izgoblin
asked on
Renewing root CA certificate on Windows 2008 with new key. What to look out for?
I created my root CA certificate and key on Windows 2000 and somehow foolishly selected to use a 512-bit RSA key which I only just realized recently. I need to regenerate a more secure key and recreate my root CA cert ASAP. Unfortunately I can't find any useful articles on how to do this on Windows 2008 R2 as the ones I've seen specifically reference 2000 or 2003.
What will be the immediate result of generating a new key and root CA certificate? I know that I will need to then issue new certificates for every web server, our code signing certificate, and any other certificates manually issued. Before doing so, I have to obviously ship out the new root CA cert to all clients. Can I safely regenerate the root key and cert now and reissue web server certs as time permits?
Any insight as to what I would need to look out for when doing this would be much appreciated. I would like to get this done ASAP but want to make sure I don't break something and have to rush to fix it.
ASKER
That article is perfect. That's what I'm going to have to do - set up a new PKI to avoid breaking anything issued prior. Much appreciated.
1. Log on to the system as a Certification Authority Administrator.
2. Open Certification Authority.
3. In the console tree, click the name of the certification authority (CA). Where: Certification Authority (Computer)/CA name.
4. On the Action menu, point to All Tasks, and click Renew CA Certificate.
5. Do one of the following:
   - If you want to generate a new public and private key pair for the certification authority's certificate, click Yes.
   - If you want to reuse the current public and private key pair for the certification authority's certificate, click No.

Note: To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.
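The following PowerShell script is an added example, not part of the question or of the Experts Exchange answer: it audits the machine's root and intermediate CA stores for RSA keys below a chosen floor (2048 bits assumed here), so a 512-bit root like the one described above can be confirmed before the renewal and shown gone afterwards, and it notes the certutil equivalent of answering "Yes" in step 5 of the wizard. The function name and the 2048-bit floor are the example's own choices.

```powershell
# Audit the local root and intermediate CA stores for short RSA keys.
# Works in PowerShell 2.0 on Windows Server 2008 R2 (no newer cmdlets needed).
function Get-WeakCACertificate {
    param(
        [int]$MinimumKeySize = 2048,   # assumed floor; anything below is reported
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA')
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path | ForEach-Object {
            $cert = $_
            $keySize = $null
            try {
                # PublicKey.Key is an RSACryptoServiceProvider for RSA certificates;
                # KeySize is the modulus length in bits (512 for the root in question).
                $keySize = $cert.PublicKey.Key.KeySize
            } catch {
                return   # non-RSA or unsupported key type: skip this certificate
            }
            if ($keySize -lt $MinimumKeySize) {
                New-Object PSObject -Property @{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    KeySize    = $keySize
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
}

# List every CA certificate trusted by this machine whose RSA key is too short.
Get-WeakCACertificate | Format-Table Store, Subject, KeySize, NotAfter -AutoSize

# Command-line equivalent of the wizard in the steps above, run on the CA itself
# from an elevated prompt. Omitting the ReuseKeys keyword generates a new key pair
# (the wizard's "Yes"); "certutil -renewCert ReuseKeys" would keep the old key
# (the wizard's "No"), which defeats the purpose when the old key is 512-bit.
#   certutil -renewCert
```

After the renewal, run the audit again: the old 512-bit root certificate stays in the store (certificates already issued still chain to it), while the newly issued CA certificate with the larger key is what the CA signs with from then on.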