
Root CA corrupted, built a new one. Can I point the intermediate CA at this and not break issued certs?


Recently we found out that we needed to change the cryptographic hash algorithm on our CAs to SHA256. Unfortunately our offline Root CA (rootca01) was corrupt and therefore the PKI chain is broken. We have spun up a new Root CA (rootca02) and are wondering whether we can point the intermediate CA (subca01) at rootca02 without somehow breaking the certs currently issued?

What is the best practice for this scenario? Server 2012.


Distinguished Expert 2019
You cannot do what you are trying to do. It will break the CA authorities.

If you have the original root CA backup, you can restore it.

If not, you need to build a new root CA followed by a new intermediate CA.

If this is not a very big network, you could probably just deploy one enterprise root CA (AD integrated); that's the best option I can see.
Dave Howe, Software and Hardware Engineer
No - but you can continue to use the current Intermediate CA until its certificate needs renewal, then renew that from a new Root CA. The loss of your legacy root won't make the intermediate fail in any respect.
Distinguished Expert 2019
If root CA 1 has issued the intermediate CA cert, it can't be renewed / requested from another root CA (2).

You can use that intermediate CA until it expires at most; better, you could take action right now, assuming your network is not very big.
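The signature mechanics behind the answers above, as an added example that is not from the thread: it builds a constructed toy rootca01 / subca01 / rootca02 PKI with the Python `cryptography` package and checks which certificate signatures verify under which issuer key (the leaf name `server.example` and the same-key renewal step are assumptions for illustration, not the thread's procedure).

```python
# Added example (not from the thread): a constructed toy PKI mirroring the question
# (rootca01 -> subca01 -> issued cert) plus a fresh rootca02, checking which
# certificate signatures verify under which issuer key. Needs the 'cryptography' package.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue a SHA-256 signed certificate (self-signed when issuer is subject)."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer_cert):
    """True only if cert's signature was made by the private key matching issuer_cert."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def build_scenario():
    """Old root, its intermediate, one issued cert, and the replacement root (all constructed)."""
    k_root1, k_sub, k_leaf, k_root2 = (rsa.generate_private_key(65537, 2048) for _ in range(4))
    root1 = issue("rootca01", k_root1, "rootca01", k_root1, True)
    sub = issue("subca01", k_sub, "rootca01", k_root1, True)
    leaf = issue("server.example", k_leaf, "subca01", k_sub, False)   # assumed leaf name
    root2 = issue("rootca02", k_root2, "rootca02", k_root2, True)
    # Assumed renewal path: rootca02 signs a new certificate over subca01's EXISTING key pair.
    sub_renewed = issue("subca01", k_sub, "rootca02", k_root2, True)
    return {
        "old_sub_under_old_root": signed_by(sub, root1),              # True
        "old_sub_under_new_root": signed_by(sub, root2),              # False: cannot re-point
        "leaf_under_old_sub_cert": signed_by(leaf, sub),              # True: issued certs unaffected
        "renewed_sub_under_new_root": signed_by(sub_renewed, root2),  # True
        "leaf_under_renewed_sub_cert": signed_by(leaf, sub_renewed),  # True: same signing key
    }
```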