$$ANON_USER$$ asked $$ANON_USER$$ commented

Replacing CA without revoking certs to retain the trust of issued certs

I'm planning to decommission a current Enterprise root CA (single tier) from my lab and add a new Enterprise Root CA (also a single tier).
If I was to decommission the existing CA but without revoking the issued certs, would the machines on the domain still trust the issued certs that were issued from that CA? It's a lab env't so I'm not too concerned about security.

TIA

windows-server-security
Crypt32 answered

If I was to decommission the existing CA but without revoking the issued certs, would the machines on the domain still trust the issued certs that were issued from that CA?

They will if you issue a long-valid CRL. Ideally, CRL validity should match or exceed the CA certificate expiration time. In this case, clients will be OK using their CA even if it is already decommissioned.

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.
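The procedure Crypt32 describes, as an added example that is not part of the thread: on the CA that is about to be decommissioned, lengthen the base CRL period, publish a fresh CRL, and then check that the CRL's NextUpdate reaches at least the CA certificate's NotAfter. It assumes an elevated PowerShell session on the CA host itself; the 20-year validity, the working directory and the leaf certificate path are placeholders.

```powershell
# Added example (not from the thread): publish a long-lived CRL before decommissioning
# an AD CS root CA and verify it outlives the CA certificate.
# Assumptions: run elevated on the CA host; $crlYears and $workDir are placeholders.

$workDir  = Join-Path $env:TEMP 'ca-decom'
$crlYears = 20   # placeholder: choose a value that reaches past the CA cert expiry
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Export the CA certificate and read its expiry.
$caCerPath = Join-Path $workDir 'ca.cer'
certutil -ca.cert $caCerPath | Out-Null
$caCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCerPath
$caExpiry = $caCert.NotAfter
"CA certificate '{0}' expires {1:u}" -f $caCert.Subject, $caExpiry

# 2. Lengthen the base CRL period and switch delta CRLs off: a delta CRL would
#    expire long before the base CRL, and clients that find one will use it.
certutil -setreg CA\CRLPeriodUnits $crlYears
certutil -setreg CA\CRLPeriod "Years"
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service certsvc   # registry changes take effect after a service restart

# 3. Publish a fresh CRL to every CDP configured for publication (file, LDAP, HTTP).
certutil -CRL

# 4. Locate the newly written base CRL and parse NextUpdate from certutil -dump.
$crlFile = Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" |
           Where-Object { $_.Name -notmatch '\+\.crl$' } |   # delta CRLs are named "<name>+.crl"
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
$dump           = certutil -dump $crlFile.FullName
$nextUpdateLine = $dump | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
# certutil prints the date in the local culture's format; Parse follows the same culture.
$nextUpdate = [datetime]::Parse($nextUpdateLine.Matches[0].Groups[1].Value)
"CRL {0} NextUpdate {1:u}" -f $crlFile.Name, $nextUpdate

# 5. The check from the answer: CRL validity must reach the CA certificate expiry.
if ($nextUpdate -ge $caExpiry) {
    "OK: CRL outlives the CA certificate; clients can keep validating issued certs."
} else {
    "WARNING: CRL expires {0:u}, before the CA cert ({1:u}); raise CRLPeriodUnits and republish." -f $nextUpdate, $caExpiry
}

# 6. Client-side proof on any domain member: fetch the chain and the CRL from the
#    URLs embedded in an issued certificate (replace the path with a real leaf cert).
# certutil -verify -urlfetch C:\path\to\issued-leaf.cer
```

Two points to keep in mind when following this. The CRL is only useful if the CDP URLs inside the already-issued certificates stay reachable after the CA is gone, so leave the LDAP CDP object in Active Directory in place (or keep the HTTP CDP hosted) rather than letting the CA uninstall remove it. And a CRL valid for decades is a one-way decision: once the CA key is gone there is no way to publish a newer CRL, so none of the outstanding certificates can be revoked afterwards, which is the trade-off being accepted here.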

$$ANON_USER$$ answered $$ANON_USER$$ commented

Thanks, the CRL checking is disabled so it should be all good then.


No, you shall not disable CRL checking. It is a wrong solution.


yep, this is a lab env't for testing certain functionalities.
