If an ent CA renews with a new key, does the client know to chain a previously issued cert up to the previous ent CA cert, and not to the latest CA cert?

Ming Cheung 421 Reputation points
2021-05-14T03:36:31.343+00:00

The client has the old ent CA cert (not expired yet) and the new ent CA cert (the latest).
So, when Win 10 checks a previously issued cert that was issued by the old ent CA cert, does it know to chain up with the old ent CA cert by SKID, rather than always choosing the latest CA cert?


2 answers

  1. Fan Fan 15,276 Reputation points Microsoft Vendor
    2021-05-14T04:52:10.593+00:00

    Hi,
    Based on my research, there are some differences between renewing a CA cert with a new key pair and renewing it with the existing key pair.

    When you renew a CA certificate with the existing key pair, nothing important in the certificate is changed. The certificate will contain the same public and private key. As a result, all previously issued certificates will chain up to the new CA cert without any changes.

    When you renew a CA certificate with a new key pair, certs previously issued under the old CA cert will chain up to the previous CA cert, and newly issued certs will chain up to the new CA cert, respectively.
    For more information, you can refer to the following link: https://www.sysadmins.lv/blog-en/root-ca-certificate-renewal.aspx
    This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.

    Best Regards,

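The behaviour described in this answer can be reproduced outside of Windows. The script below is an added example, not code from the thread or from Microsoft: it builds two self-signed CA certificates with the same subject name but different key pairs (the "renew with new key" case), issues one end-entity certificate under each, and then selects the issuer the way a chain engine does, by matching the leaf's Authority Key Identifier to a candidate's Subject Key Identifier and confirming the signature, rather than by subject name alone. The CA name, host names and validity dates are constructed sample values, and the `cryptography` package is assumed to be installed.

```python
"""Added example: issuer selection after a CA renewal with a NEW key pair.

Both CA certificates carry the same subject name; only the key pair (and so
the Subject Key Identifier) differs.  A leaf issued by the old key carries
the old CA's SKID in its Authority Key Identifier, so chain building picks
the old CA certificate even when a newer one with the same name is present.
"""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.exceptions import InvalidSignature

# Constructed sample CA name; it is deliberately identical for both CA certs.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Contoso Enterprise CA")])
NOT_BEFORE = datetime.datetime(2021, 5, 14)            # constructed validity window
NOT_AFTER = NOT_BEFORE + datetime.timedelta(days=3650)


def make_ca(key):
    """Self-signed CA cert whose SKID is derived from its own public key."""
    return (x509.CertificateBuilder()
            .subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))


def issue_leaf(ca_cert, ca_key, leaf_key, common_name):
    """End-entity cert; its AKID copies the issuing CA cert's SKID."""
    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject)
            .public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski), critical=False)
            .sign(ca_key, hashes.SHA256()))


def verify_signature(cert, issuer):
    """True if the issuer's public key validates cert's signature (RSA PKCS#1 v1.5)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def candidates_by_name(leaf, candidates):
    """Name-only matching: after a new-key renewal BOTH CA certs match, so this is ambiguous."""
    return [c for c in candidates if c.subject == leaf.issuer]


def select_issuer(leaf, candidates):
    """Chain-engine style selection: issuer name must match; if the leaf carries an
    AKID key identifier it must equal the candidate's SKID; the signature is then
    checked so a name/SKID coincidence can never produce a wrong chain."""
    try:
        akid = leaf.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    except x509.ExtensionNotFound:
        akid = None                      # no AKID: fall back to trying every name match
    for cand in candidates_by_name(leaf, candidates):
        skid = cand.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
        if akid is not None and skid != akid:
            continue
        if verify_signature(leaf, cand):
            return cand
    return None


def build_scenario():
    """Old CA, renewed CA (same name, new key), one leaf issued by each."""
    old_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    new_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    old_ca = make_ca(old_key)
    new_ca = make_ca(new_key)
    old_leaf = issue_leaf(old_ca, old_key, leaf_key, "workstation01.contoso.test")
    new_leaf = issue_leaf(new_ca, new_key, leaf_key, "workstation02.contoso.test")
    return old_ca, new_ca, old_leaf, new_leaf


if __name__ == "__main__":
    old_ca, new_ca, old_leaf, new_leaf = build_scenario()
    store = [new_ca, old_ca]             # newest CA cert listed first on purpose
    print("CA certs matching the old leaf by name:", len(candidates_by_name(old_leaf, store)))
    print("old leaf chains to the OLD CA cert:", select_issuer(old_leaf, store) is old_ca)
    print("new leaf chains to the NEW CA cert:", select_issuer(new_leaf, store) is new_ca)
    print("old leaf verifies under the new CA key:", verify_signature(old_leaf, new_ca))
```

Run it and the name-only lookup returns two candidates, while `select_issuer` returns the old CA certificate for the old leaf and the new one for the new leaf regardless of store order; the old leaf's signature does not verify under the renewed key, which is why a chain that ignored the AKID/SKID match would fail validation rather than silently succeed.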

  2. Vadims Podāns 8,856 Reputation points MVP
    2021-05-14T06:12:48.683+00:00

    does the client know to chain a previously issued cert up to the previous ent CA cert, and not to the latest CA cert?

    Why would the client want this? I already explained the difference between renewal types to you here.

    so, when Win 10 checks a previously issued cert that was issued by the old ent CA cert, does it know to chain up with the old ent CA cert by SKID, rather than always choosing the latest CA cert?

    Why? It makes zero sense.