New CA and renewal process for old certificates - do I need cross-certification?

Pawel Jarosz 41 Reputation points

Hey Everyone,

One classic example, currently got 1 RootCA that is provides certificates. I am building new infrastructure with OfflineRoot, EnterpriseSubordinate and CRL server. Done some tests and what I am thinking of are user certificates, for instance EFS ones or s/mime. Neiher EFS or S/MIME if not used - just certiifcates are distributed.

I plan to install new PKI infra, renew certs for AD, websites etc. and decom the old RootCA.

Old EFS, S/MIME certificates will still be there on users PCs.

After the old EFS,s/mime certificates become unavailable - will users' PCs request new certificates from the new CA? I understand that if they have encrypted something they might not decrypt it without the old CA, but as mentioned noone use it.

My main concern is: after for instance the old EFS certs from old CA expire, PC will get the new Cert from the new CA or not? Maybe in this case I need to do this cross-certification?


Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,746 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Fan Fan 15,306 Reputation points Microsoft Vendor

    Welcome to share here!
    If you want the PC/USERS request new certificates from the new CA automatically, you need to configure the GPOs to deploy it.
    When there are available templates from the new CA ,they will connect the new CA.
    At the same time ,the old PKI still works.
    Once you make sure the new CA can work well , you can revoke the certificates from the old ca and decom the old CA
    Best Regards,

    1 person found this answer helpful.
    0 comments No comments

  2. Pawel Jarosz 41 Reputation points

    Hey @Fan Fan - thank you.

    This is what I was looking for, why I didn't think of setting the default CA for user with GPO/Intune...

    Anyway, really appreciate, now I know what to do.