Hello Ramkumar,
Thank you for posting your question on the Microsoft Windows forum!
You can upgrade the root CA key from 2048 bits to 4096 bits by modifying the CAPolicy.inf file and updating the RenewalKeyLength parameter, without needing to completely rebuild the CA. However, there are some critical steps and limitations to be aware of.
1. Modify the CAPolicy.inf file
On the offline root CA, edit %SystemRoot%\CAPolicy.inf (create the file if it doesn’t exist):
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
; New key length
RenewalKeyLength=4096
; Optional: defines the renewal validity period unit
RenewalValidityPeriod=Years
; Optional: sets the new CA certificate validity (e.g., 10 years)
RenewalValidityPeriodUnits=10
You can learn more about these settings on the Microsoft site.
2. Then you can start the root certificate renewal process as shown in the image. Please note that the CA will use the newly created root certificate. So, if your internal CA is a standalone or offline CA, you would need to publish the newly created root certificate to the client root certificate store by running the certutil command.
certutil -f -dspublish <the path of CA certificate> RootCA
If your CA is an enterprise CA, then it will publish the root certificate automatically and you need to do nothing.
Hope the above information is helpful to you.
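As an added example (not part of the answer above), the following PowerShell script checks the steps described: that CAPolicy.inf requests a 4096-bit renewal key, that the newest CA certificate actually carries a 4096-bit RSA key, and whether that certificate is already in the local Root store. It assumes Windows PowerShell 5.1 on the CA host; the CA config string and export path are placeholders.

```powershell
# Added example, not from the original answer: post-renewal verification.
# Assumptions: run elevated on the CA host; $CaConfig is a placeholder for your
# "Host\CA name" string; the export file path is arbitrary.
$CaConfig  = 'ROOTCA01\Contoso Root CA'          # placeholder, adjust to your CA
$ExportCer = Join-Path $env:TEMP 'renewed-root.cer'

# 1. Confirm CAPolicy.inf asks for a 4096-bit key on renewal (last value wins).
$len = $null
foreach ($line in Get-Content "$env:SystemRoot\CAPolicy.inf" -ErrorAction Stop) {
    if ($line -match '^\s*RenewalKeyLength\s*=\s*(\d+)') { $len = [int]$Matches[1] }
}
if ($len -ne 4096) { Write-Warning "CAPolicy.inf RenewalKeyLength is '$len', expected 4096" }

# 2. Export the most recent CA certificate (no index = newest) and inspect it.
certutil -config $CaConfig -ca.cert $ExportCer | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExportCer
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa) { throw 'Newest CA certificate does not carry an RSA public key' }
"Subject    : $($cert.Subject)"
"Key size   : $($rsa.KeySize) bits"
"Signature  : $($cert.SignatureAlgorithm.FriendlyName)"
"Valid to   : $($cert.NotAfter)"
if ($rsa.KeySize -lt 4096) {
    Write-Warning 'Newest CA certificate is not 4096-bit; the renewal must generate a new key, not reuse the old one'
}

# 3. Check whether this exact certificate is already trusted on this machine.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($trusted) {
    'Renewed root certificate is present in the local Root store.'
} else {
    "Not in the Root store yet; for a standalone/offline CA publish it with: certutil -f -dspublish `"$ExportCer`" RootCA"
}
```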