You have to renew the issuing CA certificate, assuming that you renewed your policy CA with a new key pair. If you renewed the policy CA using the existing key pair, then you will get very inconsistent results. Some clients will switch to the new policy CA certificate only when the previous one expires, others will never switch to the new policy CA certificate. To get consistent and predictable results you must renew CAs only with a new key pair. Always.
PolicyCA Certificate Chain
If the PolicyCA certificate was renewed successfully and the subordinate CA certificate has not yet been renewed, will the certificates issued by IssCA chain up to the new PolicyCA, or will the server/client certificate show the old PolicyCA in its chain?
Until the SubCA certificate is renewed, how will the issued client/server certificates chain up to the new PolicyCA?
5 answers
IronMerc 1 Reputation point
2021-04-08T08:51:41.28+00:00 Thanks Crypt32 - Yes, the PolicyCA cert will be renewed with a new key pair. As there is a plan to renew the IssCA certificate after a few days, there is a concern about whether, in this interim period, the (server/client) certificates issued by IssCA show the new PolicyCA in the chain or the old one (which is still valid though). And does the new PolicyCA cert need to be imported to non-AD-joined servers soon after, to avoid any service interruption or outage?
IronMerc 1 Reputation point
2021-04-15T19:52:57.667+00:00
- Renewed cert via GUI with new key pair
- Copied the following files to AD FS location (for CDP/AIA)
  CertEnroll\IntCA(1).crt
  CertEnroll\IntCA(1).crl
- Published IntCA to AD FS
  certutil -dspublish -f " - " SubCA
- PKIView still showing the old certificate
What else is required here?
Vadims Podāns 9,036 Reputation points MVP
2021-04-15T19:59:40.303+00:00 Find and revoke the most recent CA Exchange certificate and re-run PKIView.msc.
IronMerc 1 Reputation point
2021-04-16T04:37:28.303+00:00 Found and revoked the CA Exchange cert -- still the same result.
"CA Certificate", "AIA Location" and "CDP Location" are all three still not updating in PKIView.
Certificates issued from IssCA show the old IntCA in the chain -- this is expected, right, until IssCA gets renewed?
Have done all of the below -- anything missed? Also, as the new IntCA is not showing up in newly issued certificates at the moment, is there any other way to confirm that IntCA was added correctly to the CA and that once IssCA is renewed the new cert will chain up to the new IntermediateCA?
- Renewed cert via GUI with new key pair
- Copied the following files to AD FS location (for CDP/AIA)
  CertEnroll\IntCA(1).crt
  CertEnroll\IntCA(1).crl
- Published IntCA to AD FS
  certutil -dspublish -f " - " SubCA
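The check asked for in the last comment (which intermediate certificate an issued certificate actually chains to, before and after the IssCA renewal) can be done from any Windows client by building the chain with .NET's X509Chain and comparing thumbprints against the renewed IntCA(1).crt. The script below is an added example, not code from the thread or from Microsoft; the two file paths are placeholders that you would replace with a certificate issued by IssCA and the renewed intermediate's .crt as copied to the CDP/AIA location.

```powershell
# Added example (not from the thread). Builds the chain for a leaf certificate issued
# by IssCA and reports whether it terminates in the renewed intermediate (new key pair)
# or in the previous intermediate certificate.

# Assumed placeholder paths, not taken from the thread:
$LeafPath   = 'C:\temp\issued-server.cer'          # any certificate issued by IssCA
$NewIntPath = '\\adfs01\CertEnroll\IntCA(1).crt'   # renewed policy/intermediate CA cert

$leaf   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafPath
$newInt = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $NewIntPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation is deliberately not checked here: the question is only which CA
# certificates end up in the chain, and CRL fetch failures would hide that answer.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($leaf)
Write-Host "Chain built successfully: $built"

# Print every element so the old/new CA certificates can be told apart by thumbprint.
$i = 0
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    $mark = if ($c.Thumbprint -eq $newInt.Thumbprint) { ' <== renewed intermediate' } else { '' }
    Write-Host ("[{0}] {1}" -f $i, $c.Subject)
    Write-Host ("     thumbprint {0}  valid to {1}{2}" -f $c.Thumbprint, $c.NotAfter, $mark)
    $i++
}

# The intermediate in use is the element whose Subject matches the renewed cert's Subject;
# a renewal keeps the Subject and changes the key, so only the thumbprint distinguishes them.
$usedInt = $chain.ChainElements |
    Where-Object { $_.Certificate.Subject -eq $newInt.Subject } |
    Select-Object -First 1

if ($null -eq $usedInt) {
    Write-Warning 'No chain element matches the intermediate subject; the chain could not be completed on this machine.'
} elseif ($usedInt.Certificate.Thumbprint -eq $newInt.Thumbprint) {
    Write-Host 'Leaf chains to the RENEWED intermediate certificate.'
} else {
    Write-Host 'Leaf still chains to the PREVIOUS intermediate certificate: the IssCA certificate was signed with the old key, so this is what clients will build until IssCA is renewed.'
}
```

Run it once now and again after the IssCA renewal: the same leaf issued before the renewal will keep chaining to the old intermediate, while certificates issued by the renewed IssCA should show the renewed intermediate's thumbprint in element 1.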