, because you cannot sign the renewal request with an expired certificate. Expired certificates can still be used to decrypt however, as you are not signing anything.
Hope this helps, let me know if you need more information or clarification on this process.
Thanks for watching!
**if the post above has answered the question, please mark the topic as solved.