Changing CDP/AIA locations of root CA

Bojan Zivkovic 441 Reputation points
2021-06-07T19:35:48.917+00:00

Hi, I have a 2-tier PKI in a test environment - one of the CDP/AIA locations (file locations) of the root CA is wrong, so I need to modify it. Does it mean I definitely have to issue a new certificate to the subordinate issuing CA containing updated extensions, and if so, what else do I need to do? What will happen with certificates already issued by the subordinate CA?


1 answer

  1. Fan Fan 15,326 Reputation points Microsoft Vendor
    2021-06-08T01:44:27.083+00:00

    Hi,
    Based on my understanding, we need to renew the subordinate issuing CA certificate so that it contains the updated extensions, since the old issuing CA certificate contains the old value for the CDP/AIA locations of the root CA.

    But the CDP/AIA locations of the issuing CA didn't change, so the certificates already issued by the subordinate CA don't have to be renewed.
    After changing the CDP/AIA locations of the root CA, renew the certificates for the issuing CA and watch closely for a period.

    Best Regards,

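One way to carry out and check the sequence described in the answer above, using the ADCSAdministration cmdlets and certutil. This is an added example, not part of the original thread; it assumes an offline standalone root CA, and every host name, URL and file name in it is a placeholder.

```powershell
# Added example. URLs, file names and the <...> Uri values below are placeholders.

# --- Root CA (elevated): inspect, then correct what it stamps into certificates it issues ---
Import-Module ADCSAdministration
Get-CACrlDistributionPoint       | Format-List *
Get-CAAuthorityInformationAccess | Format-List *

$wrongCdp = '<wrong CDP Uri exactly as listed above>'
$wrongAia = '<wrong AIA Uri exactly as listed above>'
# The <CAName>-style tokens are expanded by the CA itself, so keep the strings single-quoted.
$newCdp   = 'http://pki.example.test/pki/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$newAia   = 'http://pki.example.test/pki/<ServerDNSName>_<CAName><CertificateName>.crt'

Remove-CACrlDistributionPoint       -Uri $wrongCdp -Force
Add-CACrlDistributionPoint          -Uri $newCdp -AddToCertificateCdp -Force
Remove-CAAuthorityInformationAccess -Uri $wrongAia -Force
Add-CAAuthorityInformationAccess    -Uri $newAia -AddToCertificateAia -Force

Restart-Service certsvc   # the new extension settings apply after the service restarts
certutil -crl             # publish a fresh root CRL, then copy it and the root
                          # certificate to the location the new URLs point at

# --- Issuing CA: create a renewal request that keeps the existing key pair ---
certutil -renewCert ReuseKeys

# --- Root CA: issue the renewed subordinate certificate from that request ---
# If the request goes pending: certutil -resubmit <RequestId>, then
# certreq -retrieve <RequestId> .\IssuingCA.crt
certreq -submit .\IssuingCA.req .\IssuingCA.crt

# --- Issuing CA: install the renewed certificate and confirm its extensions ---
certutil -installCert .\IssuingCA.crt
Start-Service certsvc
certutil -dump .\IssuingCA.crt |
    Select-String -Context 0,6 'CRL Distribution Points|Authority Information Access'

# Fetch every CDP/AIA URL in the chain; run this for the renewed CA certificate
# and for a certificate the issuing CA had already issued before the change.
certutil -verify -urlfetch .\IssuingCA.crt
certutil -verify -urlfetch .\already-issued.cer
```

Because the renewal reuses the key pair, certificates issued earlier still chain through the renewed issuing CA certificate, which is what the second `-urlfetch` run confirms.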
