Channel: Security forum

Extend root and subordinate CA validity period by renewing their certs with the same key pair


Scenario: Standalone root CA validity is set for 10 years, and subordinate enterprise CA validity set for 5 years. Due to a change in requirements, we need to change the enterprise CA validity to 10 years, and the root CA validity to 20 years.

Based on what I've read, I understand that this can be done with minimal impact to clients by renewing the root and subordinate enterprise CAs with their existing public/private key pair, and specifying the new validity periods during the renewal process.

Questions:

  1. When I initially set up the standalone root CA, I used certutil -dspublish to publish the root CA cert to AD, so that it would be pushed to the trusted cert store of all domain clients. If renewing root CA with same key pair, do I need to use certutil -dspublish to republish the new root CA cert to AD?
  2. If renewing subordinate enterprise CA with same key pair, will clients have 2 enterprise CA certs in their trusted root stores - one cert from before the renewal, and one cert from after renewal?
  3. I will need to overwrite the AIA crt locations for both root and subordinate enterprise CA with the newly renewed certs, correct?
  4. Renewing with same key pair should have no impact on existing or new CRLs, since the same private key is being used to sign the CRL before and after renewal, correct?
  5. I had distributed the root CA and subordinate enterprise CA certs for configuration within our MDM solution. Would I need to redistribute the new certs after renewal to the MDM solution, or would it automatically pick up the new certs from the new AIA location?
  6. Do you know of a good step-by-step guide for the process to renew a root and subordinate CA certificate with the same key pair and extend the validity period of the CAs?

Thanks in advance for your help!

Regards,

Mario

