This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 1%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
In 3 tier PKI hierarchy to renew IntCA cert
New CeRT/CrOSS CeRT
Will this create cross-sign certificates(0-1, 1-0) for SubCA, in addition to the new cert on IntermediateCA under CertSrv >> CertEnroll folder ?
New CRL
For new CRL, do this need to be published
Coping the new CRL to CDP will replace the old CRL ? as the existing certificate is still referring to the old CRL file ...
IntCA(1).CRT file need to be copied to AIA location (AD share location - configured for http/ldap)
IntCA(1).CRL file need to be copied to CDP location (AD share location - configured for http/ldap)
yes, they should be copied if not presented already.
what if I rename the existing"IntCA.CRL_old.crl" - will this work as new CRL is in the containor now ..?
you must not rename CRL. CA will automatically put proper name in CRL file name.
I don't understand why other 2 old CRLs keep updating
CA maintain CRLs for every its signing key pair even if they are expired.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Thinker-3087,
Thank you for posting here.
New CeRT/CrOSS CeRT
This will create cross-sign certificates on IntermediateCA under CertSrv >> CertEnroll folder.
You can copy or publish the renewed IntermediateCA certs based on the AIA locations.
For example:
If you configured LDAP location, you will need to publish the renewed IntermediateCA certs to the domain.
If you configured Http location, you will need to copy the renewed IntermediateCA certs to the http location.
New CRL
For new CRL, do this need to be published as well using "certutil -f -dspublish" or just coping to CDP publish location is required only.
A: Based on my experience, if the CRLs related to IntermediateCA are working fine (not expired), we do not need to publish them.
Coping the new CRL to CDP will replace the old CRL .. so will there be any impact ? as the existing certificate is still referring to the old CRL file ... how this going to work
A: There is no impact.
Here is a similar case for your reference.
cross signing certificates during offline root's renewal (what do I do with them?)
https://social.technet.microsoft.com/Forums/Azure/en-US/43daee14-4356-40c8-8858-583f27acc98f/cross-signing-certificates-during-offline-roots-renewal-what-do-i-do-with-them?forum=winserversecurity
Should you have any question or concern, please feel free to let us know.
Tip: Before making and change to CA environment, please check CA health first.
Best Regards,
Daisy Zhou
Will this create cross-sign certificates(0-1, 1-0) for SubCA
no, it won't. Cross-certificates are created only during Root CA renewal with new key pair. For intermediate CA certificates cross-certificates are not generated. You only need to copy new CA certificate to AIA location.
For new CRL, do this need to be published as well using "certutil -f -dspublish" or just coping to AIA/CDP publish location is required only.
CA will automatically publish new CRL when needed and copy it to CDP locations.
Coping the new CRL to AIA/CDP will replace the old CRL
It shouldn't. A new separate CRL is generated instead. Eventually, you get two separate CRLs for each CA signing key.
as the existing certificate is still referring to the old CRL file ... how this going to work
yes, that's how things work. Old certificates will refer to CRL signed using old CA key and new certificates will refer to new CRL signed using new CA key.
Thanks guys - so just to confirm ... cross-sign certificates will not generate for InTCA .. right ??
Renew Certificate from RootCA - Once installed it on IntCA, it will create 2 new files (IntCA(1).CRT & IntCA(1).CRL) under CertSrv >> CertEnroll folder
IntCA(1).CRT file need to be copied to AIA location (AD share location - configured for http/ldap)
IntCA(1).CRL file need to be copied to CDP location (AD share location - configured for http/ldap)
On CDP location, there will be now 2 CRL files (IntCA.CRL & IntCA1.CRL) - how CA extentsion select or refer to the correct file as there are now 2 CRLs in CDP Container <CaName><CRLNameSuffix>.CRL -- what if I rename the existing"IntCA.CRL_old.crl" - will this work as new CRL is in the container now ..?
I found there are now 3 (IssCA, IssCA1, IssCA2) CRLs files and all of them update/publish every week ... Is this expected as 2 old CRLs keep updating .. in CERTENrol folder and CDP Shared folder ..?
(there is shared location for ldap/http - should copying the files there ..will work ??? as CRL coping to this shared location update CDP location
Thanks Crypt32 & DaisyZhou
There is one AD shared location for all CDP (LDAP/HTTP) - offline/online CAs.
When certificate will renew it then create new CRL(IntCA1.CRL) for new RSA Pair -- so
or
or
When certificate renewed it will now create new CRL(IntCA1.CRL) for new RSA Pair -- so when we now copy this (IntCA1.CRL) to AD Location - so should we follow the same
Copy BOTH CLRs and do nothing with their names.