This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 24%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hi,
We have some clients that run with Windows CE6 and connect to a radius server through the wifi. They have a root CA certificate that needs to be renewed. A new root certificate will be created with the same key and will be rolled out to the clients. Do we need to remove the old CA certificate from the clients, and only keep the new one? or we can keep both the old and new root ca certificate and Windows CE6 will use the new CA certificate, when the old one expires?
I would strongly recommend to not reuse the keys. For CA you should always generate new key pair when renewing. Otherwise you may experience side effects.
You can have multiple CA certificates. My recommendation is to keep old and new CA certs to support certs signed by both CAs. Once old CA certificate expires it is safe to remove.
Thanks for your answer. Which side effects we may experience, if we keep the same keys? We are only interested in extending the validity of the CA root certificate, so the clients can still authenticate to the radius server, after the validity of the old CA certificate expires.
We will renew the CA root certificate as described in this thread, using the same keys.
tasks-after-renewing-ca-certificate.html++
Can we keep the old certificate, after it expires and don't remove it?
Which side effects we may experience, if we keep the same keys?
when client picks expired root CA certificate although there is a newer one and fail validation. Client builds multiple chains during validation and then selects only one from a list of chains. Microsoft had issues with chain selection algorithm. This selection doesn't happen when you generate new key pair, because only one chain will be built.
We will renew the CA root certificate as described in this thread, using the same keys.
I still would not recommend this. Check this article for deeper details: https://www.sysadmins.lv/blog-en/root-ca-certificate-renewal.aspx
Hello Techzner,
Normally only one valid certificate with same key will be accepted, so there is no need to delete the old one. However, we are talking about Windows CE 6.0 mainstream support ended in 2013 and completely out of support since 2018, so I can't guarantee that it will behave like modern systems.
Just to avoid surprises I would delete the old certificate.
--If the reply is helpful, please Upvote and Accept as answer--