Thinker-3087 asked (0 Votes):

Renewing Intermediate CA certificate - PKI


I have a question regarding Intermediate CA certificate renewal.

This is a 3-tier PKI hierarchy: Root (offline) -> Intermediate (offline) CA -> Issuing (online) CAs.

Once the certificate is issued from the Root CA (using a new key pair) and installed on the Intermediate CA:


New Cert / Cross Cert

Will this create cross-sign certificates (0-1, 1-0) for the SubCA, in addition to the new cert on the Intermediate CA under the CertSrv >> CertEnroll folder?

  • If yes, do we need to publish ("certutil -f -dspublish") the new cert and the cross-sign certificate on Domain Controllers, considering the Intermediate CA is offline?

Or will only copying the new cert file to the AIA work? How do we deal with these cross-sign certificates: do they also need to be copied to the AIA publish locations?


New CRL

For the new CRL, does this need to be published as well using "certutil -f -dspublish", or is just copying to the CDP publish location required?

Copying the new CRL to the CDP will replace the old CRL, so will there be any impact? The existing certificates are still referring to the old CRL file; how is this going to work?

windows-server-security

Crypt32 answered (0 Votes):

IntCA(1).CRT file needs to be copied to the AIA location (AD share location, configured for http/ldap)
IntCA(1).CRL file needs to be copied to the CDP location (AD share location, configured for http/ldap)

Yes, they should be copied if not present already.

What if I rename the existing "IntCA.CRL_old.crl"? Will this work, as the new CRL is in the container now?

You must not rename CRLs. The CA will automatically put the proper name in the CRL file name.

I don't understand why the other 2 old CRLs keep updating.

The CA maintains CRLs for every one of its signing key pairs, even if they are expired.



DaisyZhou-MSFT answered (0 Votes):

Hello @Thinker-3087,

Thank you for posting here.

New Cert / Cross Cert

This will create cross-sign certificates on the Intermediate CA under the CertSrv >> CertEnroll folder.

You can copy or publish the renewed Intermediate CA certs based on the AIA locations.

For example:

If you configured an LDAP location, you will need to publish the renewed Intermediate CA certs to the domain.
If you configured an HTTP location, you will need to copy the renewed Intermediate CA certs to the HTTP location.


New CRL

For the new CRL, does this need to be published as well using "certutil -f -dspublish", or is just copying to the CDP publish location required?
A: Based on my experience, if the CRLs related to the Intermediate CA are working fine (not expired), we do not need to publish them.


Copying the new CRL to the CDP will replace the old CRL, so will there be any impact? The existing certificates are still referring to the old CRL file; how is this going to work?
A: There is no impact.

Here is a similar case for your reference.
cross signing certificates during offline root's renewal (what do I do with them?)
https://social.technet.microsoft.com/Forums/Azure/en-US/43daee14-4356-40c8-8858-583f27acc98f/cross-signing-certificates-during-offline-roots-renewal-what-do-i-do-with-them?forum=winserversecurity


Should you have any question or concern, please feel free to let us know.


Tip: Before making any change to the CA environment, please check CA health first.



Best Regards,
Daisy Zhou


Crypt32 answered (0 Votes):

Will this create cross-sign certificates (0-1, 1-0) for the SubCA?

No, it won't. Cross-certificates are created only during Root CA renewal with a new key pair. For intermediate CA certificates, cross-certificates are not generated. You only need to copy the new CA certificate to the AIA location.

For the new CRL, does this need to be published as well using "certutil -f -dspublish", or is just copying to the AIA/CDP publish location required?

The CA will automatically publish a new CRL when needed and copy it to the CDP locations.

Copying the new CRL to the AIA/CDP will replace the old CRL

It shouldn't. A new, separate CRL is generated instead. Eventually, you get two separate CRLs, one for each CA signing key.

As the existing certificates are still referring to the old CRL file, how is this going to work?

Yes, that's how things work. Old certificates will refer to the CRL signed using the old CA key, and new certificates will refer to the new CRL signed using the new CA key.


Thinker-3087 answered (0 Votes):
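A PowerShell run-through of the copy, dspublish and verify steps the answers above describe, added here as an example rather than code posted in this thread; the paths and the Issuing CA certificate file name are assumptions, and the "(1)" suffix follows the thread's own file naming.

```powershell
# Added example, not code from this thread. Paths and file names below are assumptions;
# the "(1)" key-index suffix in IntCA(1).crt / IntCA(1).crl follows the thread's naming.
param(
    [string]$CertEnroll    = 'D:\IntCA-Export\CertEnroll',    # CertEnroll copied off the offline Intermediate CA
    [string]$HttpShare     = '\\pki-web\pki$',                # folder behind the HTTP AIA/CDP URLs
    [string]$IssuingCaCert = 'C:\temp\IssCA.crt'              # an Issuing CA cert signed by the Intermediate CA
)

# 1. Copy every CA certificate and CRL from CertEnroll without renaming anything.
#    The CA bakes the key index into the file name and into the AIA/CDP URLs it writes
#    into certificates, so IntCA.crl and IntCA(1).crl must coexist under their own names.
Get-ChildItem -Path (Join-Path $CertEnroll '*') -Include *.crt, *.crl | ForEach-Object {
    Copy-Item -Path $_.FullName -Destination (Join-Path $HttpShare $_.Name) -Force
    Write-Host "Copied $($_.Name) to $HttpShare"
}

# 2. If an LDAP AIA/CDP URL is configured, publish the same files to Active Directory.
#    'SubCA' puts the CA certificate in the AIA container; a .crl goes to the CDP container.
Get-ChildItem -Path $CertEnroll -Filter *.crt | ForEach-Object { certutil -f -dspublish $_.FullName SubCA }
Get-ChildItem -Path $CertEnroll -Filter *.crl | ForEach-Object { certutil -f -dspublish $_.FullName }

# 3. Show which CRL a certificate actually references. The CDP extension (OID 2.5.29.31)
#    and AIA extension (OID 1.3.6.1.5.5.7.1.1) carry the URLs with the suffix, so an Issuing
#    CA cert signed by the old Intermediate key still points at IntCA.crl, while one signed
#    after the renewal points at IntCA(1).crl; the CA, not the file copy, decides this.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuingCaCert
$cert.Extensions |
    Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' } |
    ForEach-Object { "{0}:`n{1}" -f $_.Oid.FriendlyName, $_.Format($true) }

# 4. Let certutil fetch every AIA/CDP URL up the chain and report success or failure per URL;
#    run this after the copy so a missing or stale CRL on the share shows up immediately.
certutil -verify -urlfetch $IssuingCaCert
```

Step 3 is the check that answers the "which of the two CRLs does a client pick" question: the URL, including its suffix, is embedded in the certificate at issuance time.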

Thanks guys - so just to confirm, cross-sign certificates will not be generated for the Intermediate, right?

So the summary for the Intermediate (offline) would then be:

Renew the certificate from the Root CA. Once installed on the Intermediate, it will create 2 new files (IntCA(1).CRT & IntCA(1).CRL) under the CertSrv >> CertEnroll folder.

IntCA(1).CRT file needs to be copied to the AIA location (AD share location, configured for http/ldap)
IntCA(1).CRL file needs to be copied to the CDP location (AD share location, configured for http/ldap)



On the CDP location, there will now be 2 CRL files (IntCA.CRL & IntCA1.CRL). Just want to understand this: how does the CA extension select or refer to the correct file, as there are now 2 CRLs in the CDP container <CaName><CRLNameSuffix>.CRL? What if I rename the existing "IntCA.CRL_old.crl"? Will this work, as the new CRL is in the container now?

For the Issuing CAs, as they are online, no manual copying is required for their CRLs to the CDP location. They have been renewed twice already.

I found there are now 3 CRL files (IssCA, IssCA1, IssCA2) and all of them update/publish every week. I don't understand why the other 2 old CRLs keep updating. Is it because they are still in the CertEnroll folder and the CDP shared folder?


(There is a shared location for ldap/http. Will copying the files there work, as copying the CRL to this shared location updates the CDP location? We are doing this every 6 months: when the CRL is published we simply copy it to the shared AD location and restart the IssCA services.)


Thinker-3087 answered (0 Votes):

Thanks Crypt32 & DaisyZhou. Another doubt about copying the Intermediate CA CRL to the AD shared location (accessible by the CDP).


There is one AD shared location for all CDPs (LDAP/HTTP), offline/online CAs. ATM we are manually copying the CRL "IntCA.CRL" every six months to the AD location and renaming/removing the existing IntCA.CRL file (as it expires in a few hours).

When the certificate is renewed it will now create a new CRL (IntCA1.CRL) for the new RSA pair. So when we now copy this (IntCA1.CRL) to the AD location, should we follow the same:

  • Paste IntCA1.CRL to the AD location and rename/remove the existing "IntCA.CRL"

or

  • Paste IntCA1.CRL to the AD location only and keep IntCA.CRL as well, as it is not expired yet and old certs still refer to this CRL

or

  • Leave it for now and replace IntCA.CRL with IntCA1.CRL in the AD location when it is about to expire.

As the AD location now has 2 CRL files, it may create an issue for the CDP "HTTP" link, as it always refers to one file only. Moreover, it may still be required to be there in the AD location as old certs still use it. Or does the CA pick up the new key pair's CRL file "IntCA1.CRL" because of the suffix value and ignore the existing CRL in the AD location?



When the certificate is renewed it will now create a new CRL (IntCA1.CRL) for the new RSA pair. So when we now copy this (IntCA1.CRL) to the AD location, should we follow the same?

Copy BOTH CRLs and do nothing with their names.
2 Votes

Thinker-3087 answered (0 Votes):

While renewing the Intermediate (offline) CA certificate, will there be any impact to XenMobile Server and Citrix obtaining new certificates from the Issuing CA?

Once the certificate is renewed on the Intermediate CA, until it has been copied to the AIA (http, LDAP), will the Issuing CA still refer to the old Intermediate certificate to build the chain of trust?

  • If any new certificate request comes to the Issuing CA during the Intermediate CA certificate renewal, will it issue the new certificate or reject the request?

  • Does the new Intermediate certificate need to be pushed to 3rd party devices as well?



Will the Issuing CA still refer to the old Intermediate certificate to build the chain of trust?

Yes, it will. If you want the Issuing CA to use the new intermediate CA certificate, you have to renew the issuing CA certificate.

Does the new Intermediate certificate need to be pushed to 3rd party devices as well?

Not really necessary. Clients may reach the new intermediate CA using the Authority Information Access extension.


0 Votes

Thanks Crypt32 for your prompt response.

"If you want the Issuing CA to use the new intermediate CA certificate, you have to renew the issuing CA certificate."

 - So in that case there is no need to copy the Intermediate's new CRL to the CDP until we renew the Issuing CA certificate, as the new CRL will contain only those revoked certificates that were signed using the renewed CA cert, right? Or even copying the new CRL to the CDP has no impact, as it won't be used until the Issuing CA certificate is renewed and it builds up the chain with the new Intermediate certificate.
0 Votes