Issuing CA Cert Renewal

Question

Issuing CA Cert Renewal

Nik Perisa 26

Currently running Windows server 2012 our AD environment

We have an online Root CA and its certificate expires in 2031.

We have 2 issuing CA's and their certs expire early next year.

Is this all i need to do: https://www.risual.com/2014/05/renew-issuingsubordinate-ca-certificate/

Also, do i need to push out the new renewed cert to all domain joined devices?

I'm guessing 3rd party devices with a cert will need to be renewed?

Mau-5945 1 Reputation point

2021-10-29T15:07:06.157+00:00

Hello,

we have the same situation, could u please provide the solution you performer in order to renewall the issuing CA?

BR

Accepted answer

1 additional answer

Your answer

Mau-5945 1 Reputation point

2021-10-29T15:07:06.157+00:00

Hello,

we have the same situation, could u please provide the solution you performer in order to renewall the issuing CA?

BR

Answer 1

Vadims Podāns 9,186 MVP

The article you are referencing is not very correct. It suggest to not generate new key pair during renewal, which is bad choice. You SHALL ALWAYS generate new key pair during CA renewal regardless of what is the reason for renewal. The rest looks legit.

Also, do i need to push out the new renewed cert to all domain joined devices?

no. Issuing CA is not a trust anchor, so is not required to be pushed to any device as long as AIA extension is properly configured. But in any case, Enterprise CA will automatically push itself to all AD forest members.

I'm guessing 3rd party devices with a cert will need to be renewed?

only device certs must be renewed because they all are about to expire.

JT 1 Reputation point

2021-11-12T15:40:02.243+00:00

There is nothing wrong or incorrect, etc if you renew with the EXISTING key pair (unless the keys are compromised) or the existing CRLs are extremely large.
It is an administrative decision you need to make.

Renew with new key:
Any previously issued cert will continue to chain to the previous CA cert. Newly issued certificate will chain to the renewed CA cert with the new key.

Renew with same key:
Nothing changes - the new cert will contain the same public and private key pair

The renewed online issuing Enterprise CA certificate will publish its new CRT and CRL to AD (LDAP) if it is configured to do so on its extensions configuration.
If you have any applications or end entities that are NOT AD AWARE, you would be using OCSP or a HTTP crl repository. You will have to manually update the http location.
In addition, if computer side auto enrollment is configured and applying the Certificate stores in AD will sync with the domain joined computers.

Answer 2

Hi,

In domain, CA will automatically publish new certificate to AD and AD forest, clients will automatically trust it. As the result all previously issued certificates will chain up to new CA cert without any changes.
Regarding 3rd party devices , i would recommend you check the information with the devices provider or you can check it through the MMC if the new certificated will be installed automatically.
Following link for your reference:
https://www.sysadmins.lv/blog-en/root-ca-certificate-renewal.aspx
Please note: The given technical support contact information belongs to a third party and may vary without notice. Microsoft does not guarantee the information accuracy.

https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx

Best Regards,

Nik Perisa 26 Reputation points

2020-10-12T22:37:27.973+00:00

thanks everyone for your assistance. It will help with implemention.

Share via

Issuing CA Cert Renewal

1 additional answer

Your answer