PolicyCA Certificate Chain

IronMerc 1 Reputation point
2021-04-08T06:42:58.24+00:00

If the PolicyCA certificate is renewed successfully and the subordinate CA certificate is still not yet renewed, will the certificate issued from IssCA chain up to the new PolicyCA, or will that server/client certificate show the old PolicyCA in the chain?

Until the SubCA certificate is renewed, how will the issued client/server certificate chain up to the new PolicyCA?


5 answers

  1. Vadims Podāns 9,036 Reputation points MVP
    2021-04-08T08:09:03.057+00:00

    You have to renew the issuing CA certificate, assuming that you renewed your policy CA with a new key pair. If you renewed the policy CA using the existing key pair, then you will get very inconsistent results. Some clients will switch to the new policy CA certificate only when the previous one expires; others will never switch to the new policy CA certificate. To get consistent and predictable results you must renew CAs only with a new key pair. Always.

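    Why the key pair matters comes down to how a chain engine locates an issuer: it matches the child certificate's Authority Key Identifier (AKI) against the Subject Key Identifier (SKI) of candidate CA certificates, and the SKI is derived from the CA's public key. The following Python model is an added example, not code from this thread or from Microsoft; the certificates, key identifiers and dates are constructed, and it deliberately models only the AKI/SKI lookup and time validity (real chain building also verifies signatures, names and policy). It shows the three situations discussed here: same-key renewal leaves two matching PolicyCA certificates and the result depends on the engine's tie-break; new-key renewal leaves existing IssCA-issued certificates chaining to the old PolicyCA until IssCA itself is renewed; and after IssCA is renewed under the new PolicyCA key, newly issued certificates chain to the new PolicyCA.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    ski: str          # Subject Key Identifier: derived from this cert's public key
    aki: str          # Authority Key Identifier: SKI of the key that signed this cert
    not_before: date
    not_after: date

    @property
    def self_signed(self) -> bool:
        return self.ski == self.aki


def build_chain(leaf: Cert, store: List[Cert], today: date) -> Tuple[List[Cert], bool]:
    """Walk from the leaf to a self-signed root by AKI -> SKI matching.

    Returns (chain, ambiguous). 'ambiguous' is True when some hop had more than
    one time-valid issuer candidate, i.e. the engine had to tie-break. This model
    prefers the newest NotBefore; real engines and their caches differ, which is
    why same-key renewal gives client-dependent results.
    """
    chain = [leaf]
    ambiguous = False
    current = leaf
    while not current.self_signed:
        cands = [c for c in store
                 if c.ski == current.aki and c.not_before <= today <= c.not_after]
        if not cands:
            raise ValueError(f"no valid issuer found for {current.subject}")
        if len(cands) > 1:
            ambiguous = True
        current = max(cands, key=lambda c: c.not_before)
        chain.append(current)
    return chain, ambiguous


# Constructed three-tier hierarchy: RootCA -> PolicyCA -> IssCA -> server01.
ROOT = Cert("RootCA", "ski-root", "ski-root", date(2015, 1, 1), date(2035, 1, 1))
POLICY_OLD = Cert("PolicyCA", "ski-policy-k1", "ski-root", date(2016, 1, 1), date(2026, 1, 1))
ISS_CA = Cert("IssCA", "ski-iss-k1", "ski-policy-k1", date(2018, 1, 1), date(2023, 1, 1))
LEAF = Cert("server01", "ski-leaf", "ski-iss-k1", date(2021, 4, 1), date(2022, 4, 1))
TODAY = date(2021, 4, 15)


def renew_policy_ca(new_key_pair: bool) -> Cert:
    """Renewed PolicyCA cert: same SKI if the key pair is reused, a new SKI otherwise."""
    ski = "ski-policy-k2" if new_key_pair else "ski-policy-k1"
    return Cert("PolicyCA", ski, "ski-root", date(2021, 4, 8), date(2031, 4, 8))


def describe(chain: List[Cert]) -> List[Tuple[str, str, str]]:
    return [(c.subject, c.ski, c.not_before.isoformat()) for c in chain]


def interim_chain(new_key_pair: bool):
    """Chain of an existing IssCA-issued cert after PolicyCA renewal, before IssCA is renewed."""
    store = [ROOT, POLICY_OLD, renew_policy_ca(new_key_pair), ISS_CA]
    chain, ambiguous = build_chain(LEAF, store, TODAY)
    return describe(chain), ambiguous


def after_issca_renewal():
    """IssCA renewed with a new key and signed by the new PolicyCA key: new leaves follow it."""
    policy_new = renew_policy_ca(new_key_pair=True)
    iss_new = Cert("IssCA", "ski-iss-k2", policy_new.ski, date(2021, 4, 20), date(2026, 4, 20))
    leaf_new = Cert("server02", "ski-leaf2", iss_new.ski, date(2021, 5, 1), date(2022, 5, 1))
    store = [ROOT, POLICY_OLD, policy_new, ISS_CA, iss_new]
    chain, ambiguous = build_chain(leaf_new, store, date(2021, 5, 2))
    return describe(chain), ambiguous


if __name__ == "__main__":
    for new_key in (False, True):
        print("PolicyCA renewed with new key pair:", new_key, interim_chain(new_key))
    print("After IssCA renewal:", after_issca_renewal())
```

    With `new_key_pair=False` the IssCA hop has two valid candidates with the same SKI, so the chain is flagged ambiguous and which PolicyCA certificate appears depends on the tie-break. With `new_key_pair=True` only the old PolicyCA matches IssCA's AKI, so existing certificates keep chaining to it; the new PolicyCA appears only in chains built from certificates issued under a renewed IssCA.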

  2. IronMerc 1 Reputation point
    2021-04-08T08:51:41.28+00:00

    Thanks Crypt32. Yes, the PolicyCA cert will be renewed with a new key pair. As there is a plan to renew the IssCA certificate after a few days, there is a concern about whether, in this interim period, the (server/client) certificate issued by IssCA shows the new PolicyCA in the chain or the old one (which is still valid though). And does the new PolicyCA cert need to be imported to non-AD-joined servers soon after to avoid any service interruption or outage?


  3. IronMerc 1 Reputation point
    2021-04-15T19:52:57.667+00:00

    • Renewed cert via GUI with new key pair
    • Copied the following files to the AD FS location (for CDP/AIA):

      CertEnroll\IntCA(1).crt
      CertEnroll\IntCA(1).crl

    • Published IntCA to AD FS:

      certutil -dspublish -f " - " SubCA

    PKIView is still showing the old certificate.

    What else is required here?


  4. Vadims Podāns 9,036 Reputation points MVP
    2021-04-15T19:59:40.303+00:00

    Find and revoke the most recent CA Exchange certificate and re-run PKIView.msc.


  5. IronMerc 1 Reputation point
    2021-04-16T04:37:28.303+00:00

    Found and revoked the CA Exchange cert -- the result is still the same.

    "CA Certificate", "AIA Location" and "CDP Location" are all three still not updating in PKIView.

    The certificate issued from IssCA shows the old IntCA in the chain -- this is expected until IssCA gets renewed, right?

    Have done all of the below -- anything missed? Also, as the new IntCA is not showing up in newly issued certificates at the moment, is there any other way to confirm that IntCA has been added correctly to the CA and that, once IssCA is renewed, the new cert will chain up to the new intermediate CA?

    • Renewed cert via GUI with new key pair
    • Copied the following files to the AD FS location (for CDP/AIA):

      CertEnroll\IntCA(1).crt
      CertEnroll\IntCA(1).crl

    • Published IntCA to AD FS:

      certutil -dspublish -f " - " SubCA
