New CA and renewal process for old certificates - do I need cross-certification?

Question

Hey Everyone,

One classic example, currently got 1 RootCA that is provides certificates. I am building new infrastructure with OfflineRoot, EnterpriseSubordinate and CRL server. Done some tests and what I am thinking of are user certificates, for instance EFS ones or s/mime. Neiher EFS or S/MIME if not used - just certiifcates are distributed.

I plan to install new PKI infra, renew certs for AD, websites etc. and decom the old RootCA.

Old EFS, S/MIME certificates will still be there on users PCs.

After the old EFS,s/mime certificates become unavailable - will users' PCs request new certificates from the new CA? I understand that if they have encrypted something they might not decrypt it without the old CA, but as mentioned noone use it.

My main concern is: after for instance the old EFS certs from old CA expire, PC will get the new Cert from the new CA or not? Maybe in this case I need to do this cross-certification?

J

Answer 1

Hi,
Welcome to share here!
If you want the PC/USERS request new certificates from the new CA automatically, you need to configure the GPOs to deploy it.
When there are available templates from the new CA ,they will connect the new CA.
At the same time ,the old PKI still works.
Once you make sure the new CA can work well , you can revoke the certificates from the old ca and decom the old CA
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/decommission-enterprise-certification-authority-and-remove-objects
Best Regards,

Answer 2

Hey @Anonymous - thank you.

This is what I was looking for, why I didn't think of setting the default CA for user with GPO/Intune...

Anyway, really appreciate, now I know what to do.