I have a question regarding Intermediate CA certificate renewal.
This is a 3-tier PKI hierarchy: Root (offline) -> Intermediate (offline) CA -> Issuing (online) CAs
Once the certificate is issued from the Root CA (using a new key pair) and installed/issued on the Intermediate CA --
New Cert/Cross Cert
Will this create cross-sign certificates (0-1, 1-0) for the SubCA, in addition to the new cert on the Intermediate CA under the CertSrv >> CertEnroll folder?
If yes, then do we need to publish ("certutil -f -dspublish") the new cert and cross-sign certificates on Domain Controllers, considering the Intermediate CA is offline?
Or will only copying the new cert file to the AIA work? How do we deal with these cross-sign certificates? Do they also need to be copied to the AIA publish locations?
For the new CRL, does this need to be published as well using "certutil -f -dspublish", or is just copying it to the CDP publish location all that is required?
Copying the new CRL to the CDP will replace the old CRL, so will there be any impact, as the existing certificate is still referring to the old CRL file? How is this going to work?