Solved

How to renew a Root Certificate

Posted on 2009-07-08
3
9,617 Views
Last Modified: 2013-12-04
We have a root CA that will expire soon, how we can renew it, and do we need to send it back to all end users in order to reinstall again?

0
Comment
Question by:m1itsupport
3 Comments
 
LVL 4

Accepted Solution

by:
astrochimp earned 250 total points
ID: 24807691
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 250 total points
ID: 24814764
That article gives the basics.  A few extra things:
1) In the CA MMC - right click CAName - All Tasks - Backup CA - backup the cert database and the private key.  Then do a full system backup, including system state - hold onto this copy for at least a month, preferably until the cert expires.
2) Note that if your root is expiring, ALL of your certs that chaing to that root are expiring.  CA servers will not issue a cert past its own validity period - it will truncate them once the defined lifetime exceeds its own expiration date.
3) After renewing, make sure to backup the CA database and private key, issue a fresh CRL and backup the server again.
4) If you haven't experienced a CA renewal yet, note that you may notice a (1) appearing at the end of various filenames - this indicates the 1st renewal and is perfectly normal.
5) Remember to re-deploy the root certificate via GPO, etc. for your clients and servers.
6) When dealing with the root, it is best to use a new keyset instead of reusing the same keyset.  Unless you tell it otherwise, this will be default behavior, but I have seen references that tell you to just keep using the same keyset indefinitely, which is a bad thing.  For subordinates, re-keying is fine as long as you use a fresh keyset every so often - usually 5 years is as long as you want to keep it around.
7) It is best practice to renew CA certs years ahead of time.  It is better to have a 10 year cert that you replace after 5 years than to have a 5 year cert you use for 4.9 years.  See #2 - truncated dates.  Each CA cert should be valid for twice the time period of the longest cert it issues and should be replaced 1/2 of its lifetime.  This prevents certs all expiring at the same time.
8) Yes, you will have 2 CRLs to publish until the original cert expires.  If this is scripted to copy *.crl (instead of caname.crl) to your CDP locations, you should be fine.
9) Commonly forgotton: Remember to copy the new cert to each of the AIA locations.
10) If there were any changes to the CDP, AIA, validity period, key strength (should be 2048), etc. - now is the best time to do it.  This can all be set up ahead of time for the registry settings (or use a CApolicy.inf for cmd line renewal) and will be enforced at the time of cert issuance.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safeā€¦
OfficeMate Freezes on login or does not load after login credentials are input.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video discusses moving either the default database or any database to a new volume.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now