Renew MS CA certificate and its after-effects on non-Windows computers

Sajid Mumtaz 66 Reputation points
2024-01-08T15:02:21.3433333+00:00

Hi!

Our CA certificate will expire in a few months and we want to keep almost the same settings for the new CA, like the key, etc.

It's easy to distribute the certificate in a Windows environment, but we use this CA certificate on different devices like Linux and firewalls for LDAP communication, as we use certificate-based authentication.

If we renew our CA certificate, will the places where we use the old CA certificate stop working and the communication break?

What's the best way to renew the new CA in our scenario?

Thanks for your help in this.


Accepted answer
  1. Daisy Zhou 28,906 Reputation points Microsoft Vendor
    2024-01-11T06:52:30.5466667+00:00

    Hello Sajid Mumtaz,

    Thank you for posting in Q&A forum.

    You had better renew the CA root certificate during downtime, and if there is any problem, then we will have time to troubleshoot.

    "we want to keep almost the same settings for the new CA like key etc."
    A: Please select "No" when renewing the root CA certificate.
    How to renew the Root CA certificate on an Microsoft Active Directory ...

    If we renew our CA certificate then the places where we use old CA certificate will stop working and the communication will break?
    A: For AD domain users and AD domain devices in the domain, the new root CA certificate should be published to Trusted Root Certification Authorities automatically.

    For other non-Windows devices or non-domain devices, you may need to install the new root CA certificate manually on these devices.

    Note: Please back up AD DS service before you make any changes on CA server.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards, Daisy Zhou

    If the Answer is helpful, please click "Accept Answer" and upvote it.


3 additional answers

  1. Thameur-BOURBITA 35,436 Reputation points
    2024-01-11T15:15:59.7533333+00:00

    Hi @Sajid Mumtaz

    "Hi! Thanks for your reply. For non-Windows machines that are using the CA, we will import the new CA, but the current one will not break before we import the new one? As per my understanding it will create a new value when I select not to generate the new key, and the old communication from non-Windows machines will still work. Thanks"

    If you don't remove the old certificate, it still works until its expiration date. When you select not to generate a new key, all old certificates generated before the new root certificate still work if they are still valid.


    Please don't forget to accept helpful answer

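    The answer above states that a root renewed without generating a new key keeps existing issued certificates valid. The script below is an added example, not from the thread or from Microsoft: it reproduces that claim with openssl on a Linux host by building a throwaway old root, issuing a leaf under it, re-signing the root with the same key and checking that the subject public key is unchanged and that the leaf verifies against both roots. All names, paths and validity periods are constructed; `same_public_key` can also be run on the real old and new root .crt files exported from the Windows CA.

```shell
#!/bin/sh
# Added example (not from the thread or Microsoft): simulate "renew the root CA
# certificate, reuse the existing key pair" with openssl and confirm that a
# certificate issued under the old root still verifies against the renewed root.
# Names, validity periods and paths are constructed for the demo.

# Compare the Subject Public Key Info of two CA certificates; identical SPKI
# means the renewal kept the key pair, so existing issued certs stay verifiable.
same_public_key() {
  a=$(openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256)
  b=$(openssl x509 -in "$2" -pubkey -noout | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# Does the leaf certificate ($2) chain to the given root ($1)?
verifies_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

renew_root_same_key_demo() {
  wd=$(mktemp -d) || return 1
  # Old root: key pair + self-signed cert that is close to expiry
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$wd/root.key" \
    -out "$wd/root-old.crt" -days 30 -subj "/CN=Example Root CA" 2>/dev/null
  # Leaf cert (e.g. the LDAP server) issued by the old root
  openssl req -newkey rsa:2048 -nodes -keyout "$wd/ldap.key" \
    -out "$wd/ldap.csr" -subj "/CN=ldap.example.test" 2>/dev/null
  openssl x509 -req -in "$wd/ldap.csr" -CA "$wd/root-old.crt" \
    -CAkey "$wd/root.key" -CAcreateserial -out "$wd/ldap.crt" -days 30 2>/dev/null
  # Renewed root: new self-signed cert with a new validity period, SAME private key
  openssl req -x509 -new -key "$wd/root.key" -out "$wd/root-new.crt" \
    -days 3650 -subj "/CN=Example Root CA" 2>/dev/null
  result=fail
  if same_public_key "$wd/root-old.crt" "$wd/root-new.crt" \
     && verifies_against "$wd/root-old.crt" "$wd/ldap.crt" \
     && verifies_against "$wd/root-new.crt" "$wd/ldap.crt"; then
    result=ok
  fi
  rm -rf "$wd"
  echo "$result"
}
```

    A device that still trusts only root-old.crt keeps working until that file expires, which is why the new root must be installed on non-Windows devices before the old one lapses.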

  2. Thameur-BOURBITA 35,436 Reputation points
    2024-01-08T15:38:56.14+00:00

    Hi @Sajid Mumtaz

    If you are talking about renewing the root certificate, you will also have to renew all the certificates issued by the old root certificate if you don't reuse the existing key pair.

    There is of course a service interruption while replacing the old root certificate in the case where you don't reuse the existing key pair.

    Some links should help you get more details on how you can renew your root certificate:

    Renew Windows root CA certificate

    Renewal with existing key pair


    Please don't forget to accept helpful answer


  3. Sajid Mumtaz 66 Reputation points
    2024-01-11T15:01:26.7633333+00:00

    Hi! Thanks for your reply. For non-Windows machines that are using the CA, we will import the new CA, but the current one will not break before we import the new one? As per my understanding it will create a new value when I select not to generate the new key, and the old communication from non-Windows machines will still work. Thanks
