How to renew Subordinate Certificate Authority certificate?

We have a 2003 three-tier PKI. I would like to renew the issuing (aka level three) servers' certificates, since they only have (for example) 6 months left, and I want to issue 1-year-long certificates. I know I can just go to the MMC and renew the certificate, but do I renew with the same key or a new key? Also, will that affect the CRLs, and will I have to do anything else?

March 23rd, 2012 9:28am
It depends on various factors. When you renew a CA certificate you will be asked whether you want to generate a new key pair or use the existing one. Also, there is information about scenarios when you need to renew with existing key pair:
1) CA keys are compromised
2) you want to reduce CRL size
3) you want to use different keys (for example, increase or reduce key length).
Yes, since you are using an offline Policy CA, you will have to manually submit the renewal request (which is generated in the system drive root by default) and install the issued certificate by using the MMC snap-in or the 'certutil -installcert' command.

My weblog:
http://en-us.sysadmins.lv

PowerShell PKI Module:
http://pspki.codeplex.com

Windows PKI reference:
on TechNet wiki

March 23rd, 2012 9:49am
For revocation checking purposes, I usually recommend renewing with a new key pair. But before doing that, make sure that you have versioning information in your AIA and CDP URLs. If you used the default names for certificates %1_%3%4.crt and %3%8%9.crl for HTTP URLs, then you are fine. If not, fix those URLs **PRIOR** to renewing.
Brian

March 23rd, 2012 10:43am
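
One way to run the pre-renewal check described in the last reply, as an added example that is not part of the original thread: it scans CDP and AIA entries for HTTP URLs that lack the versioning variable. The function name, host name and sample entries are constructed; the meanings of `%4` and `%8` and of the `0x20` OCSP flag are standard Windows CA configuration details, not taken from the thread.

```powershell
# Added example, not from the thread. Entries use the "<flags>:<template>" form
# printed by `certutil -getreg CA\CRLPublicationURLs` / `CA\CACertPublicationURLs`.
function Test-CaUrlVersioning {
    param(
        [Parameter(Mandatory)][ValidateSet('CDP', 'AIA')][string]$Kind,
        [Parameter(Mandatory)][string[]]$Entry
    )
    # %8 (CRL name suffix) and %4 (certificate name suffix) change when the CA
    # is renewed with a new key, so each key gets its own .crl / .crt file name.
    $token = if ($Kind -eq 'CDP') { '%8' } else { '%4' }

    foreach ($e in $Entry) {
        if ($e -match '^(?<flags>\d+):(?<template>.+)$') {
            $flags    = [int]$Matches['flags']
            $template = $Matches['template']

            $status = if ($template -notmatch '^https?://') {
                'NotHttp'        # local path, ldap, ...: outside this check
            } elseif ($Kind -eq 'AIA' -and ($flags -band 0x20)) {
                'OcspUrl'        # responder URL, not a file name
            } elseif ($template.Contains($token)) {
                'Versioned'
            } else {
                'MissingToken'   # fix this URL before renewing with a new key
            }
            [pscustomobject]@{ Kind = $Kind; Status = $status; Template = $template }
        } else {
            Write-Warning "Unparseable entry skipped: $e"
        }
    }
}

# Constructed sample values; pki.example.test and IssuingCA are placeholders.
$cdp = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '6:http://pki.example.test/CertEnroll/%3%8%9.crl',
    '2:http://pki.example.test/crl/IssuingCA.crl'
)
$aia = @(
    '2:http://pki.example.test/CertEnroll/%1_%3%4.crt',
    '2:http://pki.example.test/aia/IssuingCA.crt',
    '32:http://ocsp.example.test/ocsp'
)

Test-CaUrlVersioning -Kind CDP -Entry $cdp | Format-Table -AutoSize
Test-CaUrlVersioning -Kind AIA -Entry $aia | Format-Table -AutoSize
```

With the sample data, the two hard-coded `IssuingCA` URLs are reported as `MissingToken`; every other entry is `Versioned`, `NotHttp` or `OcspUrl`.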

This topic is archived. No further replies will be accepted.