PKI: can a SubCA be signed by another RootCA than the original?

Question

PKI: can a SubCA be signed by another RootCA than the original?

KnowNothingThomas 21

Hi,

Can an existing Enterprise Subordinate CA be signed by a new Root CA? This SubCA will be revoked by the original Root, as it will no longer be part of the current hierarchy. Our client may want to have the SubCA continue running without having to build an entirely new hierarchy and issue all certificates again.

Accepted answer

0 additional answers

Your answer

Answer 1

Vadims Podāns 9,186 MVP

Yes, just renew your SubCA with new key pair and sign request by another Root CA. It is supported.

KnowNothingThomas 21 Reputation points

2020-12-11T11:36:05.207+00:00

Hi, thanks for the reply!

Are there things our client need to consider for the existing issued certificates to continue working? I mean these will chain back to the original root CA CRL, so they would be invalid if we are to revoke the subca? Only new issued certificates after the SubCA has been signed by the new root will work then, so they will still have to reissue the certificate that are in use today? Or?

Thanks!
Vadims Podāns 9,186 Reputation points MVP

2020-12-14T21:22:46.6+00:00

Previously issued certificates will chain to old root. If you revoke sub CA certificate that is signed by old root, only previously issued certificates will become invalid. Newly issued certificates (after sub CA renewal) will chain to new root and won't be affected by previous sub CA certificate revocation. The only important thing is that sub CA must be renewed with NEW KEY PAIR. You will be prompted during renewal whether to generate new key. Say YES to it. No exceptions.

Share via

PKI: can a SubCA be signed by another RootCA than the original?

0 additional answers

Your answer