Microsoft subordinate CA has multiple certs, which is in use?

Mohamed Roushdy 40 Reputation points
2024-04-04T21:12:40.6466667+00:00

Hello,

I have two questions, please. Long story short, I had to issue a new CA certificate for one of our subordinate CAs; the root CA is an offline CA (two-tier PKI scenario).

My questions are:

1- Now the subCA has two valid certs. Whenever a new cert is going to be issued, which cert will the CA server use to sign it? The most recent one by default?

2- I use SCEP for cert-based authentication for the end users' devices, and already pushed it via our cloud-based MDM solutions (Intune, JAMF, and Cisco ISE). Is it required to upload the new cert of that intermediate CA to the MDM solutions? Or is the existing one (which is still valid) enough as long as the root CA cert is the same? Keep in mind that the new cert of the subCA was generated using the same private key used for the old certificate. The change I have made to the new certificate is the CDP path (the old CDP paths will be decommissioned).

I hope both questions are clear.

Best Regards,

Mo

Windows Server 2019
Active Directory

1 answer

  1. Daisy Zhou 24,981 Reputation points Microsoft Vendor
    2024-04-05T02:50:26.9166667+00:00

    Hello Mohamed Roushdy,

    Thank you for posting in Q&A forum.

    Here are the answers for your references.

    1- Now the subCA has two valid certs. Whenever a new cert is going to be issued, which cert will the CA server use to sign it? The most recent one by default?
    A1: Based on my knowledge, since both SubCA certificates are not expired, and both SubCA certificates have issued certificates to end entities, both SubCA certificates are used.

    For example,

    SubCA certificate1 issued certificate to user1.
    SubCA certificate1 issued certificate to PC1.
    SubCA certificate2 issued certificate to user2.
    SubCA certificate2 issued certificate to PC2.

    User1 and PC1 will use SubCA certificate1.
    User2 and PC2 will use SubCA certificate2.

    2- I use SCEP for cert-based authentication for the end users' devices, and already pushed it via our cloud-based MDM solutions (Intune, JAMF, and Cisco ISE). Is it required to upload the new cert of that intermediate CA to the MDM solutions? Or is the existing one (which is still valid) enough as long as the root CA cert is the same? Keep in mind that the new cert of the subCA was generated using the same private key used for the old certificate. The change I have made to the new certificate is the CDP path (the old CDP paths will be decommissioned).

    A2: If the intermediate CA issues certificates to end users' devices through your cloud-based MDM solutions (Intune, JAMF, and Cisco ISE), you need to upload the new cert of that intermediate CA to the MDM solutions.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

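Added example, not part of the question or the answer above: a PowerShell script for checking the situation described in both questions on your own subordinate CA. It lists every CA certificate the CA holds (the original and each renewal, in the same index order that certutil -cainfo reports), shows their validity windows and CDP URLs, checks whether they share one public key, and then tests which of them an issued leaf certificate chains to by issuer name and Authority Key Identifier. It reads the standard AD CS registry locations and the machine Personal store, so it must run in an elevated session on the CA server; the leaf certificate path is a hypothetical example you should replace with an export of a SCEP-issued device certificate.

```powershell
# Added example, not from the original question or answer. Run elevated on the
# AD CS subordinate CA. $LeafPath is a hypothetical path to an issued (leaf)
# certificate exported from a device; replace it with a real export.
param(
    [string]$LeafPath = 'C:\temp\device1.cer'
)

# AD CS keeps the SHA-1 hash of every CA certificate the CA has ever had (the
# original plus each renewal) as a REG_MULTI_SZ under its CertSvc key. The
# position in that list is the "CA cert[n]" index shown by certutil -cainfo.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfg).Active
$hashes = @((Get-ItemProperty (Join-Path $cfg $caName)).CACertHash)

function Get-ExtText($cert, $oid) {
    # Human-readable rendering of one extension, '' if the cert lacks it.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { $ext.Format($false) } else { '' }
}

function Get-KeyId($text) {
    # Extract the hex key identifier from an AKI rendering such as "KeyID=aa bb ...".
    if ($text -match 'KeyID=([0-9a-fA-F ]+)') { ($Matches[1] -replace '\s', '').ToUpper() } else { '' }
}

$caCerts = for ($i = 0; $i -lt $hashes.Count; $i++) {
    $thumb = ($hashes[$i] -replace '\s', '').ToUpper()
    # The CA's own certificates live in the machine Personal store on the CA.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { Write-Warning "CA cert[$i] $thumb not found in Cert:\LocalMachine\My"; continue }
    $skiExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    $ski = (New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension($skiExt, $false)).SubjectKeyIdentifier
    # CDP URLs in the CA certificate itself point at the parent's (root) CRL;
    # this is the field the question says was changed in the renewed cert.
    $cdp = ([regex]::Matches((Get-ExtText $cert '2.5.29.31'), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }) -join ' '
    [pscustomobject]@{
        Index      = $i
        Thumbprint = $thumb
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        SKI        = $ski.ToUpper()
        PublicKey  = [Convert]::ToBase64String($cert.GetPublicKey())
        CDP        = $cdp
        Cert       = $cert
    }
}

$caCerts | Format-Table Index, NotBefore, NotAfter, SKI, CDP -AutoSize | Out-Host

# Renewal with the same key means every CA certificate carries the same public
# key and the same SKI, so a leaf's Authority Key Identifier alone cannot
# distinguish which CA certificate was in use when the leaf was issued.
$distinctKeys = @($caCerts.PublicKey | Sort-Object -Unique).Count
"CA certificates: $($caCerts.Count); distinct CA public keys: $distinctKeys"

if (Test-Path $LeafPath) {
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($LeafPath)
    $aki  = Get-KeyId (Get-ExtText $leaf '2.5.29.35')
    "Leaf: $($leaf.Subject)  AKI=$aki  Issuer=$($leaf.Issuer)"
    foreach ($c in $caCerts) {
        # A leaf chains to a CA certificate when the issuer DN equals the CA
        # certificate's subject and the leaf AKI equals its SKI. With a reused
        # key both renewals match, so the signature does not pin the leaf to
        # exactly one CA certificate; validity dates and CDP are what differ.
        $match = ($leaf.Issuer -eq $c.Cert.Subject) -and ($aki -eq $c.SKI)
        "  CA cert[$($c.Index)] valid $($c.NotBefore.ToShortDateString()) to $($c.NotAfter.ToShortDateString()): matches leaf = $match"
    }
} else {
    Write-Warning "Leaf certificate $LeafPath not found; skipping the chain check."
}
```

To cross-check the same facts with the built-in tooling, certutil -cainfo prints the CA certificate count and per-index status, certutil -ca.cert <OutFile> <Index> exports the certificate at a given index (useful when deciding exactly which CA certificate to upload to an MDM trust profile), and certutil -verify -urlfetch <LeafFile> shows which issuer certificate the chain engine actually selects for a leaf and which CDP URLs it fetches, which is the quickest way to see whether a decommissioned CDP path is still being referenced.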
