Renewing Certification Authorities

If a CA's certificate expires, the CA can no longer provide certificate services. Before the CA certificate expires, you can use the Certification Authority console to renew the CA to provide uninterrupted certificate services. The interval that is required for CA renewal depends on the certificate life cycle that you designed for the public key infrastructure.

After you renew a CA, the CA continues to issue certificates by using the new CA certificate, and the cycle starts over. The prerenewal CA certificate remains trusted, so nonexpired certificates that were issued by the prerenewal CA continue to be trusted until they expire or are revoked.

You have the option of renewing the CA certificate by using the existing key set of the prerenewal CA certificate. However, the longer a key set is in use, the greater the risk that the key set might be compromised. The risk of longer key lifetimes involves many complex factors, including key length and protection from attacks. For more information about risk factors for cryptographic keys, see "Cryptography for Network and Information Security" in this book.

To use the Certification Authority console to renew a CA certificate

  1. Select the CA node, and then click Action. Then click All Tasks and Stop Service to stop the CA. If you skip this step, you are later prompted to stop the CA.

  2. Click Action, and then click All Tasks and Renew CA Certificate.
    The Renew CA Certificate dialog box appears.

  3. Click Yes to generate a new key set, or click No to reuse the old key set. Then click OK.
    For root CAs, the certificate is renewed and no further action is required. For subordinate CAs, the Complete this CA Installation dialog box appears.

  4. Type the domain name of the server for the parent CA in the Computer Name box, or click Browse to select the server.
    The ParentCA box displays the name of the CA that is running on the server computer that you have selected.

  5. Click OK.
    The renewal request is sent to the parent CA to process. When the parent CA issues the new certificate, the CA certificate of the child CA is renewed.

Root CA certificates are renewed with the same lifetime as the original certificate. Subordinate CA certificates are renewed with the lifetime that is determined by the parent CA.
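Because a renewed CA keeps its prerenewal certificate trusted, and because step 3 lets you keep the old key set, a CA server accumulates several versions of its own certificate over time, and the age of the key pair can be much greater than the age of the current certificate. The following PowerShell audit script is an added example, not part of the Resource Kit text or of the Certification Authority console: run on the CA server, it lists each version of the CA's certificate, reports the days remaining before expiry so that renewal can be scheduled ahead of the lifetime described above, and flags renewals that reused the previous key pair together with the total time that key has been in service. It assumes the CA's certificates are in the local machine Personal store (`Cert:\LocalMachine\My`), that you have read access to that store, and that the CA name filter and warning threshold are supplied by the caller; the subject name in the comment is a hypothetical placeholder.

```powershell
# Added CA certificate audit (example code, not from the original page).
# Assumptions: runs locally on the CA with read access to Cert:\LocalMachine\My;
# all versions of a CA's certificate (prerenewal and renewed) share one Subject.
param(
    [string]$CaSubjectFilter = '*',   # e.g. 'CN=Example Root CA*' (hypothetical name)
    [int]$WarnDays = 90               # warn when fewer than this many days remain
)

function Get-PublicKeyFingerprint {
    # SHA-256 over the encoded SubjectPublicKey; equal values mean the same key pair
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash($Cert.PublicKey.EncodedKeyValue.RawData)
    } finally {
        $sha.Dispose()
    }
    ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

function Test-IsCaCertificate {
    # A CA certificate carries a Basic Constraints extension with cA = TRUE
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            return $ext.CertificateAuthority
        }
    }
    return $false
}

$now = Get-Date
$caCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Test-IsCaCertificate $_) -and ($_.Subject -like $CaSubjectFilter) }

# Group the certificate versions of each CA by Subject, oldest version first
$report = foreach ($group in ($caCerts | Group-Object Subject)) {
    $versions = $group.Group | Sort-Object NotBefore
    $seenKeys = @{}   # key fingerprint -> NotBefore of the first certificate that used it
    foreach ($c in $versions) {
        $fp = Get-PublicKeyFingerprint $c
        if (-not $seenKeys.ContainsKey($fp)) { $seenKeys[$fp] = $c.NotBefore }
        $daysLeft = [int]($c.NotAfter - $now).TotalDays
        [pscustomobject]@{
            Subject    = $group.Name
            Thumbprint = $c.Thumbprint
            NotBefore  = $c.NotBefore
            NotAfter   = $c.NotAfter
            DaysLeft   = $daysLeft
            Status     = if ($daysLeft -lt 0) { 'EXPIRED' }
                         elseif ($daysLeft -lt $WarnDays) { 'RENEW SOON' }
                         else { 'OK' }
            # True when an earlier version of this CA certificate already used this key pair
            KeyReused  = ($seenKeys[$fp] -lt $c.NotBefore)
            # Total time the key pair has been in service across all certificate versions
            KeyAgeDays = [int]($now - $seenKeys[$fp]).TotalDays
        }
    }
}

$report | Sort-Object Subject, NotBefore | Format-Table -AutoSize
```

A row marked RENEW SOON is the trigger to run the console procedure above before the lifetime runs out; KeyAgeDays is the number to weigh against the key-reuse risk discussed earlier when deciding whether to answer Yes (new key set) or No (reuse the old key set) in step 3. Because the prerenewal certificate stays trusted, older versions are expected in the store and are not by themselves a problem; an EXPIRED version whose issued certificates have all expired can be retired.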