If the enterprise CA is renewed with a new key, can a client chain a previously issued cert up to the new enterprise CA cert?

Ming Cheung 421 Reputation points
2021-05-13T09:38:48.387+00:00

I checked and found it said that existing certs will not be affected until they expire, but I need more information about the details,
and I would like to understand the mechanism.

  1. Can a client chain a previously issued cert up to the new ent CA cert? If chaining is done by AKID to SKID, but the renewed CA's public key has changed, the signature can no longer be verified.
  2. That means a previously issued cert will no longer be valid once the previous ent CA cert expires, because it cannot chain up to the new ent CA cert.
    Thank you

Accepted answer
  1. Vadims Podāns 9,111 Reputation points MVP
    2021-05-13T19:15:32.19+00:00

    Can a client chain a previously issued cert up to the new ent CA cert?

    No, it can't. When you renew the CA with a new key pair, only one chain is possible.

    That means a previously issued cert will no longer be valid once the previous ent CA cert expires, because it cannot chain up to the new ent CA cert.

    That's correct. But since a CA NEVER issues a certificate whose validity period lies outside its own (CA) certificate's validity, it is guaranteed that any certificate signed by an expired CA certificate has itself naturally expired. This can be extrapolated to a rule: any certificate in a chain naturally expires before its issuer does. An intermediate CA, for example, naturally expires before the root CA does. And this rule applies to every element in the chain, regardless of its length.

    This is not always the case when the CA is renewed using the existing key pair (reuse keys). That allows the possibility of different chains with different weights, and a special algorithm must be used to select a single chain among all those available. These algorithms sometimes fail: they choose an expired chain instead of the valid one because of differences in the weights. This is why I never recommend renewing a CA with the existing key pair. It opens a possibility of ambiguity that is not always resolved properly. By generating a new key pair you get only a single chain, which is perfectly predictable and opens no ambiguity.
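The mechanism described in the accepted answer, reproduced with the OpenSSL command line as an added example (this is not code from the question or the answer, and Windows clients build chains with CryptoAPI rather than OpenSSL, but the AKID-to-SKID matching and the signature check it relies on are the same). A CA named Contoso Ent CA (a hypothetical name) issues a leaf certificate and is then renewed twice: once keeping its key pair and once with a fresh one. The leaf's AKID only matches the SKID of the same-key renewal, so only that renewal can verify it; and once both the original and the same-key renewal are trusted, the leaf has two candidate issuers with identical key identifiers, which is exactly the ambiguity the answer warns about. Requires the `openssl` CLI; all file and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Q&A. Shows why a leaf chains to a same-key CA
# renewal but not to a new-key renewal. Needs the openssl CLI (1.1.1 or 3.x).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ="/CN=Contoso Ent CA"   # hypothetical CA name; both renewals keep it

# Extension profiles: CA certs carry an SKID (hash of the public key), the
# leaf carries an AKID pointing at its issuer's key. Chain building matches
# AKID -> SKID, then checks the signature with the matched public key.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$WORK/ca.ext"
printf '%s\n' 'basicConstraints=CA:FALSE' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' > "$WORK/leaf.ext"

# Self-sign a CA certificate: $1 = private key, $2 = output cert, $3 = serial
self_sign_ca() {
    openssl req -new -key "$1" -subj "$SUBJ" -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$1" -days 730 \
        -set_serial "$3" -extfile "$WORK/ca.ext" -out "$2" 2>/dev/null
}

setup_pki() {
    # Original CA certificate (key A) and a leaf it issued.
    openssl genrsa -out "$WORK/keyA.pem" 2048 2>/dev/null
    self_sign_ca "$WORK/keyA.pem" "$WORK/ca_v0.pem" 1
    openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/leaf.key" -subj "/CN=host.contoso.example" \
        -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca_v0.pem" \
        -CAkey "$WORK/keyA.pem" -set_serial 1000 -days 30 \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
    # Renewal 1: same subject, same key A ("reuse existing key pair").
    self_sign_ca "$WORK/keyA.pem" "$WORK/ca_v1_samekey.pem" 2
    # Renewal 2: same subject, brand-new key B.
    openssl genrsa -out "$WORK/keyB.pem" 2048 2>/dev/null
    self_sign_ca "$WORK/keyB.pem" "$WORK/ca_v1_newkey.pem" 3
}

# Subject Key Identifier of a certificate (uppercase hex, colon separated).
skid() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Key Identifier/{getline; gsub(/ /,""); print; exit}'
}
# Authority Key Identifier a certificate points at (OpenSSL 1.1.1 prefixes
# it with "keyid:", 3.x does not; strip it so both compare equal).
akid() {
    openssl x509 -in "$1" -noout -text |
        awk '/Authority Key Identifier/{getline; gsub(/ /,""); sub(/^keyid:/,""); print; exit}'
}
# Build a chain for the leaf trusting only the CA cert(s) in $1: OK or FAIL.
verify_leaf() {
    if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

setup_pki
echo "leaf AKID             : $(akid "$WORK/leaf.pem")"
echo "original CA SKID      : $(skid "$WORK/ca_v0.pem")"     # equals leaf AKID
echo "same-key renewal SKID : $(skid "$WORK/ca_v1_samekey.pem")"  # same key, same SKID
echo "new-key renewal SKID  : $(skid "$WORK/ca_v1_newkey.pem")"   # different key, different SKID
echo "chain via same-key renewal : $(verify_leaf "$WORK/ca_v1_samekey.pem")"  # OK
echo "chain via new-key renewal  : $(verify_leaf "$WORK/ca_v1_newkey.pem")"   # FAIL
# Trusting old and renewed same-key certs together: two issuer candidates
# with one key identifier, so the chain builder has to pick between them.
cat "$WORK/ca_v0.pem" "$WORK/ca_v1_samekey.pem" > "$WORK/both.pem"
echo "chain with both same-key CA certs trusted: $(verify_leaf "$WORK/both.pem")"  # OK
```

The new-key renewal fails before any signature is checked: its SKID differs from the leaf's AKID, so it is never even selected as a candidate issuer. The same-key renewal has an identical SKID and the same public key, so the old signature verifies against it. The last line is the situation the answer describes: with the original and the renewed same-key certificates both present, the leaf has two valid issuer candidates and the client's chain-selection logic decides which one is used.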

