In 3 tier PKI hierarchy to renew IntCA cert
New CeRT/CrOSS CeRT
Will this create cross-sign certificates(0-1, 1-0) for SubCA, in addition to the new cert on IntermediateCA under CertSrv >> CertEnroll folder ?
if yes then do this need to publish ""certutil -f -dspublish" the new Cert and cross-sign certificate.
New CRL
For new CRL, do this need to be published
Coping the new CRL to CDP will replace the old CRL ? as the existing certificate is still referring to the old CRL file ...
yes, they should be copied if not presented already.IntCA(1).CRT file need to be copied to AIA location (AD share location - configured for http/ldap)
IntCA(1).CRL file need to be copied to CDP location (AD share location - configured for http/ldap)
you must not rename CRL. CA will automatically put proper name in CRL file name.what if I rename the existing"IntCA.CRL_old.crl" - will this work as new CRL is in the containor now ..?
CA maintain CRLs for every its signing key pair even if they are expired.I don't understand why other 2 old CRLs keep updating
Hello @Thinker-3087,
Thank you for posting here.
New CeRT/CrOSS CeRT
This will create cross-sign certificates on IntermediateCA under CertSrv >> CertEnroll folder.
You can copy or publish the renewed IntermediateCA certs based on the AIA locations.
For example:
If you configured LDAP location, you will need to publish the renewed IntermediateCA certs to the domain.
If you configured Http location, you will need to copy the renewed IntermediateCA certs to the http location.
New CRL
For new CRL, do this need to be published as well using "certutil -f -dspublish" or just coping to CDP publish location is required only.
A: Based on my experience, if the CRLs related to IntermediateCA are working fine (not expired), we do not need to publish them.
Coping the new CRL to CDP will replace the old CRL .. so will there be any impact ? as the existing certificate is still referring to the old CRL file ... how this going to work
A: There is no impact.
Here is a similar case for your reference.
cross signing certificates during offline root's renewal (what do I do with them?)
https://social.technet.microsoft.com/Forums/Azure/en-US/43daee14-4356-40c8-8858-583f27acc98f/cross-signing-certificates-during-offline-roots-renewal-what-do-i-do-with-them?forum=winserversecurity
Should you have any question or concern, please feel free to let us know.
Tip: Before making and change to CA environment, please check CA health first.
Best Regards,
Daisy Zhou
Will this create cross-sign certificates(0-1, 1-0) for SubCA
no, it won't. Cross-certificates are created only during Root CA renewal with new key pair. For intermediate CA certificates cross-certificates are not generated. You only need to copy new CA certificate to AIA location.
For new CRL, do this need to be published as well using "certutil -f -dspublish" or just coping to AIA/CDP publish location is required only.
CA will automatically publish new CRL when needed and copy it to CDP locations.
Coping the new CRL to AIA/CDP will replace the old CRL
It shouldn't. A new separate CRL is generated instead. Eventually, you get two separate CRLs for each CA signing key.
as the existing certificate is still referring to the old CRL file ... how this going to work
yes, that's how things work. Old certificates will refer to CRL signed using old CA key and new certificates will refer to new CRL signed using new CA key.
Thanks guys - so just to confirm ... cross-sign certificates will not generate for InTCA .. right ??
Renew Certificate from RootCA - Once installed it on IntCA, it will create 2 new files (IntCA(1).CRT & IntCA(1).CRL) under CertSrv >> CertEnroll folder
IntCA(1).CRT file need to be copied to AIA location (AD share location - configured for http/ldap)
IntCA(1).CRL file need to be copied to CDP location (AD share location - configured for http/ldap)
On CDP location, there will be now 2 CRL files (IntCA.CRL & IntCA1.CRL) - how CA extentsion select or refer to the correct file as there are now 2 CRLs in CDP Container <CaName><CRLNameSuffix>.CRL -- what if I rename the existing"IntCA.CRL_old.crl" - will this work as new CRL is in the container now ..?
I found there are now 3 (IssCA, IssCA1, IssCA2) CRLs files and all of them update/publish every week ... Is this expected as 2 old CRLs keep updating .. in CERTENrol folder and CDP Shared folder ..?
(there is shared location for ldap/http - should copying the files there ..will work ??? as CRL coping to this shared location update CDP location
Thanks Crypt32 & DaisyZhou
There is one AD shared location for all CDP (LDAP/HTTP) - offline/online CAs.
When certificate will renew it then create new CRL(IntCA1.CRL) for new RSA Pair -- so
Paste IntCA1.CRL to AD Location and rename/remove the existing "IntCA.CRL" -
or
Paste IntCA1.CRL to AD Location only and keep IntCA.CRL as well as it is not expired yet and old certs still refer to this CRL -
or
or leave it for now and replace the IntCA1.CRL with IntCA.CRL to AD location; when its about to expire.
Copy BOTH CLRs and do nothing with their names.When certificate renewed it will now create new CRL(IntCA1.CRL) for new RSA Pair -- so when we now copy this (IntCA1.CRL) to AD Location - so should we follow the same
Once IntCA certificate renewed - Until its been copied to AIA (http, LDAP) -- will IssCA still refer to the old IntCA certificate to build chain of trust.
Intermediate new Certificate need to be pushed to 3rd party devices as well??
yes, it will. If you want Issuing CA to use new intermediate CA certificate, you have to renew issuing CA certificate.will IssuingCA still refer to the old Intermediate certificate to build chain of trust.
not really necessary. Clients may reach new intermediate CA using Authority Information Access extension.Intermediate new Certificate need to be pushed to 3rd party devices as well??
Thanks crypt32 for your prompt response
"If you want Issuing CA to use new intermediate CA certificate, you have to renew issuing CA certificate".
- so in that case no need to copy Intermediate new CRL to CDP until we renew Issuing CA certificate as - New CRL will contain only those revoked certificates that were signed using renewed CA cert -- right or even coping the new CRL to CDP has no impact as it won't be used until Issuing CA certificate renewed and it build up the chain with new Intermediate certificate ..
8 people are following this question.
