How to validate cert chain after root ca renewal
Hi
When renewing the root CA and all the underlying CAs, how will you be able to verify the old previous cert chain if the CRL is signed with new keys? How does this work?
January 19th, 2010 1:24pm

This is done through the use of a pair of cross-CA certificates that are automatically issued when renewing a CA with a new key pair.
http://technet.microsoft.com/en-us/library/dd299893(WS.10).aspx
Paul Adare CTO IdentIT Inc. ILM MVP
January 19th, 2010 1:33pm

Ok, thanks.
Edit: rephrased.
My CDP/AIA looks like this:

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap://%myLDAPserver%/CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:%myhttpPKIvroot%/%%3%%8%%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap://%myLDAPserver%/CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:%myhttpPKIvroot%/%%1_%%3%%4.crt"

Will the %8 in the CDP automatically ensure a "new" name for the CRLs when a new CA cert (with new keys) has been issued?
Also, am I missing a %8 in the AIA, or how will I stop my new CA cert from overwriting the old CA cert?
Btw this is all 2003.
January 19th, 2010 3:46pm

You don't need a new name for the CRLs. %8 only applies to CRLs, not certs. The corresponding value for certs is %4. Any cert generated by renewing with a new key pair will have "(n)", where "n" is a number that increments for each renewal, appended to the left of the "." in the file name. That's what the %4 does.
Paul Adare CTO IdentIT Inc. ILM MVP
January 19th, 2010 5:15pm
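To make the %4 / %8 behaviour from the two posts above concrete, here is a small added model (not code from the thread or from certutil itself) that expands the HTTP-path templates quoted in the question for a sequence of CA renewals. It assumes certutil's documented token numbering (%1 ServerDNSName, %3 CaName, %4 CertificateName, %8 CRLNameSuffix, %9 DeltaCRLAllowed), that the certificate index grows on every renewal while the key index grows only when a new key pair is generated, and uses constructed host and CA names; the doubled %% in the post is treated as batch-file escaping for a literal %.

```python
import re
from dataclasses import dataclass

# Constructed sample values (not from the thread).
SERVER = "ca01.example.test"
CA_NAME = "Corp Issuing CA"
AIA_TEMPLATE = "%%1_%%3%%4.crt"   # http AIA path from the question
CDP_TEMPLATE = "%%3%%8%%9.crl"    # http CDP path from the question


@dataclass(frozen=True)
class CaCert:
    cert_index: int  # incremented on every renewal (certutil's CA cert[n])
    key_index: int   # incremented only when the renewal generates a new key pair


def cert_suffix(c: CaCert) -> str:
    """%4 (CertificateName): '' for cert[0], '(n)' for the n-th renewed cert."""
    return "" if c.cert_index == 0 else f"({c.cert_index})"


def crl_suffix(c: CaCert) -> str:
    """%8 (CRLNameSuffix): '' for key[0], '(n)' for the n-th key; a same-key
    renewal keeps signing the same CRL, so the CRL name does not change."""
    return "" if c.key_index == 0 else f"({c.key_index})"


def expand(template: str, c: CaCert, server: str, ca_name: str, delta: bool = False) -> str:
    """Expand the %-tokens a file/http publication URL uses for one CA cert.
    Tokens this model does not cover (ldap ones such as %6, %10) are left intact."""
    tokens = {1: server, 3: ca_name, 4: cert_suffix(c), 8: crl_suffix(c),
              9: "+" if delta else ""}  # %9 marks a delta CRL
    text = template.replace("%%", "%")  # batch-file escaping in the post
    return re.sub(r"%(\d+)", lambda m: tokens.get(int(m.group(1)), m.group(0)), text)


def renewal_history(new_key_flags):
    """CA certs produced by successive renewals; True = renewed with a new key."""
    certs = [CaCert(0, 0)]
    for new_key in new_key_flags:
        prev = certs[-1]
        certs.append(CaCert(prev.cert_index + 1,
                            prev.key_index + 1 if new_key else prev.key_index))
    return certs


def published_names(new_key_flags, server=SERVER, ca_name=CA_NAME):
    """(AIA file, CRL file) per CA cert: AIA names never collide, CRL names only
    change when the signing key changes, which is the point of the answer above."""
    return [(expand(AIA_TEMPLATE, c, server, ca_name), expand(CDP_TEMPLATE, c, server, ca_name))
            for c in renewal_history(new_key_flags)]


if __name__ == "__main__":
    for aia, crl in published_names([False, True]):
        print(f"{aia:45} {crl}")
```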

Does the cross-ca certificate issuance only apply when renewing a root CA? I will be renewing an issuing CA, will there still be cross certificates? Thanks.
February 4th, 2012 3:50pm
