This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 43%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
client have old ent ca cert(not expire yet), new ent ca cert (the latest)
so, when win 10 check the previous issued cert which issued by old ent ca cert, does it know to chain up with old ent ca cert by SKID? rather then always choose latest CA cert?
if renew with new key, then have old and new CA cert? how to chain up the previous issued cert? which one is the priority ? by SKID-AKID? latest CA cert?
by skid-akid will find the right one, by latest will wrong, but not always find the latest one?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,
Hi,
Based on my research, there will be some difference when renew CA cert with the new key pair and existing key pair.
When you renew CA certificate with existing key pair, nothing important in certificate is changed. The certificate will contain the same public and private key. As the result all previously issued certificates will chain up to new CA cert without any changes.
When you renew CA certificate with new key pair, previously issued certs by old CA cert will chain up to previous CA cert and newly issued certs will chain up to new CA cert respectively.
For more information, you can refer to the following link: https://www.sysadmins.lv/blog-en/root-ca-certificate-renewal.aspx
This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.
Best Regards,
does client know to chain up previous issued cert with previous ent CA cert, but not latest CA cert?
why client would want this? I already explained you the difference between renewal types here.
so, when win 10 check the previous issued cert which issued by old ent ca cert, does it know to chain up with old ent ca cert by SKID? rather then always choose latest CA cert?
why? It makes zero sense.
Hi Crypt32
thank you for the explain, but i still be confused about some details, let me conclude all mentions from you and FanFan
at the link
if-ent-ca-renew-with-new-key-does-client-can-chain.html
and this link
1 if renew with same key, since SKID no change, it will always work (FanFan part) until previous CA cert expire, Windows will select either one even expired ca cert, the problem will happen(Crypt32 part)
previously issued certificates will chain up to new CA cert without any changes. ) ,then windows may choose the latest CA cert because it has "version"
if renew with new key
1 previous cert will end as previous CA date, it is perfect(Crypt32 part)
2 previous cert can only chain up with previous CA, new cert can only chain up with new CA( FanFan's link), there are extra "CrossCA" cert must be deployed
Cross-certificates are used only for root CA renewals, they are not used for any intermediate CA renewal.
Hi,,
Would you please tell what did you want to do with your ROOT CA?
Build a new CA server or just renew the CA cert?
Best Regard,