Re: root ca renewal key length change



On Jul 10, 2:05 pm, ritchie1...@xxxxxxxxx wrote:
On Jul 9, 11:42 am, Brian Komar <bkom...@xxxxxxxxxxxxxxxxx> wrote:





On Mon, 09 Jul 2007 06:58:19 -0700, ritchie1...@xxxxxxxxx wrote:
On Jul 7, 9:38 pm, Brian Komar <bkom...@xxxxxxxxxxxxxxxxx> wrote:
Answers inline...

On Sat, 07 Jul 2007 15:29:26 -0700, ritchie1...@xxxxxxxxx wrote:
Hello,

I recently installed a certification authority (windows server 2003 R2
SP2) consisting of a standalone root ca and one enterprise subordinate
issuing ca.

I installed the root ca with a private/public key length of RSA 4096
bits and would like to change it to RSA 2048 bits.

I understand that I could change it by changing the value in the
CAPolicy.inf RenewalKeyLength=2048 (from 4096) and performing a
renewal of the root ca.

Yes, this is the *only* way to do it, short of reinstalling the entire CA
hierarchy (new root CA, and new issuing CA).

I would like to know if this can be achieved by renewing the root ca
with the same key, or do I have to choose a new key.

OK.... Think about this one carefully. You want to change to a 2048 bit
key... And you want to use the same 4096 bit key to accomplish this... And
this will work because....
Seriously, the answer is no. You cannot create a 2048 bit key out of an
existing 4096 bit key.

Secondly, if I need to choose a new key, do I have to renew my issuing
certification authority and request a new certificate from the root.

If you are doing this because certain apps are failing due to inability to
recognize the 4096 bit root CA (Java, Cisco VPN 3000, Nortel Contivity are
common culprits), you will have to renew the issuing CA certificate, and
then request new certificates for *all* clients (users and machine).

Thanks,

No Problem.

Thank you for your response,

I have another question regarding the renewal at the Issuing CA. I
expect to keep the key length the same at the issuing ca.

Do I need to generate a new public and private key pair, or can I
reuse the current public and private key pair?

Thank you,

You can re-use the key pair in this case.
Brian

Thank you again,

I hope I am not wearing out my welcome with this post,

I ran through the renewal process in our lab without a hitch,

As I am going through the process in production, I go through the
process of renewing the root ca, transfer the updated certificate
file to the subordinate ca, publish it to Active Directory,

publish the CRL to Active Directory,

Copy the updated .crt and crl files to the designated http location.

When I attempt to renew the issuing ca (with a new key pair "same as
in the lab") The process looks ok, the certificate services restart
and generate the following error message

"the system cannot find the path specified 0x80070002 (WIN32:2)"

Any ideas on what may be causing this error,

Thanks,

Correction:

The error was as follows,

"The system cannot find the path specified. 0x80070003 (WIN32: 3)"

Note: I am using a central website location for http publication, not
the default location on the issuing CA's

Thanks,
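As an added example, not code from the thread or from either poster: the CAPolicy.inf change and the certutil steps the thread describes (renew the root with a new key so RenewalKeyLength takes effect, publish the new root certificate and CRL to Active Directory and to the http location, then renew the issuing CA reusing its key pair), written out as a PowerShell runbook. The CA name RootCA, the transfer folder D:\transfer and the renewal validity values are assumptions; the certutil options used (-renewCert, ReuseKeys, -dspublish, -CRL, -getreg) are standard ones. The two -getreg calls are a check worth running before the renewal: if any CRL or AIA publication entry points at a file path the CA cannot reach, publication fails when Certificate Services restarts.

```powershell
# Added example, not from the thread. Placeholders: CA name "RootCA",
# transfer folder "D:\transfer", validity period values.

# --- On the offline standalone root CA -----------------------------------
# CAPolicy.inf is read from %SystemRoot% when the CA certificate is renewed.
# RenewalKeyLength only applies to a renewal that generates a NEW key pair;
# renewing with the existing key keeps the 4096-bit key.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# Check where the CA will try to write its CRL and certificate on restart.
# Every file:// entry must be a path this machine can reach, otherwise the
# publication step fails with a "path not found" style error.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Renew the root CA certificate with a new key pair (RenewalKeyLength applies).
certutil -renewCert

# Issue a fresh CRL under the renewed root certificate.
certutil -CRL

# Stage the new .crt and .crl for transfer to the issuing CA and the web server
# named in the CDP/AIA URLs (placeholder path).
Copy-Item "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crt" "D:\transfer\"
Copy-Item "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" "D:\transfer\"

# --- On the domain-joined enterprise issuing CA ---------------------------
# Publish the renewed root certificate and its CRL into Active Directory so
# domain members receive the new trust anchor and CRL through autoenrollment.
certutil -dspublish -f "D:\transfer\RootCA.crt" RootCA
certutil -dspublish -f "D:\transfer\RootCA.crl"

# Renew the issuing CA certificate with its existing key pair (the case the
# thread settles). This produces a request file that is taken to the root CA,
# signed there, and the issued certificate is then installed on the issuing CA.
certutil -renewCert ReuseKeys
```

Run the -getreg checks on the issuing CA as well, since it is the issuing CA's own publication paths that are exercised when it restarts after its renewal; when a central web server is used for http publication, the CA still needs a reachable file share or local directory in its publication list to write into.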
