Renew Issuing CA Cert - New Key Pair
Greetings,
I have inherited a working Windows 2003 two-tier PKI topology: an offline root CA and 2 online enterprise issuing CAs.
Here's the issue: the 2 issuing CAs have 10-year certs on them, and they're going to expire soon, in less than a year. I know the best practice is to renew them sooner, but as I said, I've inherited the system.
Since the issuing CAs have 10-year certs on them, and this is the first time they've been renewed, I feel it's best to generate a new key pair upon renewal.
My questions are:
* Will generating a new key pair affect any of the existing certificates issued by the CAs (i.e. cause them not to work, invalidate them)?
* I know generating a new key pair will create a new CRL distribution point, and possibly a new Subject Key Identifier; is there anything else?
* The existing issuing CA certs are 1024-bit; if I increase them to 2048-bit, has anyone run into compatibility issues here? I know there are older appliances that can't handle the longer key length, but I don't believe we have any in our environment.
Thank you,
mrt
> Will generating a new key pair affect any of the existing certificates issued by the CAs (i.e. cause them not to work, invalidate them)?
No. Existing certificates are valid until they expire.
> I know generating a new key pair will create a new CRL distribution point, and possibly a new Subject Key Identifier; is there anything else?
It depends. If you have the default CDP and AIA extension configuration, it should work normally. A common mistake is when a custom AIA extension does not include the <CertificateName> variable, and the CDP does not include the <CRLNameSuffix> variable. This causes the previous CRL and CA certificate files to be rewritten with the new files, and existing certificates become invalid.
> The existing issuing CA certs are 1024-bit; if I increase them to 2048-bit, has anyone run into compatibility issues here? I know there are older appliances that can't handle the longer key length, but I don't believe we have any in our environment.
I don't know of any application that can't handle 2048-bit keys. Yes, there are a few applications that do not support longer keys, but 2048-bit is a must.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
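The reply above describes the CDP/AIA template mistake that makes a new-key renewal overwrite the old key's CRL and CA certificate files. The following PowerShell function is an added example, not code from the thread or from the PSPKI module: it checks publication URL templates for the per-key variables (certutil's numeric tokens, where `%4` is `<CertificateName>` and `%8` is `<CRLNameSuffix>`). The template arrays are constructed samples; on a real CA the same strings come from `certutil -getreg CA\CRLPublicationURLs` and `certutil -getreg CA\CACertPublicationURLs`.

```powershell
# Tokens: %4 = <CertificateName>, %8 = <CRLNameSuffix>. Both are empty for the
# CA's first key and become "(1)", "(2)", ... for each renewed key, so a
# template without them maps both keys to one file name.
function Test-PublicationTemplate {
    param(
        [Parameter(Mandatory)][string[]]$Templates,
        [Parameter(Mandatory)][ValidateSet('CDP','AIA')][string]$Kind
    )
    $token = if ($Kind -eq 'CDP') { '%8' } else { '%4' }
    foreach ($entry in $Templates) {
        # Registry format is "<flags>:<url>", e.g. "6:http://%1/CertEnroll/%3%8%9.crl"
        $flags, $url = $entry -split ':', 2
        $publishes = ([int]$flags -band 1) -ne 0     # CSURL_SERVERPUBLISH bit
        $isLdap    = $url -like 'ldap:*'
        # LDAP AIA objects keep every CA cert in one multi-valued attribute,
        # so %4 is not required there; LDAP CDP entries still need %8.
        $needsToken = -not ($Kind -eq 'AIA' -and $isLdap)
        $hasToken   = (-not $needsToken) -or ($url -match [regex]::Escape($token))
        $risk = if (-not $hasToken -and $publishes) {
                    'New-key renewal overwrites the old key''s file'
                } elseif (-not $hasToken) {
                    'Extension points at one file name for both keys'
                } else { 'OK' }
        [pscustomobject]@{
            Kind      = $Kind
            Url       = $url
            Publishes = $publishes
            HasToken  = $hasToken
            Risk      = $risk
        }
    }
}

# Constructed sample: default-style entries plus one custom HTTP entry of each kind
# that omits the per-key token. Host name is a placeholder.
$cdp = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '6:http://pki.example.com/CertEnroll/%3.crl',
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
)
$aia = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '2:http://pki.example.com/CertEnroll/%1_%3.crt',
    '3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
)
Test-PublicationTemplate -Templates $cdp -Kind CDP | Format-Table -AutoSize
Test-PublicationTemplate -Templates $aia -Kind AIA | Format-Table -AutoSize
```

Run this before the renewal and fix any entry whose Risk is not OK; a template flagged only as an extension problem still breaks chain building for the old key's certificates once the CA publishes the new key's file under the shared name.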