How to renew a Root Certificate

Posted on 2009-07-08
Last Modified: 2013-12-04
We have a root CA that will expire soon. How can we renew it, and do we need to send it back to all end users so they can reinstall it again?

Question by:m1itsupport

Accepted Solution

astrochimp earned 1000 total points
ID: 24807691
LVL 31

Assisted Solution

Paranormastic earned 1000 total points
ID: 24814764
That article gives the basics.  A few extra things:
1) In the CA MMC - right click CAName - All Tasks - Backup CA - backup the cert database and the private key.  Then do a full system backup, including system state - hold onto this copy for at least a month, preferably until the cert expires.
2) Note that if your root is expiring, ALL of your certs that chain to that root are expiring.  CA servers will not issue a cert past their own validity period - the CA will truncate them once the defined lifetime exceeds its own expiration date.
3) After renewing, make sure to backup the CA database and private key, issue a fresh CRL and backup the server again.
4) If you haven't experienced a CA renewal yet, note that you may notice a (1) appearing at the end of various filenames - this indicates the 1st renewal and is perfectly normal.
5) Remember to re-deploy the root certificate via GPO, etc. for your clients and servers.
6) When dealing with the root, it is best to use a new keyset instead of reusing the same keyset.  Unless you tell it otherwise, this will be the default behavior, but I have seen references that tell you to just keep using the same keyset indefinitely, which is a bad thing.  For subordinates, re-keying is fine as long as you use a fresh keyset every so often - usually 5 years is as long as you want to keep it around.
7) It is best practice to renew CA certs years ahead of time.  It is better to have a 10 year cert that you replace after 5 years than to have a 5 year cert you use for 4.9 years.  See #2 - truncated dates.  Each CA cert should be valid for twice the time period of the longest cert it issues and should be replaced at 1/2 of its lifetime.  This prevents certs all expiring at the same time.
8) Yes, you will have 2 CRLs to publish until the original cert expires.  If this is scripted to copy *.crl (instead of caname.crl) to your CDP locations, you should be fine.
9) Commonly forgotten: Remember to copy the new cert to each of the AIA locations.
10) If there were any changes to the CDP, AIA, validity period, key strength (should be 2048), etc. - now is the best time to do it.  This can all be set up ahead of time for the registry settings (or use a CApolicy.inf for cmd line renewal) and will be enforced at the time of cert issuance.
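The truncation behaviour in #2 and the "twice the longest issued cert, replace at half life" rule in #7, worked through as an added Python example (not code from this thread or from the CA itself; the root dates, the 2-year template lifetime and the "today" value are constructed sample values):

```python
from datetime import datetime, timedelta

# Constructed sample values (not from the thread): a 5-year root issued
# 2004-07-01, a template that requests 2-year end-entity certs, and an
# "as of" date used in place of datetime.now() so the run is repeatable.
ROOT_NOT_BEFORE = datetime(2004, 7, 1)
ROOT_NOT_AFTER = datetime(2009, 7, 1)
REQUESTED_LIFETIME = timedelta(days=730)
TODAY = datetime(2008, 1, 15)


def effective_not_after(ca_not_after, issue_date, requested_lifetime):
    """Step 2 above: a CA never issues past its own NotAfter, so the
    requested lifetime is silently truncated to the CA's expiry date."""
    requested = issue_date + requested_lifetime
    return min(requested, ca_not_after)


def is_truncated(ca_not_after, issue_date, requested_lifetime):
    """True when a cert requested on issue_date would lose lifetime."""
    return issue_date + requested_lifetime > ca_not_after


def renewal_plan(ca_not_before, ca_not_after, longest_issued, today):
    """Step 7 above: the CA cert should be valid for at least twice the
    longest cert it issues and be replaced at 1/2 of its lifetime.
    Returns findings an operator can alert on from a scheduled check."""
    lifetime = ca_not_after - ca_not_before
    half_life = ca_not_before + lifetime / 2
    return {
        "lifetime_ok": lifetime >= 2 * longest_issued,
        "renew_by": half_life,
        "renew_overdue": today > half_life,
        # certs requested from today onwards already lose lifetime
        "issuance_truncated": is_truncated(ca_not_after, today, longest_issued),
        "days_until_ca_expiry": (ca_not_after - today).days,
    }


if __name__ == "__main__":
    plan = renewal_plan(ROOT_NOT_BEFORE, ROOT_NOT_AFTER, REQUESTED_LIFETIME, TODAY)
    for key, value in plan.items():
        print(f"{key}: {value}")
    print("cert requested today would expire:",
          effective_not_after(ROOT_NOT_AFTER, TODAY, REQUESTED_LIFETIME).date())
```

With the sample dates the root is already past its half life and any 2-year cert requested today is cut back to the root's own expiry, which is exactly the situation steps 2 and 7 warn about.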
