Solved

How to renew a Root Certificate

Posted on 2009-07-08
3
9,740 Views
Last Modified: 2013-12-04
We have a root CA that will expire soon, how we can renew it, and do we need to send it back to all end users in order to reinstall again?

0
Comment
Question by:m1itsupport
3 Comments
 
LVL 4

Accepted Solution

by:
astrochimp earned 250 total points
ID: 24807691
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 250 total points
ID: 24814764
That article gives the basics.  A few extra things:
1) In the CA MMC - right click CAName - All Tasks - Backup CA - backup the cert database and the private key.  Then do a full system backup, including system state - hold onto this copy for at least a month, preferably until the cert expires.
2) Note that if your root is expiring, ALL of your certs that chaing to that root are expiring.  CA servers will not issue a cert past its own validity period - it will truncate them once the defined lifetime exceeds its own expiration date.
3) After renewing, make sure to backup the CA database and private key, issue a fresh CRL and backup the server again.
4) If you haven't experienced a CA renewal yet, note that you may notice a (1) appearing at the end of various filenames - this indicates the 1st renewal and is perfectly normal.
5) Remember to re-deploy the root certificate via GPO, etc. for your clients and servers.
6) When dealing with the root, it is best to use a new keyset instead of reusing the same keyset.  Unless you tell it otherwise, this will be default behavior, but I have seen references that tell you to just keep using the same keyset indefinitely, which is a bad thing.  For subordinates, re-keying is fine as long as you use a fresh keyset every so often - usually 5 years is as long as you want to keep it around.
7) It is best practice to renew CA certs years ahead of time.  It is better to have a 10 year cert that you replace after 5 years than to have a 5 year cert you use for 4.9 years.  See #2 - truncated dates.  Each CA cert should be valid for twice the time period of the longest cert it issues and should be replaced 1/2 of its lifetime.  This prevents certs all expiring at the same time.
8) Yes, you will have 2 CRLs to publish until the original cert expires.  If this is scripted to copy *.crl (instead of caname.crl) to your CDP locations, you should be fine.
9) Commonly forgotton: Remember to copy the new cert to each of the AIA locations.
10) If there were any changes to the CDP, AIA, validity period, key strength (should be 2048), etc. - now is the best time to do it.  This can all be set up ahead of time for the registry settings (or use a CApolicy.inf for cmd line renewal) and will be enforced at the time of cert issuance.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

937 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

4 Experts available now in Live!

Get 1:1 Help Now