Hi Marcosfds,
Thank you for posting in the Microsoft Community Forum.
In your scenario, renewing the certificates of the existing subordinate CAs instead of replacing them with new servers and certificates may have the following implications:
- **Complexity and Risk:** Renewing the certificates of the existing subordinate CAs may require some adjustments and changes to be made to the existing infrastructure, which could increase complexity and introduce some level of risk. Especially when synchronizing certificate chains between the offline root CA and other infrastructure, caution should be exercised to ensure the integrity and security of the certificate chain.
- **Certificate Chain Updates:** After renewing the certificates of the subordinate CAs, you will need to ensure that all relevant certificate chains are updated and correctly deployed in all systems relying on PKI services. This may involve installing new root and intermediate certificates on computers, servers, and mobile devices.
- **Risk of Business Interruption:** Updating certificate chains may potentially cause business interruptions in some systems. Therefore, it is advisable to conduct testing in a non-production environment before making any changes and ensure that appropriate rollback plans are in place to address any unexpected issues.
- **Mobile Device Management (MDM):** For devices managed using Mobile Device Management (MDM), you will need to ensure that updating the certificate chain does not impact device connectivity and access. Updating the root certificate in MDM configurations may be necessary to ensure continued connectivity to PKI services.
In summary, renewing the certificates of the existing subordinate CAs may introduce some complexity and risk. However, with careful execution, appropriate testing, and monitoring throughout the process, you should be able to successfully complete the update without significant impact on business operations.
Best regards,
Neuvi Jiang
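The testing and certificate-chain checks recommended in the answer above, written out as a PowerShell script for a non-production endpoint. This is an added example, not part of the original post and not Microsoft's own tooling: the file paths are placeholders, and it assumes the previous and the renewed subordinate CA certificates have been exported to .cer files and that the test machine receives its root and intermediate certificates through GPO or MDM.

```powershell
# Added example (not from the forum post): pre-cutover checks for a renewed
# subordinate CA certificate on a Windows test endpoint. Run elevated.
# Placeholder paths; adjust to where the certificates were exported.
param(
    [string]$OldCertPath     = 'C:\PKI\SubCA-old.cer',      # previous subordinate CA certificate
    [string]$RenewedCertPath = 'C:\PKI\SubCA-renewed.cer'   # renewed subordinate CA certificate
)

$X509 = 'System.Security.Cryptography.X509Certificates'

function Get-Ski {
    # Subject Key Identifier (hex string) of a certificate, or $null if the extension is absent.
    param($Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if (-not $ext) { return $null }
    $ski = New-Object "$X509.X509SubjectKeyIdentifierExtension" -ArgumentList $ext, $false
    return $ski.SubjectKeyIdentifier
}

function Test-ChainBuilds {
    # Builds the chain against this machine's trust stores and prints every element.
    # RevocationMode is NoCheck because the root is offline and its CRL may not be
    # published yet; switch to 'Online' once the CRL is at the CDP to confirm that
    # endpoints can actually fetch it.
    param($Cert)
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($Cert)
    foreach ($el in $chain.ChainElements) {
        Write-Host ('  {0,-55} expires {1:yyyy-MM-dd}' -f $el.Certificate.Subject, $el.Certificate.NotAfter)
    }
    if (-not $ok) {
        foreach ($s in $chain.ChainStatus) { Write-Warning ('{0}: {1}' -f $s.Status, $s.StatusInformation) }
    }
    return $ok
}

$old     = New-Object "$X509.X509Certificate2" -ArgumentList $OldCertPath
$renewed = New-Object "$X509.X509Certificate2" -ArgumentList $RenewedCertPath

# 1. Same key pair or new key pair? A renewal with the same key keeps the SKI, so
#    certificates already issued by this CA keep chaining through the renewed CA
#    certificate. A new key changes the SKI, so the old CA certificate must stay
#    deployed until the certificates it issued have expired.
$oldSki = Get-Ski $old
$newSki = Get-Ski $renewed
if ($oldSki -eq $newSki) {
    Write-Host "Renewed with the same key (SKI $newSki); existing issued certificates keep chaining."
} else {
    Write-Warning "Renewed with a NEW key (old SKI $oldSki, new SKI $newSki); keep the old CA certificate published until its issued certificates expire."
}

# 2. Has GPO/MDM already placed the renewed certificate in the Intermediate store?
$inCaStore = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Thumbprint -eq $renewed.Thumbprint }
if ($inCaStore) {
    Write-Host 'Renewed subordinate CA certificate is present in LocalMachine\CA.'
} else {
    Write-Warning 'Renewed subordinate CA certificate is NOT in LocalMachine\CA; publish it via GPO/MDM before cutover.'
}

# 3. Does the renewed certificate chain to a trusted root on this machine?
Write-Host 'Chain for the renewed subordinate CA certificate:'
if (Test-ChainBuilds $renewed) {
    Write-Host 'Chain to the root builds successfully on this endpoint.'
} else {
    Write-Warning 'Chain does NOT build; check root trust and the AIA/CDP locations before rolling out.'
}
```

Run the script on a representative domain-joined workstation and on an MDM-managed device before touching production: a warning from check 2 or 3 is the business-interruption case the answer warns about, caught while a rollback is still trivial, and check 1 tells you whether the old subordinate CA certificate has to stay in circulation alongside the renewed one.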