Can Microsoft Certificate Authority (2003) Delay Use of a Renewed CA Cert?
During a CA cert renewal with the same key material or new key material, can you postpone the use of that cert for a certain amount of time? Scenario: we currently use CERT1 and we renew the cert with CERT2 with the same key material. However, we want to continue to use CERT1 for an additional X months while other systems populate their trust chain with the public cert of CERT2 (Linux, Unix, applications, etc.). Same scenario, but CERT2 is new key material? I believe that Verisign allows for this, and I am not sure if Microsoft CA allows for it. Any help would be appreciated.
February 24th, 2010 12:07am

Once you renew, the CA will start using the new certificate for all future certificate signing. The CA still maintains the previous certificate (and key pair), so multiple CRLs are published at that point.

Is your CA a root CA or a subordinate CA? If it is a subordinate, then AIA chasing will build the proper chains (if configured correctly). If it is a root CA, then the renewal (if with a new key pair) generates two additional cross CA certs that would allow clients to build chains to the original trusted root CA (using AIA chasing again).

Brian
February 24th, 2010 2:04am

It is a subordinate CA, and it is configured correctly. I had a request from our ops team to see if the new cert (renewal) could be postponed. The vendor we had before we brought PKI in-house allowed for this functionality. I didn't think that MS CA allowed for this functionality, but figured if anyone knew a certutil/reg entry to allow for this it would be you. So I am taking it that 2003 doesn't allow for this. The Ops team will not like this, but there is nothing I can do at this point. There is a time gap to roll out the new public key to all environments that are not utilizing AD to get the published key from the configuration container, or applications that either have bad coding and have it built into their compiled code (don't get me started on this) or those applications that use their own keystores.
February 24th, 2010 4:07pm

This is a common issue when you have an integrated/heterogeneous environment. Be sure to include in your updates:
- Custom applications
- Java stores ***
- Each application that uses certificates on Unix/Linux machines

Also remember that when you install new SSL certs, include the entire chain. The root should be the same, but Firefox and Safari have a history of not doing AIA chasing.

Brian
February 24th, 2010 5:10pm
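The two replies above describe what the CA does after a renewal (every generation of the CA certificate is retained, with its own CRL) and what the admin has to do by hand for systems that do not read the new cert out of AD. The script below is an added example and is not code from the thread or from Microsoft: it exports each generation of the CA certificate by renewal index with certutil -ca.cert, shows whether a renewal reused the previous key pair (same public key) or introduced a new one, converts the newest one to PEM, and prints the import commands for the non-AD consumers the second reply lists. Assumptions: it runs in an elevated PowerShell on the CA server itself, certutil.exe is on the PATH, the output directory, keystore path and alias names are placeholders you choose, and the renewal index runs from 0 (original certificate) upward.

```powershell
# Added example, not from the original thread. Enumerate every generation of an
# AD CS CA certificate on the CA server and prepare the newest for manual
# distribution to non-AD trust stores (Linux/Unix, Java keystores).
param(
    [string]$OutDir = "C:\Temp\CACerts"   # assumed scratch directory
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# certutil -ca.cert <file> [index] exports the CA certificate for one renewal
# index (0 = original cert, 1 = first renewal, ...). -f overwrites existing
# files. Stop at the first index certutil cannot export; 20 is a safety cap.
$certs = @()
for ($i = 0; $i -lt 20; $i++) {
    $der = Join-Path $OutDir ("ca-cert-{0}.cer" -f $i)
    & certutil.exe -f -ca.cert $der $i | Out-Null
    if ($LASTEXITCODE -ne 0) { break }

    # Base64 (PEM) copy for Linux trust stores and keytool.
    $pem = Join-Path $OutDir ("ca-cert-{0}.pem" -f $i)
    & certutil.exe -f -encode $der $pem | Out-Null

    $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $der
}

if ($certs.Count -eq 0) { throw "certutil exported no CA certificate; is this the CA server?" }

# Report each generation. A renewal with the same key material has an
# identical public key to its predecessor; a new key pair means relying
# parties must trust the new certificate itself, not just a refreshed copy.
$prevKey = $null
$report = foreach ($idx in 0..($certs.Count - 1)) {
    $c   = $certs[$idx]
    $key = $c.GetPublicKeyString()
    [pscustomobject]@{
        Index             = $idx
        Thumbprint        = $c.Thumbprint
        NotBefore         = $c.NotBefore
        NotAfter          = $c.NotAfter
        SameKeyAsPrevious = if ($null -ne $prevKey) { $key -eq $prevKey } else { 'n/a' }
    }
    $prevKey = $key
}
$report | Format-Table -AutoSize

# Newest generation: also export its full chain as PKCS#7 so server SSL
# deployments can install the entire chain (clients that do not AIA-chase).
$newest = $certs.Count - 1
& certutil.exe -f -ca.chain (Join-Path $OutDir "ca-chain-$newest.p7b") $newest | Out-Null

# Commands for the consumers that do not learn the new cert from AD.
# Alias and keystore path are placeholders (assumptions).
@"
Distribute ca-cert-$newest.pem from $OutDir to non-AD consumers, e.g.:
  # Java keystore (use a new alias; keytool refuses to overwrite an existing one):
  keytool -importcert -trustcacerts -noprompt -alias issuingca-$newest -file ca-cert-$newest.pem -keystore /path/to/cacerts
  # Debian/Ubuntu system trust store:
  sudo cp ca-cert-$newest.pem /usr/local/share/ca-certificates/issuingca-$newest.crt && sudo update-ca-certificates
  # RHEL/CentOS system trust store:
  sudo cp ca-cert-$newest.pem /etc/pki/ca-trust/source/anchors/ && sudo update-ca-trust
"@
```

Run it before the renewal once to record the current generation, and again afterwards; the SameKeyAsPrevious column on the new row tells you which of the two cases in the question you are in. Applications with their own keystores still need the new PEM pushed to them either way, which is the gap the original poster describes.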
