51892182 asked, FanFan-MSFT commented

If an enterprise CA is renewed with a new key, does the client know to chain a previously issued cert up to the previous enterprise CA cert, rather than to the latest CA cert?

The client has the old enterprise CA cert (not yet expired) and the new enterprise CA cert (the latest).
So when Windows 10 checks a certificate that was issued under the old enterprise CA cert, does it know to chain it to the old CA cert by SKID, rather than always choosing the latest CA cert?

windows-10-security, windows-server-security

If renewed with a new key, there are then an old and a new CA cert? How does a previously issued cert chain up? Which one has priority: matching by SKID/AKID, or the latest CA cert?
Matching by SKID/AKID will find the right one, while picking the latest would be wrong; but doesn't it always pick the latest one?


Hi,

Just want to confirm the current situation.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

FanFan-MSFT answered

Hi,
Based on my research, there is a difference between renewing the CA certificate with a new key pair and renewing it with the existing key pair.

When you renew the CA certificate with the existing key pair, nothing important in the certificate changes. The certificate contains the same public and private key. As a result, all previously issued certificates chain up to the new CA cert without any changes.

When you renew the CA certificate with a new key pair, certificates previously issued under the old CA cert chain up to the previous CA cert, and newly issued certs chain up to the new CA cert.
For more information, you can refer to the following link: https://www.sysadmins.lv/blog-en/root-ca-certificate-renewal.aspx
This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.

Best Regards,

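The following PowerShell script is an added example, not code from the thread or from Microsoft. It shows the issuer-selection step the answer above describes: a client locates the issuing CA certificate by matching the leaf's Authority Key Identifier (AKID) against the Subject Key Identifier (SKID) of the CA certificates it has. After a same-key renewal, both the old and the new CA certificate carry the same SKID, so both are candidates and the chain engine has to pick one; after a new-key renewal, exactly one CA certificate matches. The script then asks the Windows chain engine (X509Chain) which one it actually selected. The store paths (LocalMachine\My for leaf certificates, LocalMachine\Root and LocalMachine\CA for CA certificates) and the offline revocation setting are assumptions for the example.

```powershell
# Added example: map each leaf certificate to the CA certificates whose SKID
# equals the leaf's AKID, then compare with the issuer the chain engine chose.
# Store paths below are assumptions; adjust them for your environment.

function Get-KeyIdentifierHex {
    # Returns the Subject Key Identifier (OID 2.5.29.14) as uppercase hex,
    # or $null if the certificate has no SKID extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if (-not $ext) { return $null }
    $skid = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension -ArgumentList $ext, $false
    return $skid.SubjectKeyIdentifier.ToUpperInvariant()
}

function Get-AuthorityKeyIdentifierHex {
    # Returns the keyIdentifier field of the Authority Key Identifier (OID 2.5.29.35)
    # as uppercase hex. DER layout: SEQUENCE { [0] keyIdentifier, [1] issuer, [2] serial }.
    # Only the keyIdentifier element is read; $null if it is absent.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
    if (-not $ext) { return $null }
    $raw = $ext.RawData
    if ($raw[0] -ne 0x30) { return $null }
    # Skip the SEQUENCE header; the length may use the long form (0x81 nn, 0x82 nn nn).
    $offset = 2
    if ($raw[1] -band 0x80) { $offset += ($raw[1] -band 0x7F) }
    if ($raw[$offset] -ne 0x80) { return $null }        # first element is not [0] keyIdentifier
    $len = $raw[$offset + 1]                            # key IDs are short (typically 20 bytes)
    $bytes = $raw[($offset + 2)..($offset + 1 + $len)]
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

# Index every CA certificate the machine knows by SKID. After a same-key
# renewal the same SKID maps to two certificates (old and new CA cert).
$caBySkid = @{}
foreach ($ca in (Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA)) {
    $skid = Get-KeyIdentifierHex -Cert $ca
    if (-not $skid) { continue }
    if (-not $caBySkid.ContainsKey($skid)) { $caBySkid[$skid] = @() }
    $caBySkid[$skid] += $ca
}

foreach ($leaf in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $akid = Get-AuthorityKeyIdentifierHex -Cert $leaf
    if (-not $akid) { continue }
    $candidates = if ($caBySkid.ContainsKey($akid)) { @($caBySkid[$akid]) } else { @() }

    # Let the Windows chain engine build the chain and report which CA cert it picked.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'     # offline: only the issuer choice matters here
    [void]$chain.Build($leaf)
    $chosen = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate.Thumbprint } else { $null }

    [pscustomobject]@{
        Leaf            = $leaf.Subject
        AKID            = $akid
        MatchingCACerts = $candidates.Count           # 2 after a same-key renewal, 1 after a new-key renewal
        CandidateCAs    = ($candidates | ForEach-Object { '{0} (valid {1:d} to {2:d})' -f $_.Thumbprint, $_.NotBefore, $_.NotAfter }) -join '; '
        IssuerChosen    = $chosen
    }
}
```

Reading the LocalMachine stores does not require elevation. When MatchingCACerts is 2 for a leaf, the AKID alone cannot distinguish the two CA certificates, which is the same-key case discussed in the thread; the IssuerChosen column shows which of the two the chain engine settled on, and `certutil -verify <leaf.cer>` gives the same chain from the command line for cross-checking.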

Crypt32 answered FanFan-MSFT commented

Does the client know to chain a previously issued cert up to the previous enterprise CA cert, rather than to the latest CA cert?

Why would the client want this? I already explained the difference between renewal types to you here.

So when Windows 10 checks a certificate that was issued under the old enterprise CA cert, does it know to chain it to the old CA cert by SKID, rather than always choosing the latest CA cert?

why? It makes zero sense.


Hi Crypt32,
Thank you for the explanation, but I am still confused about some details. Let me summarize everything mentioned by you and FanFan
at the link
if-ent-ca-renew-with-new-key-does-client-can-chain.html

and this link

If renewed with the same key:
1. Since the SKID does not change, it will always work (FanFan's part) until the previous CA cert expires; Windows will select either one, even the expired CA cert, and then the problem will happen (Crypt32's part).
- But I still wonder about this, because FanFan's link (https://www.sysadmins.lv/blog-en/root-ca-certificate-renewal.aspx) says: "When you renew CA certificate with existing key pair, nothing important in certificate is changed. The certificate will contain the same public and private key. As the result all previously issued certificates will chain up to new CA cert without any changes." Then Windows may choose the latest CA cert because it has a "version"?

If renewed with a new key:
1. The previous cert will end at the previous CA's date, which is perfect (Crypt32's part).
2. The previous cert can only chain up to the previous CA, and new certs can only chain up to the new CA (FanFan's link); an extra "CrossCA" cert must be deployed.
- I suppose this is for renewing on the same server. If I build a new server with a new key and a new CA name, there is no need for the CrossCA anymore, and the solution will be perfect?

Cross-certificates are used only for root CA renewals; they are not used for any intermediate CA renewal.


Hi,
Would you please tell us what you want to do with your root CA?
Build a new CA server, or just renew the CA cert?

Best Regards,