ADCS Installation (Part 11): Disabled AlternateSignatureAlgorithm and renewed SubCA certificate but it still has old SubCA certificate
Hello again, I have disabled the AlternateSignatureAlgorithm setting on both the offline root CA and the online issuing CA. I have renewed the SubCA certificate for the online issuing CA only. I have copied the latest CRL file from the offline root CA and dspublished it to the AD forest/domain. I have found out that the online issuing CA has two valid SubCA certificates now:

- MyOnlineCA_Server_Online-IssuingCA-01(1).crt (new, with AlternateSignatureAlgorithm disabled)
- MyOnlineCA_Server_Online-IssuingCA-01.crt (old, with AlternateSignatureAlgorithm enabled)

How can I remove the old SubCA certificate?

I have a similar situation for my user certificates too. I have retrieved a new certificate from the online issuing CA and the new certificate seems fine. But I still have the old user certificate. I believe that I can revoke the old certificate with "Superseded". Am I right? How do I revoke the old SubCA certificate?

Thanks,
SJJ123
February 9th, 2010 4:17pm

> How can I remove the old SubCA certificate?

You can remove it from AD using ADSIEdit.msc or using the pkiview.msc console. Locate your CA record in the Enrollment Services container and remove the particular certificate. Also you may have to remove the unused certificate from the AIA and NTAuthCertificates containers.

> I believe that I can revoke the old certificate with "Superseded".

Yes.

> How do I revoke the old SubCA certificate?

Revoke it from the parent CA and republish CRLs.

http://www.sysadmins.lv
February 9th, 2010 5:05pm
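An added example (not code from anyone in this thread) for checking which SubCA certificate versions are still published in the containers named above before removing one. It reads the cACertificate attribute of the objects under Enrollment Services and AIA and of the NTAuthCertificates object in the current forest's Configuration partition; it assumes a domain-joined host with read access to that partition, and changes nothing.

```powershell
# Added example, not from the thread: read-only inventory of CA certificates
# published in the AD PKI containers. Assumes the forest RootDSE is reachable.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Enrollment Services and AIA hold one child object per CA; NTAuthCertificates
# is a single object whose cACertificate attribute holds every trusted CA cert.
$targets = @(
    @{ Name = "Enrollment Services"; Path = "LDAP://CN=Enrollment Services,$pkiBase"; Children = $true  },
    @{ Name = "AIA";                 Path = "LDAP://CN=AIA,$pkiBase";                 Children = $true  },
    @{ Name = "NTAuthCertificates";  Path = "LDAP://CN=NTAuthCertificates,$pkiBase";  Children = $false }
)

function Get-PublishedCaCertificates {
    foreach ($t in $targets) {
        $container = [ADSI]$t.Path
        $objects = if ($t.Children) { $container.Children } else { @($container) }
        foreach ($obj in $objects) {
            # cACertificate is multi-valued: one DER blob per CA certificate version,
            # so a renewed CA shows up here twice until the old version is removed.
            foreach ($der in @($obj.Properties["cACertificate"])) {
                if (-not $der) { continue }
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$der)
                [pscustomobject]@{
                    Container  = $t.Name
                    Object     = $obj.Properties["cn"][0]
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    # A version issued with AlternateSignatureAlgorithm enabled is
                    # signed with RSASSA-PSS, so this column tells the two apart.
                    SigAlg     = $cert.SignatureAlgorithm.FriendlyName
                }
            }
        }
    }
}

Get-PublishedCaCertificates | Sort-Object Subject, NotAfter | Format-Table -AutoSize
```

Compare the Thumbprint column against the two .crt files on the issuing CA to see exactly which containers still carry the old version.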

Just to make sure... You realize that revoking the old SubCA certificate will result in all previously issued certificates signed by that CA certificate being revoked. This could cause huge issues for you.

There is no problem with the CA having both CA certificates in use.

If you renewed with a new key, there will be two CRLs published each time you publish an updated CRL or delta CRL (one for each CA certificate version).

Brian
February 9th, 2010 5:29pm

> This could cause huge issues for you.

I assume (based on previous posts) that not so many certificates have been issued. So if Autoenrollment is enabled, there is a way to redeploy them.

http://www.sysadmins.lv
February 9th, 2010 5:37pm

Hello Brian and Vadims, I have only issued 10 certificates on the online issuing CA:

- three User certificates for test purposes - manual
- four CA Exchange - automatic
- two web server certificates for the default online issuing CA website - manual
- one Basic EFS certificate - automatic

I assume that certificates issued automatically will be re-issued automatically too after revoking the SubCA certificate and re-publishing the CRL from the offline root CA. On the offline root CA, I should revoke the SubCA certificate with "Superseded". Am I right? I have renewed the SubCA certificate with a new key and I have not enabled/applied a GPO to perform Autoenrollment.

Thanks,
Shang
February 9th, 2010 5:55pm

> I assume that certificates issued automatically will be re-issued automatically too after revoking the SubCA certificate and re-publishing the CRL from the offline root CA.

If no autoenrollment/ACR policy is enabled, no certificates will be renewed automatically. But you should consider the delay between when the new CRL is published and when clients download it. This is because clients will use the previously cached CRL until it expires. Also keep in mind that you cannot renew existing certificates if they are revoked, because the renewal request is signed by the existing certificate.

> On the offline root CA, I should revoke the SubCA certificate with "Superseded". Am I right?

Yes. However, while your CA certificate is not compromised you may leave the SubCA certificate as is. In that case, if you wish to redeploy old certificates you will need to revoke them on the SubCA manually.

http://www.sysadmins.lv
February 9th, 2010 7:17pm

Hello Vadims, Thank you very much. As my CA is not compromised, I do not need to revoke the old SubCA certificate. May I assume that the default ADCS website http://servername/certsrv will serve the certificate requests from the new SubCA certificate by default?

Regards,
SJJ123
February 10th, 2010 5:40pm

> May I assume that the default ADCS website http://servername/certsrv will serve the certificate requests from the new SubCA certificate by default?

afaik, yes.

http://www.sysadmins.lv
February 11th, 2010 12:26am
