Can anyone tell me what the best procedure is for replacing a subordinate certificate. I have a offline root CA, on windows 2008 R2 machine. I also have a "online" subordinate CA, also running 2008 R2. Here is my problem: I created a certificate for the subordinate CA, on the offline Root CA server, using a request file. I however forgot to modify / add the CDP extention URL's (and AIA URL's). So I guess the question is, do I change the CDP and AIA extention URL's and issue a new certificate for the subordinate CA server, and replace the current certificate. Or do I have to scrap the subordinate server, uninstall ADCS and install it again? I would realy like to just replace the current certificate on the Subordinate CA, but I don't know the best procedur to do so. Can anyone help?Best regards, Bjorn Moritz

you need to renew Issuing CA certificate. In the CertSrv.msc MMC snap-in choose Renew CA Certificiate. This will generate certificate request file (by default in system drive root). You will have to submit this request to root CA, issue certificate and install it back to issuing CA.http://en-us.sysadmins.lv

Thank you Vadims. I allready uninstalled ADCS and deleted all (those few) certs that I had created and started from the top. But I'll remember your answare for next time :)Best regards, Bjorn Moritz