Root CA corrupted. Built new one. Can I point intermediate CA at this and not break issued certs?


Recently we found out that we needed to change the cryptographic hash algorithm on our CAs to SHA256. Unfortunately our offline Root CA (rootca01) was corrupt and therefore the PKI chain is broken. We have spun up a new Root CA (rootca02) and are wondering whether we can point the intermediate CA (subca01) at rootca02 without somehow breaking the certs currently issued.

What is the best practice for this scenario? Server 2012.


You cannot do what you are trying to do. It will break the CA authorities.

If you have the original root CA backup, you can restore it.

If not, you need to build a new root CA followed by a new intermediate CA.

If this is not a very big network, you could probably just deploy one enterprise root CA (AD integrated); that's the best option I can see.

Dave Howe, Software and Hardware Engineer, commented:
No - but you can continue to use the current Intermediate CA until its certificate needs renewal, then renew that from a new Root CA. The loss of your legacy root won't make the intermediate fail in any respect.
If root CA 1 has issued the intermediate CA cert, it can't be renewed / requested from another root CA (2).

You can use that intermediate CA until it expires, at the latest; better, you could take action right now, assuming your network is not very big.
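To see concretely why subca01's existing certificate cannot be "pointed at" rootca02, here is an added openssl demonstration (not code from this thread or from AD CS). It builds a constructed rootca01, signs a constructed subca01 with it, then builds rootca02 with the same subject name but a new key pair; it assumes only that the `openssl` command line tool is on the PATH.

```shell
#!/bin/sh
# Added demo (not from the thread): rootca01 signs subca01, then rootca02 is built as a
# replacement root with the SAME subject name. Shows why subca01's existing certificate
# cannot simply be pointed at rootca02: the chain is bound to rootca01's key, not its name.
# All names and keys are constructed here; nothing comes from a real PKI.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal profile so every CA certificate is a valid v3 CA (basicConstraints, keyUsage).
cat >"$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Self-signed root with a SHA-256 signature. $1 = file prefix, $2 = subject CN.
gen_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -extensions ca_ext -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# "ok" if certificate $2 chains to trust anchor $1, "broken" otherwise.
chain_status() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo broken; fi
}

# Signature algorithm recorded in certificate $1 (e.g. sha256WithRSAEncryption).
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

gen_root rootca01 "Example Root CA"   # the original root, later lost
gen_root rootca02 "Example Root CA"   # rebuilt root: same name, brand-new key pair

# subca01: a CSR signed by rootca01 only, with the CA profile above.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
  -subj "/CN=subca01" -keyout "$WORK/subca01.key" -out "$WORK/subca01.csr" 2>/dev/null
openssl x509 -req -in "$WORK/subca01.csr" -CA "$WORK/rootca01.pem" -CAkey "$WORK/rootca01.key" \
  -CAcreateserial -sha256 -days 1825 -extfile "$WORK/ca.cnf" -extensions ca_ext \
  -out "$WORK/subca01.pem" 2>/dev/null
echo "subca01 signature: $(sig_alg "$WORK/subca01.pem")"
echo "subca01 chained to rootca01: $(chain_status "$WORK/rootca01.pem" "$WORK/subca01.pem")"
echo "subca01 chained to rootca02: $(chain_status "$WORK/rootca02.pem" "$WORK/subca01.pem")"
```

The last line reports "broken" even though rootca02 carries the same issuer name, because subca01's signature was produced with rootca01's private key; relying parties that only trust rootca02 will reject everything below subca01 until a new intermediate certificate is issued.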