Root CA corrupted. Built new one. Can I point intermediate CA at this and not break issued certs?

Hello,

Recently we found out that we needed to change the cryptographic hash algorithm on our CAs to SHA256. Unfortunately, our offline Root CA (rootca01) was corrupt and therefore the PKI chain is broken. We have spun up a new Root CA (rootca02) and are wondering whether we can point the intermediate CA (subca01) at rootca2 without breaking the certs currently issued somehow?

What is the best practice for this scenario? Server 2012.

Thanks,
SimonBrook Asked:
Mahesh (Architect) Commented:
You cannot do what you are trying to do. It will break CA authorities.

If you have the original root CA backup, you can restore it.

If not, you need to build a new root CA followed by a new intermediate CA.

If this is not a very big network, you could probably just deploy one enterprise root CA (AD integrated); that's the best option I could see.
Dave Howe (Software and Hardware Engineer) Commented:
No - but you can continue to use the current Intermediate CA until its certificate needs renewal, then renew that from a new Root CA. The loss of your legacy root won't make the intermediate fail in any respect.
Mahesh (Architect) Commented:
If root CA1 has issued the intermediate CA cert, it can't be renewed / requested from another root CA (2).

You can use that intermediate CA at most until it expires; better that you take action right now, assuming your network is not very big.
Question has a verified solution.
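
An added illustration, not part of any participant's post and not AD CS tooling: a throwaway OpenSSL lab that reuses the thread's names to show why subca01 cannot simply be re-pointed. The existing chain validates with only rootca01's public certificate once the root key is gone, while neither rootca02 nor a rebuilt root reusing the old name can anchor it, because subca01's certificate was signed by the lost key. The file layout, `server01`, and the `rebuilt` root are assumptions made for the lab, and the reused-name case goes one step beyond what the thread discusses.

```bash
#!/usr/bin/env bash
# Added example: constructed lab PKI whose names mirror the thread. Needs the openssl CLI.
set -u
LAB=$(mktemp -d)
cat > "$LAB/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# new_root FILE CN: self-signed SHA-256 root certificate with a fresh key pair.
new_root() {
  openssl req -x509 -config "$LAB/lab.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 30 -subj "/CN=$2" -keyout "$LAB/$1.key" -out "$LAB/$1.crt" 2>/dev/null
}

# issue NAME ISSUER EXT: new key + CSR for NAME, signed with ISSUER's private key.
issue() {
  openssl req -new -config "$LAB/lab.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$2.crt" -CAkey "$LAB/$2.key" \
    -CAcreateserial -extfile "$LAB/lab.cnf" -extensions "$3" -sha256 -days 30 \
    -out "$LAB/$1.crt" 2>/dev/null
}

# chain_ok ROOT: does server01 -> subca01 validate with ROOT as the only trust anchor?
# Uses only ROOT's public certificate. Revocation (CRL) checking is not modelled here.
chain_ok() {
  openssl verify -CAfile "$LAB/$1.crt" -untrusted "$LAB/subca01.crt" \
    "$LAB/server01.crt" >/dev/null 2>&1
}

new_root rootca01 rootca01
issue subca01 rootca01 v3_ca
issue server01 subca01 v3_leaf
rm -f "$LAB/rootca01.key"      # the old root's private key is lost, as in the thread
new_root rootca02 rootca02     # replacement root: new name, new key pair
new_root rebuilt rootca01      # hypothetical: old name reused, but still a new key pair

for anchor in rootca01 rootca02 rebuilt; do
  if chain_ok "$anchor"; then echo "$anchor: chain OK"; else echo "$anchor: chain FAILS"; fi
done
```

Only the first anchor validates; moving to rootca02 therefore means issuing subca01 a new certificate from rootca02 and distributing rootca02 as a trusted root.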
