Setup an additional subCA with existing key

Butters101 21 Reputation points
2020-11-23T09:26:30.39+00:00

Hello everybody,

we have a two tier CA with an offline RootCA and two subordinate CAs (Lets call them Sub1 and Sub2). Now we would like to add an additional SubCA and then remove Sub1. What happens when I setup the new SubCA with the existing private from Sub1? Can the new SubCA confirm certificates issued by Sub1? Do the certificates issued by Sub1 remain valid when I remove Sub1? I am not sure in which cases should I choose new / existing key?

Thanks you for clarify

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,090 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,718 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vadims Podāns 8,866 Reputation points MVP
    2020-11-23T10:12:13.27+00:00

    What happens when I setup the new SubCA with the existing private from Sub1?

    this is not the right way to do things. If you want to retain the key, then you have to migrate existing CA with all the configuration and CA database to another box. Refer to this document on migration scenarios and migration steps: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn486797(v=ws.11)


0 additional answers

Sort by: Most helpful