Re: Win2003 CA Cert Renewal

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 10/01/04


Date: Fri, 1 Oct 2004 23:17:12 +0200

Hi,

If you renew the CA certificate it will use the new key as well as any
unexpired previous keys corresponding to previous certificates when
generating revocation information (CRLs). Therefore, a CA may be using
multiple keys at the same time and will publish multiple CRLs corresponding
to those keys.

So, you may continue to use existing keys that are distributed to your
users/clients until they expire...

For additional information check out these resources:

Windows Server 2003 PKI Operations Guide
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx

Implementing and Administering Certificate Templates in Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx

Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
Infrastructure
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

PKI Enhancements in Windows XP Professional and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx

Managing a Windows Server 2003 Public Key Infrastructure
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx

Advanced Certificate Enrollment and Management
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

Mike

"MC" <anonymous@discussions.microsoft.com> wrote in message
news:0cb201c4a7f3$216b7b00$a501280a@phx.gbl...
> Hi,
>
> Windows Server 2003 Certification Authority
> Windows XP SP1 Clients
> 2 CAs: RootCA offline, Subordinate enterprise CA (signed
> by RootCA)
>
>
> What will happen if I renew the Certificate of my
> Enterprise subordinate CA?
> Do I have to renew all client certificates (e.g. stored
> on smart cards for windows logon or s/mime encryption) at
> the same time?
>
> Is there any way that the user certificates on smart
> cards renew automatically their certificates and private
> keys?
>
> Thanks for answers.
>
>
>
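The behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model of a CA that publishes one CRL per unexpired CA key, and of a client that checks each certificate against the CRL signed by the same key. The class names, key ids, serial numbers and dates are constructed for illustration; key ids stand in for Authority Key Identifier matching and no signatures are verified.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class CaCert:              # one CA certificate per CA key (constructed model)
    key_id: str            # stands in for the Subject Key Identifier
    not_after: date

@dataclass(frozen=True)
class IssuedCert:
    serial: int
    authority_key_id: str  # key_id of the CA key that signed this certificate
    not_after: date

@dataclass(frozen=True)
class Crl:
    authority_key_id: str  # key_id of the CA key that signed this CRL
    revoked: frozenset

def crls_to_publish(ca_certs, revoked_by_key, today):
    """One CRL per CA key whose CA certificate has not expired."""
    return [Crl(c.key_id, frozenset(revoked_by_key.get(c.key_id, ())))
            for c in ca_certs if c.not_after >= today]

def status(cert, crls, today):
    """Check a certificate against the CRL signed by the same CA key."""
    if cert.not_after < today:
        return "expired"
    crl = next((c for c in crls if c.authority_key_id == cert.authority_key_id), None)
    if crl is None:
        return "no-crl"    # revocation status cannot be determined
    return "revoked" if cert.serial in crl.revoked else "good"

# Constructed sample data: the CA was renewed with a new key ("key1").
CA_CERTS = [CaCert("key0", date(2006, 1, 1)), CaCert("key1", date(2009, 10, 1))]
REVOKED = {"key0": {1002}, "key1": {2001}}
OLD_CARD = IssuedCert(1001, "key0", date(2005, 6, 1))     # issued before renewal
OLD_REVOKED = IssuedCert(1002, "key0", date(2005, 6, 1))  # revoked, old key
NEW_CARD = IssuedCert(2002, "key1", date(2007, 1, 1))     # issued after renewal

def demo(today):
    crls = crls_to_publish(CA_CERTS, REVOKED, today)
    return ([c.authority_key_id for c in crls],
            [status(c, crls, today) for c in (OLD_CARD, OLD_REVOKED, NEW_CARD)])

if __name__ == "__main__":
    print(demo(date(2004, 11, 1)))  # both CA keys active: two CRLs
    print(demo(date(2006, 6, 1)))   # old CA certificate expired: one CRL
```

In the first run the certificate issued before the renewal still validates against the old key's CRL, which is why existing client certificates do not have to be reissued at renewal time.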


