Process of renewal of subordinate certificate of certificate server.

Fahad Noaman 151 Reputation points
2024-05-28T07:51:55.08+00:00

Hi Team.

I have a few queries regarding our subordinate certificate server's upcoming certificate expiration. We need to renew the expiring certificate, but I'm concerned since it is integrated with many other services.

We have an offline root CA and three subordinate certificate servers joined to the domain. After renewing and installing the new certificate, do we need to remove the old certificate? The old certificate is manually added to multiple places, such as appliances on Linux servers. Will these services be impacted if the old certificate is removed? Additionally, for new certificate requests, will they be validated based on the new certificate or the old one... if we keep the old certificate?

Windows Server 2019
Active Directory
Windows Server Infrastructure

1 answer

  1. Jing Zhou 4,670 Reputation points Microsoft Vendor
    2024-05-28T09:56:37.89+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    To ensure a smooth certificate renewal process, the following are some of our suggestions:

    Considering that old certificates are manually added to multiple locations (such as devices on Linux servers), it is recommended to keep the old certificates during the transition period. If the old certificate is deleted, any services that rely on the old certificate may be immediately affected. It is recommended to keep both the old and new certificates during the transition period to ensure that all services can seamlessly switch to the new certificate.

    During the process of renewing a certificate, old certificates are usually not immediately deleted. Old certificates can remain valid until their natural expiration. This allows services and applications enough time to transition to the new certificate.

    The new certificate request will be validated based on the new subordinate CA certificate. If the old certificate is still retained and valid, the system and services will verify it based on the certificate chain.

    Best regards,

    Jill Zhou


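
The following is an added example, not part of the thread and not Microsoft tooling. It shows why the answer recommends keeping both certificates on relying systems during the transition, using a constructed lab PKI built with `openssl`. It assumes the subordinate CA is renewed with a new key pair and that a Linux appliance trusts a manually maintained PEM bundle; every name and file in it is made up.

```sh
#!/bin/sh
# Constructed lab PKI (all names are made up): a root CA, the subordinate CA
# certificate before and after renewal, and one leaf issued under each.
set -eu
cd "$(mktemp -d)"

printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'subjectKeyIdentifier=hash' > ca.ext
printf '%s\n' 'basicConstraints=CA:FALSE' 'authorityKeyIdentifier=keyid' > leaf.ext

# new_req NAME CN: create a fresh key pair and a CSR for subject CN
new_req() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}
# issue NAME ISSUER EXTFILE: sign NAME.csr with ISSUER's certificate and key
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
}
# check BUNDLE LEAF: print OK or FAIL for LEAF validated against the trust bundle
check() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

new_req root "Lab Root CA"
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 \
  -out root.pem 2>/dev/null

# Same subject name, different key pair: the renewal case assumed here.
new_req sub-old "Lab Issuing CA"; issue sub-old root ca.ext
new_req sub-new "Lab Issuing CA"; issue sub-new root ca.ext
new_req leaf-old "app-before-renewal.lab.example"; issue leaf-old sub-old leaf.ext
new_req leaf-new "app-after-renewal.lab.example";  issue leaf-new sub-new leaf.ext

# Trust bundles as an appliance might hold them.
cat root.pem sub-old.pem             > bundle-old-only.pem
cat root.pem sub-new.pem             > bundle-new-only.pem
cat root.pem sub-old.pem sub-new.pem > bundle-both.pem

for b in bundle-old-only bundle-new-only bundle-both; do
  echo "$b: old-CA leaf $(check $b.pem leaf-old.pem), new-CA leaf $(check $b.pem leaf-new.pem)"
done
```

A renewal that reuses the existing key pair behaves differently: leaves issued before the renewal can also chain to the renewed CA certificate.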