This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 38%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Offline Root CA server has been deleted and it has almost been a month!! Root CA certificate will expire 2036, AIA location #1 will expire on 2036 and CDP location will expire on 2026. What are the things I must do to check that certificates are still working and will have an ample time to rebuilt the PKI infra (IF this is the last option) ?
We have 2 tier hierarchy and as far I can tell the issuing CA is still issuing certificate and revoking.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi @Terra •
When the CA root server is offline , you should renew the CDP manually when it wiil be expired.
It's recommended to keep CA root offline but not deleted it. You will need restart it when the root certificate or CDP expire to renew them.
Don't forget to backup the CA root server to be able to restore it if it is deleted by mistake.
Please don't forget to accept helpful answer
I can see 2 CDP location, root CA CDP and Issuing CA CDP. Root CA CDP expires on 2026 while Issuing CA CDP expires on Dec 27,2023.
Issuing CA CDP interval is every 9 days and it shows here effective date:12-20-2023 and expiration date: 12-29-2023 (as far as I can remember we are not renewing the Issuing CA CDP for almost a year already)
@Terra •
So you can wait until CDP location expiration date 2026.
After this, If you cannot restore the root CA server to renew CDP location , you should rebuild a new root CA server and reconfigure all other certificates issued from the old root certificate and this time try to backup to avoid this situation
Please don't forget to accept helpful answer
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello Terra,
Thank you for posting in Q&A forum.
Based on the description above, I understand you have two-tier PKI, one offline standalone root CA server and one online enterprise issuing CA server.
Based on "Offline Root CA server has been deleted", how did you delete Offline Root CA server? Did you mean you delete root CA certificate or root CA server?
If you still need the two-tier PKI, you cannot delete the root CA server or delete root CA certificate.
If you have already deleted the root CA server and you have the back up of the root CA, you can try to rebuild one server and install offline standalone root CA server and restore it.
I hope the information above is helpful.
If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
Based on "Offline Root CA server has been deleted", how did you delete Offline Root CA server?
The VM that is hosting the Root CA server has been deleted and no backup nor able to restore it.
Based on our architecture design, it will be a 2 Tier PKI. Our root CA certificate shows CDP location expiration on 2026 but my Issuing CA CDP location will be on Dec 29,2023 - will this be auto renew?
The CRL publication interval is every 9days and we lost our root CA server almost a month already but so far haven't seeing any issues (or maybe there is already an issue but no one is reporting), any checks or verification steps I need to do?
