Renew Issuing CA Cert - New Key Pair
Greetings, I have inherited a working Windows 2003 two-tier PKI topology - an offline Root CA and two online Enterprise issuing CA's. Here's the issue: the two issuing CA's have 10 year certs on them, and they're going to expire soon, in less than a year. I know the best practice is to renew them much sooner, but like I said, I've inherited this system. Since the issuing CA's have 10 year certs on them, and this is the first time they've been renewed, I feel it's best to generate a new key pair upon renewal. My questions are:

* Will generating the new key pair affect any of the existing certificates that were issued by the CA's (i.e. cause them not to work - invalidate them)?
* I know generating a new key pair will also create a new CRL distribution point, and possibly a new Subject Key Identifier - is there anything else?
* The existing Issuing CA certs are 1024-bit - I would like to increase them to 2048-bit; has anyone run into compatibility issues here? I know there are some older appliances that can't handle the longer key length, but I don't believe we have any in our environment.

Thank you, MrT
August 22nd, 2012 10:15am

> Will generating the new key pair affect any of the existing certificates that were issued by the CA's (i.e. cause them not to work - invalidate them)?

No. Existing certificates will be valid until they expire.

> I know generating a new key pair will also create a new CRL distribution point, and possibly a new Subject Key Identifier - is there anything else?

It depends. If you have the default CDP and AIA extension configuration, then everything should work normally. A common mistake is a custom AIA extension that does not include the <CertificateName> variable and a CDP that does not include the <CRLNameSuffix> variable. This causes the previous CRLs and CA certificate files to be overwritten by the new files, and existing certificates become invalid.

> The existing Issuing CA certs are 1024-bit - I would like to increase them to 2048-bit, has anyone ran into compatibility issues here? I know there are some older appliances that can't handle the longer key length, but I don't believe we have any in our environment.

I don't know of any application that can't handle 2048-bit keys. Yes, there are a few applications that do not support longer keys, but 2048 definitely must be supported.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
August 22nd, 2012 11:12am
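The <CertificateName> and <CRLNameSuffix> point above is worth checking before the renewal rather than after. The script below is an added example, not part of this thread and not code from the PSPKI module: it reads the CA's CDP and AIA publication URL templates (the `CRLPublicationURLs` and `CACertPublicationURLs` registry values under the CertSvc configuration key) and flags any template that is published to or embedded in issued certificates but lacks the substitution variable that keeps old and new files apart (`%8` = <CRLNameSuffix>, `%4` = <CertificateName>). The sample entries are constructed, and `$CAName` is a placeholder for the CA's own common name.

```powershell
# Added example: audit ADCS publication URL templates before renewing the CA with a new key pair.
# Entry format in the registry is "flags:URL"; flag bit 1 = CA publishes to this location,
# flag bit 2 = URL is written into the CDP / AIA extension of issued certificates.
# %4 expands to <CertificateName> (e.g. "(1)" after the first renewal), %8 to <CRLNameSuffix>.
# Without them the renewed CA cert / CRL is published over the old file name.

function Test-CaPublicationUrls {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Entries,
        [Parameter(Mandatory = $true)] [ValidateSet('CDP', 'AIA')] [string] $Kind
    )
    if ($Kind -eq 'CDP') { $required = '%8'; $requiredName = '<CRLNameSuffix>' }
    else                 { $required = '%4'; $requiredName = '<CertificateName>' }

    foreach ($entry in $Entries) {
        if ($entry -notmatch '^(\d+):(.+)$') { continue }
        $flags   = [int]$Matches[1]
        $url     = $Matches[2]
        $publish = (($flags -band 1) -ne 0)
        $inCerts = (($flags -band 2) -ne 0)
        if (-not ($publish -or $inCerts)) { continue }   # template is not used anywhere

        # The AD AIA object holds every CA certificate in one multi-valued attribute,
        # so the default LDAP AIA template legitimately has no %4. LDAP CDP entries
        # are one object per CRL and still need %8.
        if ($Kind -eq 'AIA' -and $url -like 'ldap:*') {
            $status = 'OK (AD object is multi-valued)'
        } elseif ($url.Contains($required)) {
            $status = 'OK'
        } else {
            $status = "MISSING $requiredName ($required)"
        }

        New-Object PSObject -Property @{
            Kind    = $Kind
            Flags   = $flags
            Url     = $url
            Publish = $publish
            InCerts = $inCerts
            Status  = $status
        }
    }
}

# Constructed sample: a custom configuration that drops the variables (the failure mode
# described in the thread) next to the default templates that keep them.
$customCdp = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3.crl',      # published, no %8
    '6:http://pki.example.com/pki/%3.crl'                     # in issued certs, no %8
)
$customAia = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%3.crt',       # published, no %4
    '2:http://pki.example.com/pki/%3.crt'                     # in issued certs, no %4
)
$defaultCdp = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    '6:http://%1/CertEnroll/%3%8%9.crl'
)
$defaultAia = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    '2:http://%1/CertEnroll/%1_%3%4.crt'
)

Test-CaPublicationUrls -Entries ($customCdp + $defaultCdp) -Kind CDP |
    Select-Object Kind, Flags, Status, Url | Format-Table -AutoSize
Test-CaPublicationUrls -Entries ($customAia + $defaultAia) -Kind AIA |
    Select-Object Kind, Flags, Status, Url | Format-Table -AutoSize

# Live check on the issuing CA itself ($CAName is a placeholder for your CA's common name):
# $cfg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
# Test-CaPublicationUrls -Entries $cfg.CRLPublicationURLs    -Kind CDP
# Test-CaPublicationUrls -Entries $cfg.CACertPublicationURLs -Kind AIA
```

Any row reporting MISSING means the renewed CA certificate or CRL would be written over the file the existing certificates point at; fix the template (and restart the CA service) before renewing, so both generations of CRLs and CA certificates stay available at their own URLs until the old certificates expire.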


Vadims, Thank you for your swift response; it was very helpful. I have two other questions, one regarding Windows client machines, and one regarding Linux:

When I renew the Issuing CA cert with a new key pair, how will it affect the certificate store on my domain joined Windows machines? For example, certmgr.msc -> "Intermediate Certification Authorities\Certificates" - right now I have the Issuing CA cert there, but when I renew it, will it update the local store automatically (autoenroll)?

What about Linux servers that have the Issuing CA cert installed - after I renew it with a new key pair, will they have to manually remove the old CA cert and replace it with the new? I assume the Linux servers don't have an auto-enrollment feature?

Thank you again, MrT
August 24th, 2012 10:46am

1) When you renew an Enterprise CA certificate, it is automatically published to Active Directory and domain clients will automatically retrieve and install the renewed CA certificate.

2) If Linux clients can access the Authority Information Access URLs in issued certificates to build the certificate chain, then it is not necessary to install the renewed CA certificate on the clients. Consult the Linux documentation to determine whether they require manual intermediate CA certificate installation.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
August 25th, 2012 7:19am

