Renewing Intermediate CA certificate - PKI

TedBot 41 Reputation points

Hi Guys.. I am pretty new to PKI and we have an upcoming activity to renew Intermediate CA.

This is 3 tier PKI hierarchy -- Root(offline) -> Intermediate (offiline) CA -> Issuing (online) CAs

With regard to renew Intermediate CA (offline) certificate renewal - Once certificate renewed from RootCA (using new Key Pair) and installed on Intermediate CA --

New Cert/Cross Sign Certs

  • Will this create cross-sign certificates(0-1, 1-0) as well in addition to the new cert under CertSrv >> CertEnroll folder ?
    • if yes then do we need to publish the new Cert and these cross-sign certificate as well using "certutil -f -dspublish".
    • or only copying the new Cert file to AIA/CDP will work --- how to deal with this cross-sign certificates .. are they also need to be copied to AIA/CDP publish locations


  • For new CRL, do this need to be published as well using "certutil -f -dspublish" or just coping to AIA/CDP publish location is required only.
  • Coping the new CRL to AIA/CDP will replace the old CRL .. so will there be any impact ? as the existing certificate is still referring to the old CRL file ... how this going to work
Not Monitored
Not Monitored
Tag not monitored by Microsoft.
36,975 questions
0 comments No comments
{count} votes