Hello all,
caused by the expiration date of our CA certificate, we want to renew the CA certificate with the same key.
My question is now: how does the new Root-CA-Certifcate be published to all our domain-joined windows clients?
Is there a out-of-the-box function, like all domain-joined objects will aks the domain if there is a root and automatically trust this root-certificate and also the new root-cert?
Or is this a manual task via a GPO which was done before and now I have to identify the GPO + update the root-cert in this GPO?
Also, is there a best-practice for renewing the root-certifcate?
My first thought was: It's not a big thing, but the more I think about it I see the risk that some functions (validation of certificates) will no longer work properly with some clients.

