Does the old CA certificate need to be deleted from the client when it is renewed with the same key?

Techzner 1 Reputation point

We have some clients that run Windows CE6 and connect to a RADIUS server over Wi-Fi. They have a root CA certificate that needs to be renewed. A new root certificate will be created with the same key and will be rolled out to the clients. Do we need to remove the old CA certificate from the clients and keep only the new one? Or can we keep both the old and the new root CA certificate, and will Windows CE6 use the new CA certificate when the old one expires?


3 answers

  1. Vadims Podāns 8,866 Reputation points MVP

    I would strongly recommend not reusing the keys. For a CA you should always generate a new key pair when renewing. Otherwise you may experience side effects.

    You can have multiple CA certificates. My recommendation is to keep old and new CA certs to support certs signed by both CAs. Once old CA certificate expires it is safe to remove.

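The situation this answer describes (an old and a renewed root with the same key sitting in one client store), as an added example that is not part of the thread: it uses openssl to renew a demo root CA certificate with the same key pair and then checks which trust stores still validate a RADIUS-server certificate issued under the old root, both now and after the old root has expired. It assumes openssl 1.1.1 or 3.x is installed; the names demo-root and radius.example are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: renew a root CA certificate with the SAME
# key pair and check how a RADIUS-server certificate issued under the old root
# validates against the old root, the new root, and a store that holds both.
# The names demo-root and radius.example are constructed for this demo.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Minimal req config so the result does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Original root: one key pair, a certificate that expires in 30 days (the old root).
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -x509 -new -key root.key -config ca.cnf -days 30 -out root-old.pem 2>/dev/null

# 2. Renewed root: same key and subject, new 10-year validity (what the asker plans).
openssl req -x509 -new -key root.key -config ca.cnf -days 3650 -out root-new.pem 2>/dev/null

# 3. Server certificate issued and signed by the OLD root, valid for one year.
openssl genrsa -out radius.key 2048 2>/dev/null
openssl req -new -key radius.key -config ca.cnf -subj "/CN=radius.example" -out radius.csr 2>/dev/null
openssl x509 -req -in radius.csr -CA root-old.pem -CAkey root.key -CAcreateserial \
    -days 365 -out radius.pem 2>/dev/null
cat root-old.pem root-new.pem > root-both.pem   # a client store holding both roots

# Validate radius.pem against a trust store, either now or 60 days from now
# (after the old root has expired but while the server certificate is still valid).
LATER=$(( $(date +%s) + 60 * 86400 ))
verify_now()   { openssl verify -CAfile "$1" radius.pem >/dev/null 2>&1 && echo ok || echo fail; }
verify_later() { openssl verify -attime "$LATER" -CAfile "$1" radius.pem >/dev/null 2>&1 && echo ok || echo fail; }

for store in root-old.pem root-new.pem root-both.pem; do
    echo "$store: now=$(verify_now "$store") after-old-root-expiry=$(verify_later "$store")"
done
```

Because subject and key are unchanged, the certificate signed by the old root also chains to the new root alone, and a store holding both keeps validating after the old root expires; only the store with nothing but the expired root fails.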

  2. Techzner 1 Reputation point

    Thanks for your answer. Which side effects may we experience if we keep the same keys? We are only interested in extending the validity of the root CA certificate, so the clients can still authenticate to the RADIUS server after the old CA certificate expires.
    We will renew the root CA certificate as described in this thread, using the same keys.
    Can we keep the old certificate after it expires, and not remove it?

  3. Limitless Technology 39,331 Reputation points

    Hello Techzner,

    Normally only one valid certificate with the same key will be accepted, so there is no need to delete the old one. However, we are talking about Windows CE 6.0, whose mainstream support ended in 2013 and which has been completely out of support since 2018, so I can't guarantee that it will behave like modern systems.

    Just to avoid surprises I would delete the old certificate.

    --If the reply is helpful, please Upvote and Accept as answer--