PKI - Renewed CA cert and it changed CA hierarchy, I need to revert without invalidating my issued certs

Steam Candle 20 Reputation points

I was simply trying to renew the CRLs of a level 2 Sub-CA (Server A), and instead I renewed the CA certificate on the level 2 Sub-CA (Server A) and selected the parent as the other level 2 Sub-CA (Server B). So now Server A is a level 3 Sub-CA. Now it looks like this: I have the Root CA > Server B > Server A and I need to change it back. I want to note that when I did this, I chose to keep the same keys.

Old Config that I want-

  (L1)Offline Root Cert
            (L2) Server A
            (L2) Server B


How it is configured now after I renewed the CA cert -

 (L1) Offline Root CA
            (L2) Server B
                  (L3) Server A 


How do I go about changing Server A to be a Level 2 Sub-CA again without invalidating all the certs it has signed in the past? Ideally, I just want the server to use the old CA cert (that is still valid and lines up with the other CA servers). Once I saw the mess-up, I removed the Cert templates from Server A so it would not sign any new requests.

I thought about just revoking the CA cert for Server A on Server B, but I was scared that would invalidate all my currently issued certs. I also thought about just renewing the CA cert again, and then taking the REQ file and getting the Root CA to sign it again. Or is there an easier way that I can just tell Server A to use the old CA cert that it was using before (and expires around the same time as Server B, so easier to manage)?


Accepted answer
  1. JimmySalian-2011 41,916 Reputation points


    For this you can follow your approach of re-signing with the Root CA for Server A; this is the same process as if you were renewing an expired cert or renewing before it is about to expire. If you want to use the old cert you will have to revoke and remove the new cert; this might be messy, so I will not suggest or agree with this approach.

    Note: Always back up the CA DB and logs, and also note down the steps you are trying to implement in the Prod environment and proofread them as a sanity check.

    Hope this helps.




    1 person found this answer helpful.

1 additional answer

  1. Steam Candle 20 Reputation points


    This was initially what we were planning to do, exactly what you suggested. We ended up contacting Microsoft and they directed me to the following

    So we restored an offline copy of Server A, exported the DB and Registry, then applied it to the online version of Server A. We did a reboot on the server and the hierarchy was restored and everything was showing correctly.

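A pre-change snapshot in the spirit of the backup note in the accepted answer and the database-plus-registry restore described in the follow-up, as an added example that is not part of either post. It saves the CA database, the CertSvc registry configuration and the current CA certificate, then records the hierarchy the CA certificate chains to; the backup path `D:\CABackup` and the output file names are assumptions.

```powershell
# Added example: run elevated on the CA server before any CA certificate change.
$ErrorActionPreference = 'Stop'
$BackupRoot = 'D:\CABackup'   # assumption: protected local path
$Target     = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
$DbDir      = Join-Path $Target 'DB'
New-Item -ItemType Directory -Path $DbDir -Force | Out-Null

function Invoke-Native {
    # Run a native tool and stop the script on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. CA database and logs.
Invoke-Native certutil.exe @('-backupDB', $DbDir)

# 2. CA configuration stored in the registry.
$RegKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$RegFile = Join-Path $Target 'CertSvc-Configuration.reg'
Invoke-Native reg.exe @('export', $RegKey, $RegFile, '/y')

# 3. The CA certificate currently in use.
$CaCertFile = Join-Path $Target 'ca-current.cer'
Invoke-Native certutil.exe @('-ca.cert', $CaCertFile)

# 4. Record the hierarchy that certificate chains to, root first.
#    Revocation checking is skipped so an unreachable offline-root CRL
#    does not block the report.
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertFile)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($cert)

$elements = @($chain.ChainElements)   # index 0 is the CA's own certificate
[array]::Reverse($elements)
$level  = 0
$report = foreach ($e in $elements) {
    $level++
    '(L{0}) {1}  [{2}]' -f $level, $e.Certificate.Subject, $e.Certificate.Thumbprint
}
$report | Tee-Object -FilePath (Join-Path $Target 'hierarchy.txt')
```

Comparing `hierarchy.txt` from before and after a renewal shows at once whether the CA has moved from level 2 to level 3, as happened to Server A in the question.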