Re: CA certificate renewal - three level PKI structure
- From: "Brian Komar" <brian.komar@xxxxxxxxxxxxxxxxx>
- Date: Sat, 24 Nov 2007 18:01:39 -0600
There really should not be any issues.
The catch though is that you could have certificates that were issued the day before the enterprise CA was renewed that will need to validate the previous enterprise CA certificate.
What you can do to protect against revocation checking issues is to issue a new CRL at the 2nd tier (before you remove it) that is good for at least 1 year.
Make sure you publish the 1yr+ CRL at the relevant CDP locations (and keep the old 2nd CA certificate at the AIA locations) for at least a year.
This should allow for a smooth transition.
Brian
"Martin" <zanny@xxxxxxxxxxxx> wrote in message news:%23V3x5zuLIHA.5328@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
My organisation has an Enterprise CA in the AD domain. Its certificate will expire within 1 year from now, so we need to renew it. It is the "lowest" CA in a three-level PKI structure (the higher-level Root and Sub are standalone CAs).
The renewal event is an occasion to simplify our PKI structure. We don't really need two higher-level CAs; two levels should be enough. The best solution is to recertify the Enterprise CA with the Root CA, not the Sub CA as it was done before. Has anyone done this before? Is there any danger that PKI services in the domain will fail and become unusable?
Thank you.
Martin.
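The steps Brian describes for the 2nd-tier CA (lengthen the base CRL to a year or more, publish it at the CDP locations, keep the old CA certificate reachable at the AIA locations, then verify that previously issued certificates still validate) as an added PowerShell/certutil script. This is an editor's example, not code from either poster; it assumes an elevated PowerShell session on the Windows 2nd-tier CA before it is retired, that the CA stores its CDP/AIA material in AD and on a file share, and it uses placeholder paths (`\\cdp-host\pki`, `.\issued-leaf.cer`) that must be replaced with the organisation's real locations. Disabling delta CRLs and the one-month overlap are this example's own additions, so that no short-lived delta CRL undermines the long base CRL.

```powershell
# Editor's example (not from the original post). Run on the 2nd-tier (Sub) CA
# before decommissioning it. Paths marked "placeholder" are assumptions.

# 1. Make the next base CRL valid for one year, with a one-month overlap so
#    NextUpdate sits a little beyond the nominal period. Delta CRLs are
#    disabled (added here: a short delta CRL would defeat the long base CRL).
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Years"
certutil -setreg CA\CRLOverlapPeriodUnits 1
certutil -setreg CA\CRLOverlapPeriod "Months"
certutil -setreg CA\CRLDeltaPeriodUnits 0

# 2. Registry changes take effect only after the CA service restarts.
Restart-Service CertSvc

# 3. Publish a fresh base CRL with the new lifetime.
certutil -CRL

# 4. Check the result: the newest CRL in CertEnroll should show a NextUpdate
#    about one year (plus overlap) after ThisUpdate.
$crl = Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crl.FullName | Select-String 'ThisUpdate|NextUpdate'

# 5. Publish the long-lived CRL to every CDP location the issued certificates
#    point at, and (re)publish the old Sub CA certificate to the AIA locations.
#    The CA certificate file name follows the default CertEnroll naming.
certutil -dspublish -f $crl.FullName
Copy-Item $crl.FullName '\\cdp-host\pki\'                        # placeholder CDP share
$caCert = Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crt" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dspublish -f $caCert.FullName SubCA
Copy-Item $caCert.FullName '\\cdp-host\pki\'                     # placeholder AIA share

# 6. Take a certificate issued by the Enterprise CA the day before the renewal
#    and confirm the old chain still builds and revocation-checks cleanly
#    from the published URLs (exit code 0 means success).
certutil -verify -urlfetch .\issued-leaf.cer                     # placeholder file
```

The `-urlfetch` verification is the check worth repeating from a domain member rather than from the CA itself: it exercises the CDP and AIA URLs actually embedded in the certificate, which is exactly what clients will do for the old-chain certificates during the transition year.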