Replacing CA without revoking certs to retain the trust of issued certs

Anonymous
2020-12-02T04:04:21.213+00:00

I'm planning to decommission a current Enterprise root CA (single tier) from my lab and add a new Enterprise Root CA (also a single tier).
If I was to decommission the existing CA but without revoking the issued certs, would the machines on the domain still trust the issued certs that were issued from that CA? It's a lab environment so I'm not too concerned about security.

TIA


Accepted answer
  1. Vadims Podāns 9,121 Reputation points MVP
    2020-12-02T07:54:57.197+00:00

    If I was to decommission the existing CA but without revoking the issued certs, would the machines on the domain still trust the issued certs that were issued from that CA?

    They will if you issue a long-valid CRL. Ideally, CRL validity should match or be greater than the CA certificate expiration time. In this case, clients will be OK using their CA even if it has already been decommissioned.

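The procedure the accepted answer describes, as an added PowerShell example that is not part of the thread: set the CA's base CRL period to outlast the CA certificate, publish a final CRL, and check that its NextUpdate does not end before the CA certificate does. It assumes the ADCS role is installed on the machine it runs on, certutil is available, and the default CertEnroll publish location is in use.

```powershell
# Added example, not from the thread: before decommissioning a single-tier Enterprise CA,
# publish a final CRL whose validity outlasts the CA certificate and verify the result.
# Run in an elevated PowerShell on the CA itself.
# Assumed: ADCS role installed, certutil on PATH, default CertEnroll publish location.

$ErrorActionPreference = 'Stop'

# ADCS records the active CA's name under the CertSvc service configuration key.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active

# The CA's own certificate (the one with a private key) is in the machine personal store.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$caName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "CA certificate for '$caName' not found" }

# CRL lifetime: remaining CA certificate lifetime rounded up to whole years, plus one.
$yearsLeft = ($caCert.NotAfter - (Get-Date)).TotalDays / 365.25
$crlYears  = [int][math]::Ceiling($yearsLeft) + 1
"CA certificate expires $($caCert.NotAfter); publishing a CRL valid for $crlYears years"

# Set the base CRL period and switch delta CRLs off: nobody will refresh them after the
# CA is gone, so clients must not be pointed at a delta CRL that will expire first.
certutil -setreg CA\CRLPeriodUnits $crlYears | Out-Null
certutil -setreg CA\CRLPeriod 'Years'          | Out-Null
certutil -setreg CA\CRLDeltaPeriodUnits 0      | Out-Null

# Registry changes take effect after a service restart; then publish a new base CRL.
Restart-Service CertSvc
certutil -CRL | Out-Null

# Verify: the published CRL's NextUpdate must not fall before the CA certificate's NotAfter.
# Default base CRL file name is <CA name>.crl in the CertEnroll folder.
$crlFile = Join-Path $env:windir "System32\CertSrv\CertEnroll\$caName.crl"
$dump    = certutil -dump $crlFile
$match   = $dump | Select-String 'NextUpdate:\s*(.+)'
$nextUpdate = [datetime]::Parse($match.Matches[0].Groups[1].Value.Trim())
if ($nextUpdate -lt $caCert.NotAfter) {
    throw "CRL NextUpdate ($nextUpdate) ends before the CA certificate ($($caCert.NotAfter))"
}
"OK: CRL valid until $nextUpdate, CA certificate valid until $($caCert.NotAfter)"
```

Keep a copy of the published .crl file (and the CA certificate) off the CA before removing the role, so the CRL can be republished to its CDP locations if one of them is ever lost.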

1 additional answer

  1. Anonymous
    2020-12-03T01:10:13.277+00:00

    Thanks, the CRL checking is disabled so it should be all good then.

