![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 41%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
1. How does the Root CA contact the Subordinate CA for renewals? The Root CA is typically offline, so it does not directly contact the Subordinate CA (Issuing CA). Instead, when the Subordinate CA needs a renewed certificate, the process follows a manual certificate signing request (CSR) workflow:
Steps for certificate renewal from Root CA to Subordinate CA:
- Generate a Certificate Signing Request (CSR) on the Subordinate CA:
- On the Subordinate CA, you generate a renewal request (
.reqfile). - This request is manually copied (e.g., via USB) to the Root CA.
- On the Subordinate CA, you generate a renewal request (
- Manually Sign the Request on the Root CA:
- The Root CA, despite being offline, can still process signing requests.
- The request is imported into the Root CA, where a new certificate is issued.
- The signed certificate (
.crtfile) is manually copied back to the Subordinate CA.
- Import the Signed Certificate on the Subordinate CA:
- The Subordinate CA imports and applies the new certificate.
- This completes the renewal process.
The Root CA never needs to directly communicate with the Subordinate CA; everything is done via manual, air-gapped processes to maintain security.
2. Does Active Directory need to detect the Root CA? No, Active Directory does not need to "detect" the Root CA in order for you to set up a Subordinate CA. However, certain CA-related settings and certificates do get published to Active Directory to facilitate PKI usage.
Key Considerations:
- Root CA is not domain-joined, so it does not register itself in AD.
- Subordinate CA is domain-joined, so it:
- Publishes its CA certificate and CRL (Certificate Revocation List) to Active Directory.
- Can be configured via Group Policy to distribute certificates to domain-joined clients.
If your AD environment needs to trust the Root CA, you must manually distribute the Root CA certificate to all domain-joined machines (via Group Policy or manual import).
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin