SSL certificates

Hi Experts,
I am new to SSL certificates and want to know: if my certificate has a chain of 3 levels under the root certificate, and say the second intermediate expires, does it invalidate the third level also? I mean, can I just request renewal of the second-level intermediate certificate, or do I request renewal of all the levels? Appreciate your answers.

Will Szymkowski, Senior Solution Architect, commented:
If your intermediate cert authority expires then so does your cert. You will need to get a new cert generated again if the intermediate has expired.

btan, Exec Consultant, commented:
Strictly speaking, if it is a single chain and any of the CAs in that one chain is invalid or not trusted, the check on the cert will also be invalid; in other words, it fails to establish the required SSL connection, etc.

But do note that renewing the CA certificate typically doesn't impact the PKI trust chain validation process that your PKI clients use for validating previously issued and newly issued certificates. We see certificates as invalid or not trusted if they meet certain conditions; in your context, some are listed below (also ref. from MS):
- The start and expiration dates are improper or expired.
- The certificate is listed as revoked in a published certificate revocation list.
- The issuing CA is not in either a trusted certification hierarchy or a CTL.
- The root CA for the certification path is not in the Trusted Root Certification Authorities store.
- The certificate is not permitted for the intended use as specified in a CTL.

However, if there is more than one chain of trust (yes, that is possible), then an expired CA certificate in the certification path need not invalidate the path, provided that the conditions above are not met. Multiple certificate chains exist if any of the CAs in the certificate path renews their certificates.
In each case, the renewal of a CA certificate will result in more than one certificate path being generated for the end certificate. For example, if the EastCA certificate was renewed with a new serial number of 57 using the same public/private key pair, and the IssuingCA certificate was renewed with a new serial number of B7 using a new public/private key pair, the following certificate chains could be generated for the User1 end certificate:
• CorpCA (serial #: A1) => EastCA (serial #: 46) => IssuingCA (serial #: B3) => User1 (serial #: B6)
• CorpCA (serial #: A1) => EastCA (serial #: 57) => IssuingCA (serial #: B3) => User1 (serial #: B6)
• CorpCA (serial #: A1) => EastCA (serial #: 46) => IssuingCA (serial #: B7) => User1 (serial #: B6)
• CorpCA (serial #: A1) => EastCA (serial #: 57) => IssuingCA (serial #: B7) => User1 (serial #: B6)

Only through the path validation process will the best chain be found for the User1 certificate.
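The following is an added illustration of the path-building and validation idea in the answer above; it is not code from either answer or from any PKI library. It models the CorpCA / EastCA / IssuingCA / User1 example as a constructed toy PKI (the key labels, expiry dates and trust-store contents are made up), builds every chain by issuer-name matching, and then filters the chains by expiry, signature key and trusted root. It shows why a renewal with the same key pair keeps old end certificates valid, while a renewal with a new key pair does not.

```python
from datetime import date

# Constructed toy PKI modelled on the CorpCA/EastCA/IssuingCA/User1 example.
# "key" labels the cert's own public key; "signed_by" labels the key that signed it.
CERTS = [
    dict(subject="CorpCA",    issuer="CorpCA",    serial="A1", key="corp-k1", signed_by="corp-k1", not_after=date(2035, 1, 1)),
    dict(subject="EastCA",    issuer="CorpCA",    serial="46", key="east-k1", signed_by="corp-k1", not_after=date(2016, 1, 1)),  # expired
    dict(subject="EastCA",    issuer="CorpCA",    serial="57", key="east-k1", signed_by="corp-k1", not_after=date(2030, 1, 1)),  # renewed, same key pair
    dict(subject="IssuingCA", issuer="EastCA",    serial="B3", key="iss-k1",  signed_by="east-k1", not_after=date(2028, 1, 1)),
    dict(subject="IssuingCA", issuer="EastCA",    serial="B7", key="iss-k2",  signed_by="east-k1", not_after=date(2030, 1, 1)),  # renewed, new key pair
    dict(subject="User1",     issuer="IssuingCA", serial="B6", key="user-k1", signed_by="iss-k1",  not_after=date(2025, 1, 1)),
]
TRUSTED_ROOTS = {"A1"}  # serials of self-signed roots in the (constructed) trust store


def candidate_chains(serial, certs):
    """Every chain from `serial` up to a self-signed cert, matched on issuer name only (no checks yet)."""
    cert = next(c for c in certs if c["serial"] == serial)
    if cert["subject"] == cert["issuer"]:
        return [[serial]]
    chains = []
    for issuer in certs:
        if issuer["subject"] == cert["issuer"] and issuer is not cert:
            chains += [[serial] + rest for rest in candidate_chains(issuer["serial"], certs)]
    return chains


def chain_problems(chain, certs, today):
    """Reasons a chain fails path validation: expiry, signature key mismatch, untrusted root. Empty == valid."""
    by_serial = {c["serial"]: c for c in certs}
    problems = []
    for i, serial in enumerate(chain):
        cert = by_serial[serial]
        issuer = by_serial[chain[i + 1]] if i + 1 < len(chain) else cert  # root signs itself
        if cert["not_after"] < today:
            problems.append(f"{cert['subject']} #{serial} expired")
        if cert["signed_by"] != issuer["key"]:
            problems.append(f"{cert['subject']} #{serial} not signed by {issuer['subject']} #{issuer['serial']}'s key")
    if chain[-1] not in TRUSTED_ROOTS:
        problems.append(f"root #{chain[-1]} not in trust store")
    return problems


def valid_chains(serial, certs, today):
    """The chains that survive path validation; a client needs at least one."""
    return [c for c in candidate_chains(serial, certs) if not chain_problems(c, certs, today)]


if __name__ == "__main__":
    for chain in candidate_chains("B6", CERTS):
        print(" <= ".join(chain), "|", chain_problems(chain, CERTS, date(2020, 1, 1)) or "VALID")
```

With the renewed EastCA #57 present, User1 still validates after EastCA #46 expires; remove the renewals and the same end certificate has no valid path, which is the single-chain case Will describes.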
