Renewing CA certificate - PKI

TedBot 41 Reputation points
2021-02-28T10:14:47.997+00:00

In a 3-tier PKI hierarchy, to renew the IntCA cert:

New Cert/Cross Cert

Will this create cross-sign certificates (0-1, 1-0) for SubCA, in addition to the new cert on IntermediateCA under the CertSrv >> CertEnroll folder?

  • If yes, then does this need to be published with "certutil -f -dspublish" for the new cert and the cross-sign certificate?

New CRL

For the new CRL, does this need to be published?

Will copying the new CRL to the CDP replace the old CRL, as the existing certificate is still referring to the old CRL file ...?


Accepted answer
  1. Vadims Podāns 9,036 Reputation points MVP
    2021-03-02T07:41:41.477+00:00

    The IntCA(1).CRT file needs to be copied to the AIA location (AD share location, configured for http/ldap)
    The IntCA(1).CRL file needs to be copied to the CDP location (AD share location, configured for http/ldap)

    Yes, they should be copied if not present already.

    what if I rename the existing "IntCA.CRL_old.crl" - will this work as the new CRL is in the container now ..?

    You must not rename the CRL. The CA will automatically put the proper name in the CRL file name.

    I don't understand why the other 2 old CRLs keep updating

    The CA maintains CRLs for every one of its signing key pairs, even if they are expired.


5 additional answers

  1. TedBot 41 Reputation points
    2021-03-10T08:57:41.33+00:00

    Once the IntCA certificate is renewed, until it's been copied to AIA (HTTP, LDAP), will IssCA still refer to the old IntCA certificate to build the chain of trust?

    • Does the new Intermediate certificate need to be pushed to 3rd-party devices as well??

  2. TedBot 41 Reputation points
    2021-03-03T08:40:14.377+00:00

    Thanks Crypt32 & DaisyZhou

    There is one AD shared location for all CDPs (LDAP/HTTP) - offline/online CAs.

    When the certificate is renewed, it will then create a new CRL (IntCA1.CRL) for the new RSA pair, so:

    • Paste IntCA1.CRL to the AD location and rename/remove the existing "IntCA.CRL",

    or

    • Paste IntCA1.CRL to the AD location only and keep IntCA.CRL as well, as it is not expired yet and old certs still refer to this CRL,

    or

    • Leave it for now and replace IntCA1.CRL with IntCA.CRL in the AD location when it's about to expire.

  3. TedBot 41 Reputation points
    2021-03-01T23:10:28.59+00:00

    Thanks guys - so just to confirm ... cross-sign certificates will not be generated for IntCA .. right??

    Renew the certificate from RootCA - once it is installed on IntCA, it will create 2 new files (IntCA(1).CRT & IntCA(1).CRL) under the CertSrv >> CertEnroll folder

    The IntCA(1).CRT file needs to be copied to the AIA location (AD share location, configured for http/ldap)
    The IntCA(1).CRL file needs to be copied to the CDP location (AD share location, configured for http/ldap)

    On the CDP location there will now be 2 CRL files (IntCA.CRL & IntCA1.CRL) - how does the CA extension select or refer to the correct file, as there are now 2 CRLs in the CDP container <CaName><CRLNameSuffix>.CRL -- what if I rename the existing "IntCA.CRL_old.crl" - will this work as the new CRL is in the container now ..?

    I found there are now 3 CRL files (IssCA, IssCA1, IssCA2) and all of them update/publish every week ... Is this expected, as 2 old CRLs keep updating .. in the CertEnroll folder and the CDP shared folder ..?

    (There is a shared location for ldap/http - will copying the files there work ??? as copying the CRL to this shared location updates the CDP location.)


  4. Vadims Podāns 9,036 Reputation points MVP
    2021-03-01T07:18:10.197+00:00

    Will this create cross-sign certificates (0-1, 1-0) for SubCA

    No, it won't. Cross-certificates are created only during Root CA renewal with a new key pair. For intermediate CA certificates, cross-certificates are not generated. You only need to copy the new CA certificate to the AIA location.

    For the new CRL, does this need to be published as well using "certutil -f -dspublish", or is just copying to the AIA/CDP publish location required?

    The CA will automatically publish the new CRL when needed and copy it to the CDP locations.

    Copying the new CRL to AIA/CDP will replace the old CRL

    It shouldn't. A new, separate CRL is generated instead. Eventually, you get two separate CRLs, one for each CA signing key.

    as the existing certificate is still referring to the old CRL file ... how is this going to work?

    Yes, that's how things work. Old certificates will refer to the CRL signed using the old CA key, and new certificates will refer to the new CRL signed using the new CA key.

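As an added illustration (not code from this thread or from the Windows CA), the following Python model, built on the `cryptography` library, shows what the accepted answer and the last answer describe: one "IntCA" name with two signing keys after renewal, one CRL per key, and end-entity certificates whose AKI and CDP URL identify the key that signed them, so old certificates land on the old key's CRL and new certificates on the new key's CRL. The CA name, CDP URLs and keys are constructed stand-ins.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# Constructed stand-ins: the CA name "IntCA" survives renewal, only the signing key changes.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "IntCA")])
NOW = datetime.datetime(2021, 3, 1, tzinfo=datetime.timezone.utc)

def ca_cert(key):
    """Self-signed stand-in for the IntCA certificate bound to one signing key."""
    return (x509.CertificateBuilder().subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=3650))
            .sign(key, hashes.SHA256()))

def issue_leaf(ca, ca_key, crl_url):
    """End-entity cert: its AKI and CDP URL are stamped for the key that signs it."""
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier(crl_url)], None, None, None)])
    return (x509.CertificateBuilder().issuer_name(CA_NAME)
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "host1")]))
            .public_key(rsa.generate_private_key(65537, 2048).public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca.public_key()), critical=False)
            .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))

def publish_crl(ca, ca_key):
    """One CRL per signing key: the CA keeps issuing one for the old key and one for the new."""
    aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(ca.public_key())
    return (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME).add_extension(aki, critical=False)
            .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)).sign(ca_key, hashes.SHA256()))

def select_crl(leaf, published):
    """Index into (ca_cert, crl) pairs of the CRL carrying the leaf's AKI that verifies under that CA key."""
    aki = leaf.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_KEY_IDENTIFIER).value
    for i, (ca, crl) in enumerate(published):
        crl_aki = crl.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_KEY_IDENTIFIER).value
        if crl_aki.key_identifier == aki.key_identifier and crl.is_signature_valid(ca.public_key()):
            return i  # the old key's CRL for old certs, the new key's CRL for new certs

# Thread scenario: IntCA renewed with a new key pair, so IntCA.crl and IntCA(1).crl coexist on the CDP.
old_key, new_key = rsa.generate_private_key(65537, 2048), rsa.generate_private_key(65537, 2048)
old_ca, new_ca = ca_cert(old_key), ca_cert(new_key)
PUBLISHED = [(old_ca, publish_crl(old_ca, old_key)), (new_ca, publish_crl(new_ca, new_key))]
OLD_LEAF = issue_leaf(old_ca, old_key, "http://pki.example.test/IntCA.crl")  # constructed URLs
NEW_LEAF = issue_leaf(new_ca, new_key, "http://pki.example.test/IntCA(1).crl")
```

Renaming or deleting the old key's CRL would leave every certificate issued under the old key with no CRL that matches its AKI, which is why the accepted answer says not to touch the file names.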