Hello there,
When renewing a Subordinate Issuing CA certificate, the existing certificates will continue to chain up to the existing CA certificate. The process of renewing a certificate involves creating a new certificate with a new validity period while keeping the same cryptographic key and subject information. The new certificate is then signed by the same parent CA (Root CA) that issued the original certificate. This means that the certificate chain remains intact, and existing certificates issued by the Subordinate Issuing CA will continue to be trusted by non-domain joined devices until their expiration.
Non-domain joined devices do not typically have direct access to the CA infrastructure to automatically obtain the new certificate when it is renewed. As a result, you do not need to manually install the new CA certificate on non-domain joined devices immediately after renewing the Subordinate Issuing CA certificate.
Non-domain joined devices will continue to use the existing certificate issued by the Subordinate Issuing CA until their own certificate needs to be renewed. Once a non-domain joined device requests a new certificate (e.g., when the current certificate expires or a new certificate is needed for a different purpose), the Subordinate Issuing CA will issue a new certificate using the renewed CA certificate. This new certificate will then be part of the updated certificate chain, ensuring continuity of trust.
However, it is essential to plan for the renewal of certificates on non-domain joined devices in a timely manner to avoid any disruptions due to expired certificates. Depending on the use case and the validity period of the certificates, you may need to update the certificates on these devices proactively or configure them to check for certificate updates from the CA infrastructure periodically.
In summary, renewing the Subordinate Issuing CA certificate does not immediately impact the existing certificates on non-domain joined devices. They can continue to use the current certificate until their own certificate needs to be renewed, at which point the new CA certificate will be used in the certificate chain.
I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.
--If the reply is helpful, please Upvote and Accept as answer--
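
The renewal behaviour described in the answer above, reproduced with OpenSSL as an added example (it is not part of the original answer and is not AD CS tooling). All file names, subjects, serials and lifetimes are constructed, and the script also renews the issuing CA with a new key pair for contrast, which the answer does not cover.

```bash
#!/usr/bin/env bash
# Added example. Every name, subject, serial and lifetime here is constructed.

mkreq() {  # $1 = key file (generated if absent), $2 = CN, $3 = CSR to write
  [ -f "$1" ] || openssl genrsa -out "$1" 2048 2>/dev/null
  openssl req -new -key "$1" -subj "/CN=$2" -out "$3"
}

issue() {  # $1 = CSR, $2 = issuer (uses $2.crt and $2.key), $3 = serial, $4 = ext file, $5 = cert
  openssl x509 -req -in "$1" -CA "$2.crt" -CAkey "$2.key" -set_serial "$3" \
    -days 365 -extfile "$4" -out "$5" 2>/dev/null
}

build_pki() {  # writes all files into the current directory
  printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid\n' > leaf.ext
  mkreq root.key "Example Root CA" root.csr
  openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 3650 \
    -extfile ca.ext -out root.crt 2>/dev/null
  # Issuing CA as first deployed, and a device certificate issued under it.
  mkreq sub.key "Example Issuing CA" sub.csr
  issue sub.csr root 2 ca.ext sub.crt
  mkreq device.key "device01.example.test" device.csr
  issue device.csr sub 10 leaf.ext device.crt
  # Renewal with the same key pair: same CSR, new certificate from the root.
  issue sub.csr root 3 ca.ext sub_samekey.crt
  # Renewal with a new key pair: same subject, different public key.
  mkreq sub_newkey.key "Example Issuing CA" sub_newkey.csr
  issue sub_newkey.csr root 4 ca.ext sub_newkey.crt
}

chain_ok() {  # $1 = issuing CA cert presented as intermediate, $2 = end-entity cert
  openssl verify -CAfile root.crt -untrusted "$1" "$2" 2>/dev/null | grep -q ': OK'
}

key_id() {  # SHA-256 of the certificate's public key, to compare key pairs
  openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256
}

cd "$(mktemp -d)" && build_pki
chain_ok sub.crt         device.crt && echo "original CA cert:      device chain builds"
chain_ok sub_samekey.crt device.crt && echo "renewed, same key:     device chain builds"
chain_ok sub_newkey.crt  device.crt || echo "renewed, new key pair: device chain does not build"
```

In this example the device certificate's Authority Key Identifier is derived from the issuing CA's public key, so a certificate issued before the renewal chains to the renewed CA certificate only when the key pair was reused.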