when the migration from CSP and SHA-1 to KSP and SHA-2 finished on a 1-tier-PKI, the CA signs new certificates and CRLs with SHA256.
Do I have to renew the CA certificate?
What happens if I do not renew the CA certificate?
Do I have to use "renew with new key"?
It would be nice if someone could explain his answers a little bit.