Not Monitored
Tag not monitored by Microsoft.
36,243 questions
Renewing Intermediate CA certificate - PKI
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 1%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
TedBot
41
Reputation points
Hi Guys.. I am pretty new to PKI and we have an upcoming activity to renew Intermediate CA.
This is 3 tier PKI hierarchy -- Root(offline) -> Intermediate (offiline) CA -> Issuing (online) CAs
With regard to renew Intermediate CA (offline) certificate renewal - Once certificate renewed from RootCA (using new Key Pair) and installed on Intermediate CA --
New Cert/Cross Sign Certs
- Will this create cross-sign certificates(0-1, 1-0) as well in addition to the new cert under CertSrv >> CertEnroll folder ?
- if yes then do we need to publish the new Cert and these cross-sign certificate as well using "certutil -f -dspublish".
- or only copying the new Cert file to AIA/CDP will work --- how to deal with this cross-sign certificates .. are they also need to be copied to AIA/CDP publish locations
New CRL
- For new CRL, do this need to be published as well using "certutil -f -dspublish" or just coping to AIA/CDP publish location is required only.
- Coping the new CRL to AIA/CDP will replace the old CRL .. so will there be any impact ? as the existing certificate is still referring to the old CRL file ... how this going to work