How to renew a Root Certificate

We have a root CA that will expire soon, how we can renew it, and do we need to send it back to all end users in order to reinstall again?

m1itsupportAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

astrochimpCommented:
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ParanormasticCryptographic EngineerCommented:
That article gives the basics.  A few extra things:
1) In the CA MMC - right click CAName - All Tasks - Backup CA - backup the cert database and the private key.  Then do a full system backup, including system state - hold onto this copy for at least a month, preferably until the cert expires.
2) Note that if your root is expiring, ALL of your certs that chaing to that root are expiring.  CA servers will not issue a cert past its own validity period - it will truncate them once the defined lifetime exceeds its own expiration date.
3) After renewing, make sure to backup the CA database and private key, issue a fresh CRL and backup the server again.
4) If you haven't experienced a CA renewal yet, note that you may notice a (1) appearing at the end of various filenames - this indicates the 1st renewal and is perfectly normal.
5) Remember to re-deploy the root certificate via GPO, etc. for your clients and servers.
6) When dealing with the root, it is best to use a new keyset instead of reusing the same keyset.  Unless you tell it otherwise, this will be default behavior, but I have seen references that tell you to just keep using the same keyset indefinitely, which is a bad thing.  For subordinates, re-keying is fine as long as you use a fresh keyset every so often - usually 5 years is as long as you want to keep it around.
7) It is best practice to renew CA certs years ahead of time.  It is better to have a 10 year cert that you replace after 5 years than to have a 5 year cert you use for 4.9 years.  See #2 - truncated dates.  Each CA cert should be valid for twice the time period of the longest cert it issues and should be replaced 1/2 of its lifetime.  This prevents certs all expiring at the same time.
8) Yes, you will have 2 CRLs to publish until the original cert expires.  If this is scripted to copy *.crl (instead of caname.crl) to your CDP locations, you should be fine.
9) Commonly forgotton: Remember to copy the new cert to each of the AIA locations.
10) If there were any changes to the CDP, AIA, validity period, key strength (should be 2048), etc. - now is the best time to do it.  This can all be set up ahead of time for the registry settings (or use a CApolicy.inf for cmd line renewal) and will be enforced at the time of cert issuance.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.