Tasks after renewing CA Certificate

ErazerMe 46 Reputation points
2021-07-26T06:15:40.907+00:00

Hello all,

Because of the expiration date of our CA certificate, we want to renew the CA certificate with the same key.
My question is now: how is the new Root CA certificate published to all our domain-joined Windows clients?
Is there an out-of-the-box function, e.g. all domain-joined objects ask the domain if there is a root and automatically trust this root certificate and also the new root cert?
Or is this a manual task via a GPO which was done before, so that now I have to identify the GPO and update the root cert in this GPO?

Also, is there a best practice for renewing the root certificate?
My first thought was: it's not a big thing, but the more I think about it, the more I see the risk that some functions (validation of certificates) will no longer work properly with some clients.

Windows for business | Windows Server | User experience | Other

2 answers

Sort by: Most helpful
  1. Anonymous
    2021-07-26T07:48:37.84+00:00

    Hello @ErazerMe ,

    Thank you for posting here.

    Here are the answers for your references.

    How is the new Root CA certificate published to all our domain-joined Windows clients?
    A1: If the root CA is an offline root CA (one-tier offline standalone root CA), then you must publish the root certificate into AD by running the following command.

    certutil -f -dspublish <the path of CA certificate> RootCA

    This will then use the autoenrollment settings to distribute the certificate to the trusted root store of all domain joined clients.

    If the root CA server was joined to the domain (one-tier online Enterprise root CA server), this will eventually happen automatically, but it can take up to 8 hours (default GPO application time). To force the issue, reboot a client computer and it will pick up the root CA certificate.

    Is there an out-of-the-box function, e.g. all domain-joined objects ask the domain if there is a root and automatically trust this root certificate and also the new root cert?
    A2: See A1.

    Or is this a manual task via a GPO which was done before, so that now I have to identify the GPO and update the root cert in this GPO?
    A3: See A1. If the root CA is an offline root CA (one-tier offline standalone root CA), you can run the command I mentioned above to publish the root CA certificate to all AD forest members (including all your domain-joined Windows clients and all your domain users).

    Or if the root CA is an offline root CA (one-tier offline standalone root CA), you can also edit the GPO if there is such an existing GPO (I think the method can publish root CA certificate to all your domain-joined windows clients).

    Also, is there a best practice for renewing the root certificate?
    A4: Log on to the CA server using an Administrator account.
    Open Certification Authority.
    Right-click CA -> All Tasks -> Renew CA Certificate -> Yes (stop CA service) -> No (Do you want to generate a new public and private key pair?).

    (screenshot: 117820-ca2.png)

    Hope the information above is helpful to you.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    3 people found this answer helpful.

  2. Anonymous
    2021-07-27T09:25:32.607+00:00

    Hello @ErazerMe ,

    Thank you for your update.

    According to your steps, I was still thinking about the following topic: when I renew the root certificate (with the same keys), is there any need for third-party applications/systems to also renew the root certificate, or are they able to use the new one?
    A1: Yes. If there is any third-party application/system that uses the root certificate or uses certificates issued by the root certificate, you need to make the third-party application/system bind the new root certificate, or put the new certificate on the third-party application/system, so that the third-party application/system trusts the new root certificate.

    Because once the root cert is renewed, it will use new root certificate when renewing certs issued by root cert or when users or computers or apps request new certs.

    For example: we have non-domain-joined Windows clients, where the root certificate was added manually to the certificate store. As we renew the root certificate now, is there also a need to add the "newly" created root certificate to that client?
    A2: Yes, if you have such non-domain-joined Windows clients and they use certificates issued by the root certificate.

    Because once the root cert is renewed, it will use new root certificate when renewing certs issued by root cert or when users or computers or apps request new certs.

    Or is there a relationship between the "old/expired root cert" and the "newly created root cert" (we still use the same key pair)?
    A3: The newly renewed root cert has a Previous CA Certificate Hash.

    (screenshot: 118180-ccc.png)

    We have a lot of non-Windows systems/apps to which the root certificate was added manually. The point is: do we have to add the new root certificate again to all systems, or will they be able to work with new certificates (created from the new root cert) without adding the new root certificate?
    A4: See A1.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    2 people found this answer helpful.
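The checks that follow up both answers, written as an added example that is not part of the original thread or of the answerer's guidance: run on a domain-joined client after the renewed root has been published (A1 in the first answer) to confirm that both root certificates are in the machine Trusted Root store, that the renewed one reuses the old public key (the "No" to a new key pair in A4), that its "Previous CA Certificate Hash" extension (A3 in the second answer) names the old certificate, and that it still builds a chain on this client. The CA subject is a placeholder, and the parsing of the extension body as a DER OCTET STRING wrapping the SHA-1 thumbprint is an assumption (the script falls back to CryptoAPI's text formatting if the layout differs).

```powershell
# Added example, not code from the original Q&A thread or from Microsoft.
# Verifies on a domain-joined client that a root CA certificate renewed with the
# same key has arrived and links back to the previous root certificate.
param(
    [string]$CaSubject = 'CN=Contoso Root CA'   # placeholder: replace with your root CA's subject
)

# Microsoft extension OID (szOID_CERTSRV_PREVIOUS_CERT_HASH) written by "Renew CA Certificate"
$PreviousHashOid = '1.3.6.1.4.1.311.21.2'

function Get-PreviousCaCertHash {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $PreviousHashOid }
    if (-not $ext) { return $null }
    $raw = $ext.RawData
    # Assumed layout: DER OCTET STRING (0x04 <len> <SHA-1 bytes>); otherwise use CryptoAPI text
    if ($raw.Length -ge 2 -and $raw[0] -eq 0x04 -and $raw[1] -eq ($raw.Length - 2)) {
        return (($raw[2..($raw.Length - 1)] | ForEach-Object { $_.ToString('X2') }) -join '')
    }
    return ($ext.Format($false) -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-RenewedRoot {
    param([string]$Subject)
    # Oldest first, so [0] is the previous root and [-1] the renewed one
    $roots = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore)

    if ($roots.Count -lt 2) {
        Write-Warning (("Only {0} certificate(s) for '{1}' in LocalMachine\Root; the renewed root " +
            "has not been applied yet. Run 'gpupdate /force' or 'certutil -pulse' and re-check.") -f $roots.Count, $Subject)
        return $null
    }

    $old = $roots[0]
    $new = $roots[-1]
    # Same key pair: the DER-encoded public keys are byte-for-byte identical
    $sameKey  = $old.GetPublicKeyString() -eq $new.GetPublicKeyString()
    $prevHash = Get-PreviousCaCertHash -Cert $new
    $linksToOld = [bool]$prevHash -and ($prevHash -ieq $old.Thumbprint)

    # Chain build for a self-signed root succeeds only if this client trusts it
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($new)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        OldThumbprint    = $old.Thumbprint
        OldNotAfter      = $old.NotAfter
        NewThumbprint    = $new.Thumbprint
        NewNotAfter      = $new.NotAfter
        SamePublicKey    = $sameKey
        PreviousCertHash = $prevHash
        PointsToOldRoot  = $linksToOld
        ChainBuilds      = $chainOk
        ChainStatus      = if ($status) { $status } else { 'OK' }
    }
}

Test-RenewedRoot -Subject $CaSubject | Format-List
```

A result with SamePublicKey and PointsToOldRoot both True and ChainBuilds True is what you expect after a same-key renewal; a single certificate for the subject means the publication from A1 has not reached this client yet, and the same script run on a non-domain-joined machine shows whether the manual import from the second answer's A2 is still outstanding.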
