question

Hello @Thinker-3087,

Thank you for posting here.

New CeRT/CrOSS CeRT

This will create cross-sign certificates on IntermediateCA under CertSrv >> CertEnroll folder.

You can copy or publish the renewed IntermediateCA certs based on the AIA locations.

For example:

If you configured LDAP location, you will need to publish the renewed IntermediateCA certs to the domain.
If you configured Http location, you will need to copy the renewed IntermediateCA certs to the http location.

New CRL

For new CRL, do this need to be published as well using "certutil -f -dspublish" or just coping to CDP publish location is required only.
A: Based on my experience, if the CRLs related to IntermediateCA are working fine (not expired), we do not need to publish them.

Coping the new CRL to CDP will replace the old CRL .. so will there be any impact ? as the existing certificate is still referring to the old CRL file ... how this going to work
A: There is no impact.

Here is a similar case for your reference.
cross signing certificates during offline root's renewal (what do I do with them?)
https://social.technet.microsoft.com/Forums/Azure/en-US/43daee14-4356-40c8-8858-583f27acc98f/cross-signing-certificates-during-offline-roots-renewal-what-do-i-do-with-them?forum=winserversecurity

Should you have any question or concern, please feel free to let us know.

Tip: Before making and change to CA environment, please check CA health first.

Best Regards,
Daisy Zhou

Will this create cross-sign certificates(0-1, 1-0) for SubCA

no, it won't. Cross-certificates are created only during Root CA renewal with new key pair. For intermediate CA certificates cross-certificates are not generated. You only need to copy new CA certificate to AIA location.

For new CRL, do this need to be published as well using "certutil -f -dspublish" or just coping to AIA/CDP publish location is required only.

CA will automatically publish new CRL when needed and copy it to CDP locations.

Coping the new CRL to AIA/CDP will replace the old CRL

It shouldn't. A new separate CRL is generated instead. Eventually, you get two separate CRLs for each CA signing key.

as the existing certificate is still referring to the old CRL file ... how this going to work

yes, that's how things work. Old certificates will refer to CRL signed using old CA key and new certificates will refer to new CRL signed using new CA key.

Thanks guys - so just to confirm ... cross-sign certificates will not generate for Intermediate .. right ??

So the summary for Intermediate (offline) would be then

Renew Certificate from RootCA - Once installed it on Intermediate, it will create 2 new files (IntCA(1).CRT & IntCA(1).CRL) under CertSrv >> CertEnroll folder

IntCA(1).CRT file need to be copied to AIA location (AD share location - configured for http/ldap)
IntCA(1).CRL file need to be copied to CDP location (AD share location - configured for http/ldap)

On CDP location, there will be now 2 CRL files (IntCA.CRL & IntCA1.CRL) - Just want to understand this .. how CA extentsion select or refer to the correct file as there are now 2 CRLs in CDP Container <CaName><CRLNameSuffix>.CRL -- what if I rename the existing"IntCA.CRL_old.crl" - will this work as new CRL is in the containor now ..?

For IssuingCAs, as they are online so no manual copying is required for their CRLs to CDP location - Since they have been renewed twice already.

I found there are now 3 (IssCA, IssCA1, IssCA2) CRLs files and all of them update/publish every week ... I don't understand why other 2 old CRLs keep updating .. is it because they are still in CERTENrol folder and CDP Shared folder ..?

(there is shared location for ldap/http - should copying the files there ..will work ??? as CRL coping to this shared location update CDP location - we are doing this every 6 months when CRL published we simply copy this to shared AD location and restart IssCAs services)

Thanks Crypt32 & DaisyZhou - Another doubt about coping the IntermediateCA CRL to AD Shared Location (accessible by CDP)

There is one AD shared location for all CDP (LDAP/HTTP) - offline/online CAs. ATM we are manually coping the CRL "IntCA.CRL" every six months to AD location and rename/remove the existing IntCA.CRL file (as it expires in few hours).

When certificate renewed it will now create new CRL(IntCA1.CRL) for new RSA Pair -- so when we now copy this (IntCA1.CRL) to AD Location - so should we follow the same

• Paste IntCA1.CRL to AD Location and rename/remove the existing "IntCA.CRL" -

or

• Paste IntCA1.CRL to AD Location only and keep IntCA.CRL as well as it is not expired yet and old certs still refer to this CRL -

or

• or leave it for now and replace the IntCA1.CRL with IntCA.CRL to AD location; when its about to expire.

As AD Location now have 2 CRL files and may create issue for CDP "HTTP" link as it always refer to one file only - Moreover, it may still required to be there in AD location as old certs are still it - or CA pick up the new key pair CRL file "IntCA1.CRL" because of suffix value and ignore the existing CRL in AD Location ??

While renewing Intermediate (offline) CA certificate, will there be any impact to XenMobile Server, Citrix obtaining the new certificates from Issuing CA.. ?

Once certificate renewed on Intermediate CA - Until its been copied to AIA (http, LDAP) -- will IssuingCA still refer to the old Intermediate certificate to build chain of trust.

• If any new certificate request come to Issuing CA during Intermediate CA certificate renewal -- will it issue the new certificate or reject the request?
  

• Intermediate new Certificate need to be pushed to 3rd party devices as well??