Lifecycle of issuing CA
Hi,

We are currently in the process of developing a 2-tier PKI. The issuing CAs will have a lifetime of 7 years and will issue end-entity certificates with a lifetime of 3 years. My question is: is there a way to do an in-place renewal of the CA keys and certificate when the 7 years are over, and in such a way that we can still revoke certificates signed by the old CA keys and generate CRLs?

John Gordijn
April 23rd, 2010 8:48am

Renewing a CA's certificate does not prevent you from being able to revoke certificates, nor does it prevent you from publishing new CRLs that relying parties attempting to validate a certificate issued prior to the renewal can use.

When renewing a CA certificate you have two options: one is to use the same key pair when renewing, the other is to use a new key pair when renewing. In the case of the former, nothing will have changed. In the case of the latter, 2 CrossCA certificates will be issued along with the new CA certificate. The two CrossCA certificates allow chain validation to occur regardless of which CA certificate was used to sign the certificate being validated.

One additional comment here is that you don't want to wait until the 7 years are up to renew. A Microsoft CA cannot issue a certificate whose lifetime is more than the lifetime remaining on its certificate. Once your CA's certificate is over 4 years old, your end-entity certificates will not have a 3 year validity period. You're going to want to renew your CA certificate no later than 1/2 of its lifetime.

Paul Adare CTO IdentIT Inc. ILM MVP
April 23rd, 2010 9:31am
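The planning rule in the answer above (an issuing CA never grants more lifetime than it has left, so a 7-year CA serving 3-year certificates must be renewed by its 4-year mark) is easy to get wrong on a calendar. The following is an added example, not code from the thread or from any Microsoft tool; it models that truncation rule with the standard library only, using constructed dates, so you can check a renewal schedule before the CA itself starts silently shortening end-entity certificates.

```python
from datetime import date, timedelta

# Constructed planning figures taken from the thread: a 7-year issuing CA
# certificate and 3-year end-entity (EE) certificates.
CA_LIFETIME_YEARS = 7
EE_LIFETIME_YEARS = 3


def add_years(d: date, years: int) -> date:
    """Move a date forward (or back, for negative years) by whole years.
    Feb 29 folds to Feb 28 when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def ee_not_after(ca_not_after: date, issue_date: date, requested_years: int) -> date:
    """NotAfter the CA will actually put on an EE certificate: the requested
    period, capped at the CA certificate's own expiry (the rule described in
    the answer). Issuance after CA expiry is refused outright."""
    if issue_date >= ca_not_after:
        raise ValueError("issuing CA certificate has expired; it cannot issue")
    requested_end = add_years(issue_date, requested_years)
    return min(requested_end, ca_not_after)


def is_truncated(ca_not_after: date, issue_date: date, requested_years: int) -> bool:
    """True when the EE certificate would come out shorter than requested."""
    return ee_not_after(ca_not_after, issue_date, requested_years) < add_years(
        issue_date, requested_years
    )


def renewal_plan(ca_not_before: date, ca_lifetime_years: int, ee_years: int) -> dict:
    """Key dates for scheduling the CA renewal.

    deadline  - last day on which a full-length EE certificate can still be
                issued (CA expiry minus the EE lifetime); after this, every
                EE certificate is truncated.
    half_life - the midpoint the answer recommends renewing by, which always
                precedes the deadline while EE lifetime < half the CA lifetime.
    """
    ca_not_after = add_years(ca_not_before, ca_lifetime_years)
    total_days = (ca_not_after - ca_not_before).days
    half_life = ca_not_before + timedelta(days=total_days // 2)
    return {
        "ca_not_before": ca_not_before,
        "ca_not_after": ca_not_after,
        "deadline": add_years(ca_not_after, -ee_years),
        "half_life": half_life,
    }


if __name__ == "__main__":
    # Constructed example: issuing CA certificate dated to the thread.
    plan = renewal_plan(date(2010, 4, 23), CA_LIFETIME_YEARS, EE_LIFETIME_YEARS)
    for k, v in plan.items():
        print(f"{k:14} {v}")
    print()
    # Show what EE certificates look like when issued at yearly intervals.
    for year in range(2010, 2018):
        issue = date(year, 6, 1)
        try:
            end = ee_not_after(plan["ca_not_after"], issue, EE_LIFETIME_YEARS)
            flag = "TRUNCATED" if is_truncated(plan["ca_not_after"], issue, EE_LIFETIME_YEARS) else "ok"
            print(f"issued {issue}  notAfter {end}  {flag}")
        except ValueError as exc:
            print(f"issued {issue}  refused: {exc}")
```

Run it as a script to print the schedule; the "deadline" line is the date to put on the operations calendar, and the "half_life" line is the earlier date the answer recommends so there is slack for the CrossCA certificates and the new CA certificate to be published in the AIA location before anything is truncated.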

Hi Paul,

Thank you for your answer. Things have become much clearer now. Regarding the new CA certificate: do I have to publish both CA certificates in the AIA location, or is only the new one enough?

Kind regards,
John
April 23rd, 2010 3:13pm

The original one should already be there; only the new one needs to be published after renewal (and the CrossCA certs if renewing with a new key).

Paul Adare CTO IdentIT Inc. ILM MVP
April 23rd, 2010 3:21pm
