I guess it should be alright if you are renewing with the same key pair. If you
are renewing with a new key pair then the values you put in the AIA and CDP
extensions become important. If you didn't put the suffix in the AIA and CDP,
the CA will publish its new CRL to the same location as the old one. In this
case, the applications that come to collect the old CRL expect it to be
signed by the old CA cert - instead they will find that the signature is now
from a new CA cert and they will fail. However, if you have the suffix
properly in the CDP then the new CRL will go to http://foo(1).crl which
is the new CA CRL. And in the new certificates issued by this new CA cert,
the CRL will be put in the certs as http://foo(1).crl.
I hope you have a test environment parallel to the production environment.
You could test it there.
"ritchie1230" wrote:
> Hello,
>
> I have a w2003 standalone root ca (2 enterprise issuing ca's). I want
> to renew the root ca to extend the validity period from 5 to 10 years.
> I have configured the CAPolicy.inf file similar to below:
>
>
> [Version]
> Signature= "$Windows NT$"
> [Certsrv_Server]
> RenewalKeyLength=2048
> RenewalValidityPeriod=Years
> RenewalValidityPeriodUnits=10
> [CRLDistributionPoint]
> Empty=True
> [AuthorityInformationAccess]
> Empty=True
>
> I intend to renew with the same key pair. The root ca is approximately
> 2.5 years into its 5 year validity period.
>
> My question is this: In looking at the properties of the root ca -
> under the extensions tab, there are ldap and http entries under both
> CDP and AIA areas.
>
> Under AIA - ldap - Include in the AIA extension of issued certificates
> is checked
> Under AIA - http - Include in the AIA extension of issued certificates
> is checked
>
> Under CDP - ldap - Include in all CRLs. Specifies where to publish in
> the Active Directory when publishing manually is checked
> Include in the CDP extension of issued certificates is checked
>
> Under CDP - http - Include in the CDP extension of issued certificates
> is checked
>
> Can these entries remain there while I renew the root ca certificate
> or should they be removed? My concern is that if I renew the root ca
> while these entries are in place, then when I publish the renewed
> root ca certificate to active directory these entries will try to
> resolve and cause errors.
>
> Please let me know if I need to provide additional detail
>
> Regards,
>
> Ritchie
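To make the suffix point in the reply concrete: Windows CA publication URLs are templates with %-tokens, and the "(1)" in foo(1).crl comes from the CRLNameSuffix / CertificateName tokens (%8 in CDP templates, %4 in AIA templates), which are empty for the original key and "(n)" after the n-th renewal with a new key. The PowerShell below is an added example, not code from either poster; it expands a template for key index 0 and 1 and flags templates that lack the suffix token, so a renewed CA would overwrite the old CRL at the same URL. The token numbering follows the certutil CRLPublicationURLs/CACertPublicationURLs convention; the hostname, CA name and templates are constructed sample values.

```powershell
# Expand a CA publication URL template the way the CA does for a given key index.
# Assumed token meanings (certutil convention): %1 ServerDNSName, %3 CaName,
# %4 CertificateName (AIA suffix), %8 CRLNameSuffix (CDP suffix), %9 DeltaCRLAllowed.
function Expand-CaPublicationUrl {
    param(
        [Parameter(Mandatory)] [string] $Template,
        [Parameter(Mandatory)] [string] $ServerDnsName,
        [Parameter(Mandatory)] [string] $CaName,
        [int]    $KeyIndex = 0,   # 0 = original key pair, n = n-th renewal with a NEW key pair
        [switch] $Delta           # expand as the delta CRL URL ("+" appended by %9)
    )
    # Renewing with the same key pair keeps index 0, so no suffix is added;
    # each renewal with a new key pair increments the index and yields "(n)".
    $suffix      = if ($KeyIndex -gt 0) { "($KeyIndex)" } else { '' }
    $deltaSuffix = if ($Delta) { '+' } else { '' }

    return $Template.Replace('%1', $ServerDnsName).
                     Replace('%3', $CaName).
                     Replace('%4', $suffix).
                     Replace('%8', $suffix).
                     Replace('%9', $deltaSuffix)
}

# Check a template for the token that keeps old and new CRLs / CA certs apart.
# Returns an object with a Warning property when the suffix token is missing.
function Test-CaPublicationTemplate {
    param(
        [Parameter(Mandatory)] [string] $Template,
        [Parameter(Mandatory)] [ValidateSet('CDP', 'AIA')] [string] $Kind
    )
    $requiredToken = if ($Kind -eq 'CDP') { '%8' } else { '%4' }
    $warning = $null
    if ($Template -notlike "*$requiredToken*") {
        $warning = "$Kind template has no $requiredToken suffix token: after a renewal with a " +
                   "new key pair the renewed CA would publish over the old file, and clients " +
                   "holding the old CA cert would reject the new signature."
    }
    [pscustomobject]@{ Kind = $Kind; Template = $Template; Warning = $warning }
}

# --- constructed sample values (hypothetical host and CA name) ---
$server = 'pki.example.test'
$caName = 'Example Root CA'
$cdpGood = 'http://%1/CertEnroll/%3%8%9.crl'    # has %8: foo.crl vs foo(1).crl
$cdpBad  = 'http://%1/CertEnroll/%3.crl'        # no %8: both keys publish to foo.crl
$aiaGood = 'http://%1/CertEnroll/%1_%3%4.crt'   # has %4: foo.crt vs foo(1).crt

foreach ($t in @($cdpGood, $cdpBad)) {
    foreach ($i in 0, 1) {
        $url = Expand-CaPublicationUrl -Template $t -ServerDnsName $server -CaName $caName -KeyIndex $i
        Write-Output ("key index {0}: {1}" -f $i, $url)
    }
}

@(
    Test-CaPublicationTemplate -Template $cdpGood -Kind CDP
    Test-CaPublicationTemplate -Template $cdpBad  -Kind CDP
    Test-CaPublicationTemplate -Template $aiaGood -Kind AIA
) | Where-Object { $_.Warning } | ForEach-Object { Write-Warning $_.Warning }
```

On a live CA the templates to feed into Test-CaPublicationTemplate are the entries shown by `certutil -getreg CA\CRLPublicationURLs` and `certutil -getreg CA\CACertPublicationURLs`; the same check applies to the ldap:// entries, where %8 and %4 likewise distinguish the CRL and CA cert objects in Active Directory.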