Renew Issuing CA Cert - New Key Pair
Greetings,

I have inherited a working Windows 2003 two-tier PKI topology - an offline Root CA and two online Enterprise issuing CAs. Here's the issue: the two issuing CAs have 10 year certs on them, and they're going to expire soon, in less than a year. I know the best practice is to renew them much sooner, but like I said, I've inherited this system. Since the issuing CAs have 10 year certs on them, and this is the first time they've been renewed, I feel it's best to generate a new key pair upon renewal. My questions are:

* Will generating the new key pair affect any of the existing certificates that were issued by the CAs (i.e. cause them not to work - invalidate them)?
* I know generating a new key pair will also create a new CRL distribution point, and possibly a new Subject Key Identifier - is there anything else?
* The existing Issuing CA certs are 1024-bit - I would like to increase them to 2048-bit; has anyone run into compatibility issues here? I know there are some older appliances that can't handle the longer key length, but I don't believe we have any in our environment.

Thank you,
MrT
August 22nd, 2012 10:09am

Vadims,

Thank you for your swift response; it was very helpful. I have two other questions, one regarding Windows client machines, and one regarding Linux:

When I renew the Issuing CA cert with a new key pair, how will it affect the certificate store on my domain joined Windows machines? For example, certmgr.msc -> "Intermediate Certification Authorities\Certificates" - right now I have the Issuing CA cert there, but when I renew it, will it update the local store automatically (autoenroll)?

What about Linux servers that have the Issuing CA cert installed - after I renew it with a new key pair, will they have to manually remove the old CA cert and replace it with the new one? I assume the Linux servers don't have an auto-enrollment feature?

Thank you again,
MrT
August 24th, 2012 10:43am
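As an added example (not posted in this thread), the following PowerShell inventories the Issuing CA certificates held in a domain member's "Intermediate Certification Authorities" store (old and renewed CA certs will both show up there, distinguishable by thumbprint, Subject Key Identifier and key size) and then builds the chain for one issued certificate to see which CA cert and CRL distribution point it actually resolves to. The subject pattern and leaf thumbprint are placeholders to be replaced with your own values; it needs .NET Framework 4.6 or later for the RSA key-size call.

```powershell
# Added example, not from the thread. Assumptions: the issuing CA subject contains
# "Issuing CA" (placeholder) and a leaf cert issued by it is picked by thumbprint.
$issuerPattern  = 'Issuing CA'                # placeholder: your CA's subject name
$leafThumbprint = 'REPLACE_WITH_THUMBPRINT'   # placeholder: a cert issued by that CA

# Return the formatted value of an X.509 extension by OID, or '' if absent.
function Get-ExtValue($cert, $oid) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { $ext.Format($false) } else { '' }
}

# Cert:\LocalMachine\CA is the "Intermediate Certification Authorities" store.
# OIDs: 2.5.29.14 = Subject Key Identifier, 2.5.29.31 = CRL Distribution Points,
#       2.5.29.35 = Authority Key Identifier
Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -match $issuerPattern } |
    ForEach-Object {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            KeyBits    = if ($rsa) { $rsa.KeySize } else { 'non-RSA' }
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
            SKI        = Get-ExtValue $_ '2.5.29.14'
            CrlDp      = Get-ExtValue $_ '2.5.29.31'
        }
    } | Format-List

# Build the chain for one issued certificate and report which CA certs were used.
$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $leafThumbprint }
if ($leaf) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # also exercises the CRL distribution point
    $ok = $chain.Build($leaf)
    "Chain valid: $ok"
    $chain.ChainElements | ForEach-Object {
        "{0}  AKI=[{1}]  SKI=[{2}]" -f $_.Certificate.Subject,
            (Get-ExtValue $_.Certificate '2.5.29.35'),
            (Get-ExtValue $_.Certificate '2.5.29.14')
    }
    # Any non-empty status (e.g. RevocationStatusUnknown) points at a CRL or store problem.
    $chain.ChainStatus | ForEach-Object { "Status: $($_.Status) - $($_.StatusInformation)" }
}
```

Run it on a member machine before and after the renewal: a leaf whose AKI matches the old CA cert's SKI keeps chaining to the old CA cert, so that cert (and its CRL) must stay available until the last certificate it issued has expired.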
