Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How to renew a Root Certificate

Posted on 2009-07-08
3
Medium Priority
?
10,790 Views
Last Modified: 2013-12-04
We have a root CA that will expire soon, how we can renew it, and do we need to send it back to all end users in order to reinstall again?

0
Comment
Question by:m1itsupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Accepted Solution

by:
astrochimp earned 1000 total points
ID: 24807691
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 1000 total points
ID: 24814764
That article gives the basics.  A few extra things:
1) In the CA MMC - right click CAName - All Tasks - Backup CA - backup the cert database and the private key.  Then do a full system backup, including system state - hold onto this copy for at least a month, preferably until the cert expires.
2) Note that if your root is expiring, ALL of your certs that chaing to that root are expiring.  CA servers will not issue a cert past its own validity period - it will truncate them once the defined lifetime exceeds its own expiration date.
3) After renewing, make sure to backup the CA database and private key, issue a fresh CRL and backup the server again.
4) If you haven't experienced a CA renewal yet, note that you may notice a (1) appearing at the end of various filenames - this indicates the 1st renewal and is perfectly normal.
5) Remember to re-deploy the root certificate via GPO, etc. for your clients and servers.
6) When dealing with the root, it is best to use a new keyset instead of reusing the same keyset.  Unless you tell it otherwise, this will be default behavior, but I have seen references that tell you to just keep using the same keyset indefinitely, which is a bad thing.  For subordinates, re-keying is fine as long as you use a fresh keyset every so often - usually 5 years is as long as you want to keep it around.
7) It is best practice to renew CA certs years ahead of time.  It is better to have a 10 year cert that you replace after 5 years than to have a 5 year cert you use for 4.9 years.  See #2 - truncated dates.  Each CA cert should be valid for twice the time period of the longest cert it issues and should be replaced 1/2 of its lifetime.  This prevents certs all expiring at the same time.
8) Yes, you will have 2 CRLs to publish until the original cert expires.  If this is scripted to copy *.crl (instead of caname.crl) to your CDP locations, you should be fine.
9) Commonly forgotton: Remember to copy the new cert to each of the AIA locations.
10) If there were any changes to the CDP, AIA, validity period, key strength (should be 2048), etc. - now is the best time to do it.  This can all be set up ahead of time for the registry settings (or use a CApolicy.inf for cmd line renewal) and will be enforced at the time of cert issuance.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question