Hello @Thinker-3087,
Thank you for posting here.
New cert/cross cert
This will create cross-sign certificates on IntermediateCA under CertSrv >> CertEnroll folder.
You can copy or publish the renewed IntermediateCA certs based on the AIA locations.
For example:
If you configured LDAP location, you will need to publish the renewed IntermediateCA certs to the domain.
If you configured an HTTP location, you will need to copy the renewed IntermediateCA certs to the HTTP location.
New CRL
For the new CRL, does this need to be published as well using "certutil -f -dspublish", or is just copying it to the CDP publish location required?
A: Based on my experience, if the CRLs related to IntermediateCA are working fine (not expired), we do not need to publish them.
Copying the new CRL to the CDP will replace the old CRL, so will there be any impact, as the existing certificate is still referring to the old CRL file? How is this going to work?
A: There is no impact.
Here is a similar case for your reference.
cross signing certificates during offline root's renewal (what do I do with them?)
https://social.technet.microsoft.com/Forums/Azure/en-US/43daee14-4356-40c8-8858-583f27acc98f/cross-signing-certificates-during-offline-roots-renewal-what-do-i-do-with-them?forum=winserversecurity
Should you have any question or concern, please feel free to let us know.
Tip: Before making any change to the CA environment, please check the CA health first.
Best Regards,
Daisy Zhou