Question about Issuing CA Cert Renewal and manually requested Certs

IT Guy 101 Reputation points
2021-06-18T08:22:03.357+00:00

Hi,

I want to renew our Issuing CA's certificate (the 5-year lifecycle one).

The question I have is: if I renew the Issuing CA certificate with the existing key, will the existing issued certificates that were requested by admins using the CA Certsrv link get the new date, or will they expire on the date that was on the old CA certificate before renewal?

Basically, I just want to know what will happen to the old issued certs, since they were manually requested and not AD enrolled, so I can get the team to update them if needed when I renew the Issuing CA's certificate.

I am hoping that they will see the new Issuing cert and will then chain up to the new CA cert without any changes required or needing to re-request new certificates for the systems.


Accepted answer
  1. Anonymous
    2021-06-18T09:27:52.203+00:00

    Hi,
    Based on my understanding, if the Issuing CA cert was renewed with the existing key, the new CA cert's ValidFrom (NotBefore) field will contain the value from when the existing CA key pair was generated. All previously issued certificates will chain up to the new CA cert without any changes.
    But the validity period of the certs issued by the CA before will not change.

    We don't need to request a cert, but we need to renew them before they expire.
    You will need to renew them manually or configure them to renew automatically through GPO.
    https://www.sysadmins.lv/blog-en/root-ca-certificate-renewal.aspx
    This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.

    Best Regards,


1 additional answer

  1. Anonymous
    2021-06-23T07:50:28.167+00:00

    Hi,
    If the Issuing CA cert was renewed with the existing key, the new CA cert's ValidFrom (NotBefore) field will contain the value from when the existing CA key pair was generated.
    For example, my CA cert: valid from 5/15/2020 to 3/5/2031
    After I renew the cert with the existing key, the new CA cert is valid from 5/15/2020 to 6/23/2031

    All previously issued certificates and new certs will chain up to the new CA cert.
    We just replace the old CRT file in the AIA download locations.

    More detail about renewal with the existing key pair:
    https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx
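
The behaviour both answers describe, as an added example that is not part of either answer. It uses the Python `cryptography` package as a stand-in for AD CS and checks only the issuer name and signature, not full chain building. The names, the leaf dates and the self-signed CA are constructed for the demo (the CA dates follow the example above), and the renew-with-a-new-key case goes beyond what the thread covers.

```python
from datetime import datetime, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def make_cert(subject, issuer, public_key, signing_key, start, end, is_ca):
    return (x509.CertificateBuilder()
            .subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(end)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def issued_by(cert, ca_cert):
    """True if cert names ca_cert as its issuer and its signature verifies with ca_cert's key."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def expiry(cert):
    # not_valid_after_utc exists in cryptography >= 42; older releases only have not_valid_after
    if hasattr(cert, "not_valid_after_utc"):
        return cert.not_valid_after_utc
    return cert.not_valid_after.replace(tzinfo=timezone.utc)

def demo():
    ca = "Lab Issuing CA"  # constructed name; self-signed here to keep the demo short
    ca_key, new_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca_old = make_cert(ca, ca, ca_key.public_key(), ca_key, day(2020, 5, 15), day(2031, 3, 5), True)
    # Leaf issued before the renewal, signed with the CA key (constructed dates)
    leaf = make_cert("web01.lab.example", ca, leaf_key.public_key(), ca_key,
                     day(2021, 6, 1), day(2023, 6, 1), False)
    # Renewal with the existing key: same subject and key, later NotAfter
    ca_renewed = make_cert(ca, ca, ca_key.public_key(), ca_key, day(2020, 5, 15), day(2031, 6, 23), True)
    # Renewal with a new key pair, for contrast
    ca_rekeyed = make_cert(ca, ca, new_key.public_key(), new_key, day(2021, 6, 23), day(2031, 6, 23), True)
    return {"old": issued_by(leaf, ca_old), "same_key": issued_by(leaf, ca_renewed),
            "new_key": issued_by(leaf, ca_rekeyed),
            "leaf_expiry": expiry(leaf), "ca_expiry": expiry(ca_renewed)}
```

The leaf is never re-signed, so its own expiry stays at the date it was issued with even though it verifies against the renewed CA certificate.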

